[c-nsp] FWSM v2.3.3 NAT issue
Christian Zeng
christian at zengl.net
Wed Dec 28 06:34:20 EST 2005
Hi,
* Brett Looney <brett at looney.id.au> wrote:
> global (INSIDE) 1 1.2.3.4
> nat (OUTSIDE) 0 access-list NONAT-OUTSIDE outside
> nat (OUTSIDE) 1 access-list NAT-OUTSIDE outside
>
>Connections from the outside interface used to appear to come from
>1.2.3.4 for hosts on the inside. Now they don't - they appear to come
>from the originator's real IP address.
I never used outside dynamic NAT, so my suggestions are more generic.
Does a 'show xlate' mark the connections in question as 'Outside'?
Are there any static statements 'nat x access-list' would collide with
(static (outside,inside)) or static statements for your inside hosts
(static (inside,outside)) configured? The last one would be necessary
for outside NAT, IIRC, even if it is only static identity NAT translating
inside hosts to the same addresses.
If you can afford losing all established connections, try a 'clear
xlate'. Then try to initiate communication from an outside host and
look at the xlate table. This eliminates the influence of existing
xlate entries from connections initiated at the inside.
Best Regards,
Christian