[c-nsp] routing through fwsm
Brian Desmond
brian at briandesmond.com
Sun Mar 4 22:56:44 EST 2007
Have you got a NAT statement for the networks?
access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (db) 0 access-list no_nat
nat (nms) 0 access-list no_nat
Thanks,
Brian Desmond
brian at briandesmond.com
c - 312.731.3132
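Spelled out as a fuller FWSM fragment, this is an added example of the pieces the thread is discussing, not config from either post: the static route the original poster says he already has, the NAT exemption Brian suggests, and the interface ACL that lets the lower-security nms side reach db. The interface names db and nms come from the log line; the VLAN numbers, interface addresses, security levels, and the choice of 10.2.10.12 as next hop for 10.4.0.0/16 are assumptions for the example.

```cisco
! --- interfaces (VLAN numbers, addresses and security levels are assumed) ---
interface vlan 70
 nameif db
 security-level 100
 ip address 10.2.70.1 255.255.255.0
!
interface vlan 10
 nameif nms
 security-level 50
 ip address 10.2.10.1 255.255.254.0
!
! --- routing: 10.4.0.0/16 is not directly connected; it sits behind sj-vpn,
!     which lives on the nms segment, so point the route out the nms interface
route nms 10.4.0.0 255.255.0.0 10.2.10.12 1
!
! --- NAT: the FWSM has nat-control on by default, so a flow crossing
!     interfaces needs a translation even between RFC 1918 networks.
!     nat 0 with an ACL exempts 10/8 <-> 10/8 in both directions.
access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (db) 0 access-list no_nat
nat (nms) 0 access-list no_nat
!
! --- access: nms (50) -> db (100) is inbound to a higher security level and
!     is denied unless an interface ACL permits it. Keep it narrow; this
!     example allows only SSH from the nl site to the one db host in the log.
access-list nms_in permit tcp 10.4.0.0 255.255.0.0 host 10.2.70.103 eq 22
access-group nms_in in interface nms
```

To check each piece after applying it: `show route` should list 10.4.0.0/16 via 10.2.10.12 on nms, `show nat` (or `show running-config nat`) should show the two nat 0 entries, and `show access-list nms_in` should show hit counts climbing when 10.4.70.20 retries. A 106010 deny that names no ACL is the FWSM rejecting the packet before the ACL is consulted, so the route and NAT entries are the things to verify first; once those are right, a further deny will name nms_in and point at the access rule instead.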
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier [mrz at velvet.org]
Sent: Sunday, March 04, 2007 6:56 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] routing through fwsm
Is there a trick to routing through a FWSM to non-directly connected networks?
My network looks like:
db-network (10.2.70.0/24)
|
fwsm
|
sj-nms-network (10.2.10.0/23) -- sj-vpn (10.2.10.12) == nl-vpn
On the other side of the vpn is 10.4.0.0/16 (nl). The vpn box there has
directly connected interfaces to the other networks.
Routing between the two nms networks works. Routing between the sj-nms and
networks behind the nl-vpn works. Where I'm stuck is getting the fwsm to route.
I have a route defined. If I try to connect from 10.4.70.20 to 10.2.70.103,
the fwsm logs :
Mar 3 16:22:58 fwsm1 %FWSM-3-106010: Deny inbound tcp src
nms:10.4.70.20/32770 dst db:10.2.70.103/22
but not against a specific ACL. If I go the other way around, I don't get any
errors and tcpdump on sj-vpn doesn't show any traffic either.
Any ideas?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/