[c-nsp] routing through fwsm
matthew zeier
mrz at velvet.org
Mon Mar 5 12:30:34 EST 2007
That was exactly it - my original "no nat" was just for the .sj network.
Needed to change that for the other networks.
Thanks!
Brian Desmond wrote:
> Have you got a NAT statement for the networks?
>
> access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
>
> nat (db) 0 access-list no_nat
> nat (nms) 0 access-list no_nat
>
>
>
> Thanks,
> Brian Desmond
> brian at briandesmond.com
>
> c - 312.731.3132
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier [mrz at velvet.org]
> Sent: Sunday, March 04, 2007 6:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] routing through fwsm
>
> Is there a trick to routing through a FWSM to non-directly connected networks?
>
> My network looks like:
>
> db-network (10.2.70.0/24)
> |
> fwsm
> |
> sj-nms-network (10.2.10.0/23) -- sj-vpn (10.2.10.12) == nl-vpn
>
> On the other side of the vpn is 10.4.0.0/16 (nl). The vpn box there has
> directly connected interfaces to the other networks.
>
> Routing between the two nms networks works. Routing between the sj-nms and
> networks behind the nl-vpn works. Where I'm stuck is getting the fwsm to route.
>
> I have a route defined. If I try to connect from 10.4.70.20 to 10.2.70.103,
> the fwsm logs :
>
> Mar 3 16:22:58 fwsm1 %FWSM-3-106010: Deny inbound tcp src
> nms:10.4.70.20/32770 dst db:10.2.70.103/22
>
> but not against a specific ACL. If I go the other way around, I don't get any
> errors and tcpdump on sj-vpn doesn't show any traffic either.
>
> Any ideas?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list