[c-nsp] routing through fwsm

matthew zeier mrz at velvet.org
Mon Mar 5 12:30:34 EST 2007


That was exactly it - my original "no nat" was just for the .sj network. Needed to change that for the other networks.

Thanks!

Brian Desmond wrote:
> Have you got a NAT statement for the networks?
> 
> access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
> 
> nat (db) 0 access-list no_nat
> nat (nms) 0 access-list no_nat
> 
> 
> 
> Thanks,
> Brian Desmond
> brian at briandesmond.com
> 
> c - 312.731.3132
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier [mrz at velvet.org]
> Sent: Sunday, March 04, 2007 6:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] routing through fwsm
> 
> Is there a trick to routing through a FWSM to non-directly connected networks?
> 
> My network looks like:
> 
> db-network (10.2.70.0/24)
>    |
> fwsm
>    |
> sj-nms-network (10.2.10.0/23) -- sj-vpn (10.2.10.12) == nl-vpn
> 
> On the other side of the vpn is 10.4.0.0/16 (nl).  The vpn box there has
> directly connected interfaces to the other networks.
> 
> Routing between the two nms networks works.  Routing between the sj-nms and
> networks behind the nl-vpn works.  Where I'm stuck is getting the fwsm to route.
> 
> I have a route defined.  If I try to connect from 10.4.70.20 to 10.2.70.103,
> the fwsm logs:
> 
> Mar  3 16:22:58 fwsm1 %FWSM-3-106010: Deny inbound tcp src
> nms:10.4.70.20/32770 dst db:10.2.70.103/22
> 
> but not against a specific ACL. If I go the other way around, I don't get any
> errors and tcpdump on sj-vpn doesn't show any traffic either.
> 
> Any ideas?
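As an added example (not from the thread, and not FWSM code), a small Python check that parses the nat 0 exemption ACLs from a FWSM config fragment and tests whether the flow in a %FWSM-3-106010 deny line is exempted on each interface it crosses, which is the mismatch Matthew hit. The config fragments are constructed: the first mirrors the situation described (db exemption only for the .sj network), the second is Brian's 10/8 exemption on both interfaces. It assumes, as a simplification, that each nat 0 ACL is written local-to-remote and that the flow needs coverage on both interfaces whichever side initiates.

```python
import ipaddress
import re
# Constructed config fragments (not from the thread): CONFIG_BEFORE mirrors the
# situation described (db exemption only for the local .sj nms network);
# CONFIG_AFTER is Brian's 10/8 exemption. LOG_LINE is the deny quoted in the thread.
CONFIG_BEFORE = """
access-list no_nat permit ip 10.2.70.0 255.255.255.0 10.2.10.0 255.255.254.0
nat (db) 0 access-list no_nat
"""
CONFIG_AFTER = """
access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (db) 0 access-list no_nat
nat (nms) 0 access-list no_nat
"""
LOG_LINE = ("Mar  3 16:22:58 fwsm1 %FWSM-3-106010: Deny inbound tcp src "
            "nms:10.4.70.20/32770 dst db:10.2.70.103/22")
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
DENY_RE = re.compile(r"106010: Deny inbound \w+ src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")

def parse_config(text):
    """Return ({acl_name: [(local_net, remote_net), ...]}, {iface: acl_name})."""
    acls, nat0 = {}, {}
    for line in text.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s}/{sm}"),
                                              ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line.strip()):
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def parse_deny(line):
    """Extract (src_if, src_ip, dst_if, dst_ip) from a 106010 deny line."""
    m = DENY_RE.search(line)
    return m.groups() if m else None

def uncovered_interfaces(config_text, log_line):
    """Interfaces in the denied flow whose nat 0 ACL does not exempt the pair.
    Assumption: each nat 0 ACL is written local -> remote, and the flow needs
    exemption coverage on both interfaces it crosses, whichever side initiated it."""
    acls, nat0 = parse_config(config_text)
    src_if, src_ip, dst_if, dst_ip = parse_deny(log_line)
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    missing = []
    for iface, local, remote in ((src_if, src_ip, dst_ip), (dst_if, dst_ip, src_ip)):
        entries = acls.get(nat0.get(iface), [])
        if not any(local in ln and remote in rn for ln, rn in entries):
            missing.append(iface)  # no ACE covers this interface's host <-> peer
    return missing
```

Running it against CONFIG_BEFORE reports both interfaces as uncovered for the logged flow; against CONFIG_AFTER it reports none.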