[c-nsp] FWSM Question

Sam Stickland sam_mailinglists at spacething.org
Thu Mar 22 18:28:28 EST 2007


Yeah, keep in mind that the ACLs are only for traffic that transits the 
FWSM. There's a separate set of commands (icmp, ssh etc) for traffic 
that's aimed at it. If you've enabled "no nat control" you might also 
want to do "fixup protocol icmp" and "fixup protocol icmp error" so that 
you can traceroute through it as well.

Keep in mind that even with "no nat control" turned on, the FWSM 
still does NAT translation. It just automatically adds 1-to-1 identity 
NATs to the translation table. You need to be aware of this because it 
can turn against you under some circumstances.

Imagine you've set up a PAT such as 1.1.1.1:80 -> 2.2.2.2:80, and host 
X is talking to 1.1.1.1 on port 80. Now, if X tries to talk to 1.1.1.1 on 
a port other than 80 it doesn't match the PAT statement, so the PIX 
automatically adds an identity NAT statement for host X. This identity 
NAT statement will take precedence and the PAT will no longer function. 
Watch out!

S

Paul Stewart wrote:
> Solved.. thanks everyone...
>
> I kept trying to ping the blade as a test - was puzzled as could see mac
> addresses etc...
>
> Anyways, I had permitted ip any any on outside and permitted icmp any any
> but didn't realize that for the FWSM itself you have to do a "icmp permit
> any outside"....
>
> Appreciate all the help.. thanks again...
>
> Paul
>  
>
> -----Original Message-----
> From: Jason Lixfeld [mailto:jason at lixfeld.ca] 
> Sent: Thursday, March 22, 2007 12:48 PM
> To: Paul Stewart
> Cc: 'Voll, Scott'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FWSM Question
>
> Any reason you're not running 3.x, Paul?
>
> On 22-Mar-07, at 12:40 PM, Paul Stewart wrote:
>
>   
>> Thanks... I need to do some more reading..;)  I understand what you're 
>> saying... at this point all I'm trying to do is get remote access to 
>> the FWSM itself running so that I can upgrade the OS etc...
>>
>> VLAN
>>     
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
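A configuration sketch of the points made in the thread, added here as an example and not taken from any message above. It uses PIX 6.x / FWSM 2.x style syntax; the interface names, the ACL name and the 1.1.1.1 / 2.2.2.2 addresses are assumptions carried over from the message, and `nat-control` is the CLI spelling of what the message calls "no nat control".

```cisco
! Transit traffic THROUGH the FWSM is governed by the interface ACLs.
! This permits echo traffic through the box but says nothing about
! packets addressed to the FWSM's own interfaces.
access-list outside_in permit icmp any any
access-group outside_in in interface outside

! Traffic aimed AT the FWSM is a separate control: without this line a
! ping to the outside interface address gets no reply even though the
! ACL above permits icmp any any.
icmp permit any outside

! With nat-control off the FWSM still installs identity xlates for
! flows it sees. Enable the ICMP fixups so echo replies and ICMP error
! messages (traceroute) are matched to their xlate and pass back through.
no nat-control
fixup protocol icmp
fixup protocol icmp error

! Static PAT: outside 1.1.1.1 port 80 maps to inside host 2.2.2.2 port 80.
! Only port 80 matches this entry; any other port to 1.1.1.1 does not.
static (inside,outside) tcp 1.1.1.1 80 2.2.2.2 80 netmask 255.255.255.255

! Caveat from the message: a connection to 1.1.1.1 on a port other than 80
! misses the static, so the FWSM installs an identity xlate instead, and
! that entry then shadows the static PAT. To see the translation table and
! flush stale entries while troubleshooting:
!   show xlate
!   clear xlate
```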