[c-nsp] FWSM Question
Sam Stickland
sam_mailinglists at spacething.org
Thu Mar 22 18:28:28 EST 2007
Yeah, keep in mind that the ACLs are only for traffic that transit the
FWSM. There's a separate set of commands (icmp, ssh etc) for traffic
that's aimed at it. If you've enabled "no nat control" you might also
want to do "fixup protocol icmp" and "fixup protocol icmp error" so that
you can traceroute through it as well.
Keep in mind that even with "no nat control" turned on, the FWSM
still does NAT translation. It just automatically adds 1-to-1 identity
NATs to the translation table. You need to be aware of this because it
can turn against you under some circumstances.
Imagine you've set up a PAT such as 1.1.1.1:80 -> 2.2.2.2:80, and host
X is talking to 1.1.1.1 on port 80. Now, if X tries to talk to 1.1.1.1 on
a port other than 80 it doesn't match the PAT statement, so the PIX
automatically adds an identity NAT statement for host X. This identity
NAT statement will take precedence and the PAT will no longer function.
Watch out!
S
Paul Stewart wrote:
> Solved.. thanks everyone...
>
> I kept trying to ping the blade as a test - was puzzled as could see mac
> addresses etc...
>
> Anyways, I had permitted ip any any on outside and permitted icmp any any
> but didn't realize that for the FWSM itself you have to do a "icmp permit
> any outside"....
>
> Appreciate all the help.. thanks again...
>
> Paul
>
>
> -----Original Message-----
> From: Jason Lixfeld [mailto:jason at lixfeld.ca]
> Sent: Thursday, March 22, 2007 12:48 PM
> To: Paul Stewart
> Cc: 'Voll, Scott'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FWSM Question
>
> Any reason you're not running 3.x, Paul?
>
> On 22-Mar-07, at 12:40 PM, Paul Stewart wrote:
>
>
>> Thanks... I need to do some more reading..;) I understand what you're
>> saying... at this point all I'm trying to do is get remote access to
>> the FWSM itself running so that I can upgrade the OS etc...
>>
>> VLAN
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
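The PAT-versus-identity-NAT interaction that Sam warns about, as an added worked example (not part of the original thread, and not Cisco's own xlate code): a deliberately simplified model of the translation table in which a per-host xlate that "no nat control" has auto-added is consulted before the configured static PAT, exactly as the post describes. The addresses 1.1.1.1 and 2.2.2.2 are the ones from the post; host X is given the constructed address 3.3.3.3, and the class and method names are this example's own assumptions.

```python
# Simplified model of FWSM/PIX xlate precedence under "no nat control".
# Constructed example for the thread above; not Cisco code and not a
# faithful reimplementation of the real translation engine.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticPat:
    """A static PAT rule: (mapped_ip, mapped_port) -> (real_ip, real_port)."""
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Fwsm:
    nat_control: bool                 # True = nat-control, False = "no nat control"
    pats: List[StaticPat]
    # per-source-host xlate entries the box has built; an identity entry
    # simply maps a host to itself (assumed name and shape for this model)
    xlates: Dict[str, str] = field(default_factory=dict)

    def translate(self, src: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Return the (real_ip, real_port) a new flow is sent to, or None if dropped."""
        # Step 1 (the trap): an existing per-host xlate is honoured before the
        # PAT rules are even looked at, so the destination is left untouched.
        if src in self.xlates:
            return (dst, dport)
        # Step 2: configured static PAT rules.
        for pat in self.pats:
            if pat.mapped_ip == dst and pat.mapped_port == dport:
                return (pat.real_ip, pat.real_port)
        # Step 3: nothing matched. With nat-control the flow needs a
        # translation and is dropped; with "no nat control" the box builds an
        # identity xlate for the source host and forwards the flow unchanged.
        if self.nat_control:
            return None
        self.xlates[src] = src
        return (dst, dport)

    def clear_xlate(self, host: str) -> None:
        """Model of clearing that host's xlate entry (restores PAT behaviour)."""
        self.xlates.pop(host, None)


def scenario(nat_control: bool) -> List[Optional[Tuple[str, int]]]:
    """Replay the three flows from the post: X hits port 80, then another
    port, then port 80 again. The list shows where each flow ends up."""
    fw = Fwsm(nat_control, [StaticPat("1.1.1.1", 80, "2.2.2.2", 80)])
    host_x = "3.3.3.3"   # constructed address for host X
    return [
        fw.translate(host_x, "1.1.1.1", 80),   # PAT matches -> 2.2.2.2:80
        fw.translate(host_x, "1.1.1.1", 22),   # no PAT match for port 22
        fw.translate(host_x, "1.1.1.1", 80),   # does the PAT still apply?
    ]


def scenario_after_clear() -> Optional[Tuple[str, int]]:
    """Same as scenario(False), but the identity xlate is cleared before the
    final port-80 flow, which brings the PAT back for host X."""
    fw = Fwsm(False, [StaticPat("1.1.1.1", 80, "2.2.2.2", 80)])
    host_x = "3.3.3.3"
    fw.translate(host_x, "1.1.1.1", 80)
    fw.translate(host_x, "1.1.1.1", 22)
    fw.clear_xlate(host_x)
    return fw.translate(host_x, "1.1.1.1", 80)


if __name__ == "__main__":
    print("no nat control:", scenario(False))
    print("nat-control:   ", scenario(True))
    print("after clear:   ", scenario_after_clear())
```

With "no nat control" the third flow is left at 1.1.1.1:80 because the identity xlate built by the port-22 attempt now shadows the PAT; with nat-control the port-22 flow is dropped instead and the PAT keeps working. When PAT "mysteriously" stops for one host, checking that host's xlate entries (and clearing them) is the thing to look at.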