[c-nsp] Unusual FWSM behaviour.. Need help.. :(

Paolo pao_rivi at hotmail.com
Mon Nov 5 07:32:16 EST 2007


If I'm not wrong you can keep nat for all at 0 (that means no nat), and remove the static command which you don't need anymore.
 
The second thing is that the static command is:
 
static (high, low) low high
 
and:
 
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0 is wrong at all.
 
 
 
cheers
 
--
Paolo Riviello
Mob. +39.328.1749468
Home: http://www.paoloriviello.com
E-mail: paolo at paoloriviello.com
Msn: pao_rivi at hotmail.com
Skype: pao_rivi
-----
I'm a rebel, soul rebel
I'm a capturer, soul adventurer
See the morning sun, on the hillside
Not living good, travel wide.
B.M.

> Date: Mon, 5 Nov 2007 23:12:58 +1100
> From: overkillxx at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Unusual FWSM behaviour.. Need help.. :(
> 
> Hi Guys,
> 
> I just did a configuration change on a FWSM context firewall instance & had
> something peculiar happen..
> 
> Here is the config to get things started:
> 
> nat (XV-Wan) 0 0.0.0.0 0.0.0.0
> nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
> nat (CMS-Server) 0 0.0.0.0 0.0.0.0
> nat (HP-CCS-CSM_mXVt) 0 0.0.0.0 0.0.0.0
> nat (DMZ-XV_client_VIP) 0 0.0.0.0 0.0.0.0
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> 
> nameif vlan1300 XV-Wan security50
> nameif vlan1116 XV-Tran-Net security90
> nameif vlan1151 CMS-Server security60
> nameif vlan3000 HP-CCS-CSM_mXVt security60
> nameif vlan3301 DMZ-XV_client_VIP security60
> 
> Looking at the config (correct me if I am wrong) the following stick out:
> 
> - The statement "nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0" is not needed because
> the interface XV-Tran-Net has the highest security level
> 
> - The statements:
> 
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> 
> are doing the same as the statements:
> 
> nat (XV-Wan) 0 0.0.0.0 0.0.0.0
> nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
> 
> Moving forward I removed the following statements:
> 
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> 
> Straight away packets from outside to inside (coming in from XV-Wan to
> XV-Tran-Net) started to be denied. Realizing this I immediately reapplied
> the statements.
> I believe these statements were needed due to the fact that the context was
> using shared interfaces with another context. However, prior to attempting
> to remove the above statements I removed the applicable vlans associated
> in the other contexts by removing "allocate-interface" associations in the
> system space:
> Similar to the following:
> 
> context ECC-FC-5
> no allocate-interface vlanXXXX
> 
> Can somebody explain this behaviour? I have never come across this before &
> would really appreciate the input..
> 
> 
> Regards,
> 
> Brad
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
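The two review points raised in this thread (a static whose real side is the lower-security interface, and an all-zero static that overlaps a `nat (ifc) 0 0.0.0.0 0.0.0.0` on the same interface) can be checked mechanically before touching a live context. The script below is an added example, not code from either poster; it parses `nameif`, `nat 0` and `static` lines in the syntax quoted above and reports findings for a human to judge, using a constructed sample built from the thread's own config lines.

```python
import re
from typing import Dict, List

# Constructed sample taken from the config lines quoted in the thread.
SAMPLE_CONFIG = """
nameif vlan1300 XV-Wan security50
nameif vlan1116 XV-Tran-Net security90
nameif vlan1151 CMS-Server security60
nat (XV-Wan) 0 0.0.0.0 0.0.0.0
nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
nat (CMS-Server) 0 0.0.0.0 0.0.0.0
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+0\.0\.0\.0\s+0\.0\.0\.0$")
# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static\s+\(([^,]+),([^)]+)\)\s+(\S+)\s+(\S+)")


def parse_security_levels(config: str) -> Dict[str, int]:
    """Interface name -> security level, taken from the nameif lines."""
    levels: Dict[str, int] = {}
    for ln in config.splitlines():
        m = NAMEIF_RE.match(ln.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def review_statics(config: str) -> List[str]:
    """One finding per static that (a) names a lower-security real side than
    mapped side, or (b) is an all-zero static whose real interface already
    carries 'nat (ifc) 0 0.0.0.0 0.0.0.0'. Findings are for review only."""
    levels = parse_security_levels(config)
    lines = [ln.strip() for ln in config.splitlines()]
    nat0_ifcs = {m.group(1) for m in map(NAT0_RE.match, lines) if m}
    findings: List[str] = []
    for ln in lines:
        m = STATIC_RE.match(ln)
        if not m:
            continue
        real, mapped, mapped_ip, real_ip = (s.strip() for s in m.groups())
        if real in levels and mapped in levels and levels[real] < levels[mapped]:
            findings.append(f"{ln}: real side {real} (security{levels[real]}) is "
                            f"lower than mapped side {mapped} (security{levels[mapped]})")
        if mapped_ip == real_ip == "0.0.0.0" and real in nat0_ifcs:
            findings.append(f"{ln}: identity static overlaps nat 0 on {real}")
    return findings


if __name__ == "__main__":
    for finding in review_statics(SAMPLE_CONFIG):
        print(finding)
```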

