[c-nsp] FWSM Static NAT gets stuck..
Andrew Yourtchenko
ayourtch at cisco.com
Tue Oct 21 11:20:45 EDT 2008
If "clear local" fixes it, then most probably there's another xlate that
stands in the way; it should not be related to ARP.
Watch out for the identity statics that are supersets of this host static,
i.e. something like this is not good:
static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
If your first packet on the outside is destined to 1.1.1.1, all good.
But if your first packet is destined to 2.2.2.2, then the first static
won't match, and it will create the xlate based on the second one.
If you have such a config, blocking the destination of 2.2.2.2 by the
inbound ACL on the outside should help (and as well identify who sends
such a packet).
In any case, "show local x.x.x.x" along with "show xlate debug
local x.x.x.x" should shed some more light on this.
thanks,
andrew
On Mon, 20 Oct 2008, Christian Koch wrote:
> I checked this when it happened the first time, but I forgot what the
> output was... thanks for the suggestion, I'll have to check it again
> next time it pops up.
>
> christian
>
> On Mon, Oct 20, 2008 at 10:58 AM, Ozgur Guler <gulerozgur at yahoo.co.uk> wrote:
>> Do you see the correct ARP for the translation when it stops working?
>> You might need to define a static ARP with alias to fix it.
>>
>>
>> --- On Mon, 20/10/08, Christian Koch <christian at broknrobot.com> wrote:
>>
>> From: Christian Koch <christian at broknrobot.com>
>> Subject: [c-nsp] FWSM Static NAT gets stuck..
>> To: "Cisco-nsp" <cisco-nsp at puck.nether.net>
>> Date: Monday, 20 October, 2008, 3:38 PM
>>
>> Hello All -
>>
>> Seeing an issue on FWSM running 3.2(4) code,
>> where a static NAT gets stuck and the host becomes unreachable via
>> both ingress/egress.
>>
>> If I issue a "clear xlate local x.x.x.x", this clears things up and
>> connectivity is restored.
>>
>> There are currently 2 hosts on the same network, yet this problem only
>> occurs with one of them:
>>
>> static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
>> static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
>>
>> .24 is the one that becomes stuck, .25 is fine and never has a problem..
>>
>> Any ideas/possible bugs?
>>
>> thanks
>>
>> christian
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
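The overlapping-static case Andrew describes at the top of the thread (a host static shadowed by an identity static that covers its real address), as an added illustration that is not code from the thread or from Cisco: a parser for the `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` lines quoted above, a simplified first-match model of which static builds the xlate for the first inbound packet, and a config check that flags host statics an identity static would shadow. The first-match model is an assumption drawn from the reply, not FWSM's actual lookup code; the sample configs are constructed from the two quoted in the thread.

```python
import ipaddress
import re
from typing import NamedTuple

# FWSM/PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static\s+\((\S+?),(\S+?)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)\s*$")

class Static(NamedTuple):
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network  # block as seen on the mapped (outside) side
    real: ipaddress.IPv4Network    # block on the real (inside/DMZ) side
    def is_identity(self):
        return self.mapped == self.real

def parse_static(line):
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    real_if, mapped_if, mapped, real, mask = m.groups()
    return Static(real_if, mapped_if,
                  ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                  ipaddress.IPv4Network(f"{real}/{mask}", strict=False))

def inbound_xlate(statics, dst):
    # Assumed simplified model: the first static whose mapped block contains the
    # destination of the first inbound packet builds the xlate (mapped, real).
    ip = ipaddress.IPv4Address(dst)
    for s in statics:
        if ip in s.mapped:
            return str(ip), str(s.real.network_address + (int(ip) - int(s.mapped.network_address)))
    return None

def find_shadowing_identity_statics(statics):
    # Host statics whose real address also lies inside an identity static on the same
    # interface pair: a first packet to the real address builds an identity xlate for
    # that host, which blocks the host static until "clear xlate local <real>".
    findings = []
    for host in statics:
        if host.is_identity():
            continue
        for ident in statics:
            if (ident.is_identity() and ident[:2] == host[:2]  # same interface pair
                    and host.real.subnet_of(ident.real)):
                findings.append((host, ident))
    return findings

# Constructed from the two configs quoted in the thread.
ANDREW_BAD = [parse_static(l) for l in ("static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255",
                                        "static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0")]
CHRISTIAN = [parse_static(l) for l in ("static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255",
                                       "static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255")]
```

In Andrew's config both a packet to 1.1.1.1 and a packet to 2.2.2.2 produce an xlate with real address 2.2.2.2, which is the collision "clear xlate local" removes; Christian's two host statics contain no identity superset, so the check reports nothing and the cause there must lie elsewhere.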