[c-nsp] FWSM - bug or mis-configuration
Varaillon Jean Christophe
j.varaillon at cosmoline.com
Tue Mar 30 12:49:02 EDT 2010
Hi,
I am using a FWSM 3.1(5), in routed mode, with multiple contexts.
This was the configuration before any changes were done:
-----
access-list DMZ1-NAT extended permit ip any 192.168.0.0 255.255.0.0
access-list DMZ1-NAT extended permit ip any 10.0.0.0 255.0.0.0
access-list DMZ1-NAT extended permit ip any 172.16.0.0 255.240.0.0
access-list DMZ1-NAT extended deny ip any any
nat-control
global (OUT) 1 21.9.1.40
nat (DMZ1) 0 access-list DMZ1-NAT tcp 1000 1000 udp 1000
nat (DMZ1) 1 10.10.10.0 255.255.255.0
static (DMZ1,OUT) tcp 21.9.1.40 49151 10.10.1.201 49151 netmask 255.255.255.255
static (DMZ1,OUT) udp 21.9.1.40 49151 10.10.1.201 49151 netmask 255.255.255.255
-----
I removed the following part:
-----
no static (DMZ1,OUT) udp 21.9.1.40 49151 10.10.10.201 49151 netmask 255.255.255.255
no static (DMZ1,OUT) tcp 21.9.1.40 49151 10.10.10.201 49151 netmask 255.255.255.255
-----
Exactly one hour later, DMZ1 could not send/receive traffic to/from the OUT zone any more.
However, DMZ1 could still access any other zones where no translation was needed.
The traffic to/from the OUT zone was then silently dropped by the firewall
without showing anything at all in the syslogs.
Doing a clear xlate did not solve the problem.
Doing a clear conn did not solve the problem.
Doing the following solved the problem:
-----
no global (OUT) 1 21.9.1.40
global (OUT) 1 21.9.1.40
-----
Besides an explanation of why this happened, I would like to know whether this is related to a bug, in which case I will have to upgrade the OS, or whether it is due to a misconfiguration.
Thank you for your time.
Christophe
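As an added example that is not part of the original post or of any Cisco code, the script below models the documented FWSM/PIX NAT order of operations (NAT exemption via nat 0 access-list, then static NAT/PAT, then dynamic nat/global, with nat-control dropping anything unmatched) over the ruleset from the post, for outbound DMZ1 -> OUT flows only. It shows which translation the configuration calls for before and after the two static PAT lines are removed; it does not explain the drop the poster observed. Assumptions: the real host behind the static PATs is taken as 10.10.10.201 (the address in the "no static" lines), so it sits inside the nat 1 subnet; the destination 203.0.113.9 is a made-up external address; dynamic PAT port allocation is not modelled.

```python
"""Constructed model of FWSM NAT precedence for the ruleset in the post.

Not Cisco code. Simplifications: outbound DMZ1 -> OUT direction only, no policy
NAT, no connection limits, dynamic PAT returns the global address only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # real (DMZ1-side) source address
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPAT:
    proto: str
    mapped_ip: str    # global side (OUT)
    mapped_port: int
    real_ip: str      # DMZ1 side
    real_port: int


# access-list DMZ1-NAT + nat (DMZ1) 0 access-list DMZ1-NAT:
# traffic to these destinations is exempt from translation.
EXEMPT_DESTS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# nat (DMZ1) 1 10.10.10.0 255.255.255.0 + global (OUT) 1 21.9.1.40: dynamic PAT.
DYNAMIC_PAT = [(ipaddress.ip_network("10.10.10.0/24"), "21.9.1.40")]

# The two static PATs from the post. Assumption: real host is 10.10.10.201
# (the address used in the "no static" lines), inside the nat 1 subnet.
STATICS_BEFORE = [
    StaticPAT("tcp", "21.9.1.40", 49151, "10.10.10.201", 49151),
    StaticPAT("udp", "21.9.1.40", 49151, "10.10.10.201", 49151),
]
STATICS_AFTER = []   # both statics removed, as in the post


def translate(flow: Flow, statics: list, nat_control: bool = True) -> tuple:
    """Return (rule_kind, mapped_source) for an outbound DMZ1 -> OUT flow.

    Order mirrors the documented precedence: NAT exemption, then static
    NAT/PAT, then dynamic nat/global. With nat-control enabled a flow that
    matches no rule is dropped instead of being passed untranslated.
    """
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in EXEMPT_DESTS):
        return ("exempt", f"{flow.src}:{flow.sport}")

    # Static PAT matches on protocol, real address and real port only; other
    # ports from the same host fall through to the dynamic rule.
    for s in statics:
        if (s.proto == flow.proto and s.real_ip == flow.src
                and s.real_port == flow.sport):
            return ("static", f"{s.mapped_ip}:{s.mapped_port}")

    src = ipaddress.ip_address(flow.src)
    for net, global_ip in DYNAMIC_PAT:
        if src in net:
            # The ephemeral port chosen on the global address is
            # allocator-dependent, so only the address is modelled.
            return ("dynamic-pat", global_ip)

    if nat_control:
        return ("dropped-nat-control", None)
    return ("untranslated", f"{flow.src}:{flow.sport}")


if __name__ == "__main__":
    svc_host = Flow("tcp", "10.10.10.201", 49151, "203.0.113.9", 80)
    for label, statics in (("before", STATICS_BEFORE), ("after", STATICS_AFTER)):
        print(label, translate(svc_host, statics))
```

The interesting cases are the host behind the static PAT: with the statics in place its port 49151 is mapped one-to-one onto 21.9.1.40:49151 while its other ports already go through dynamic PAT on the same global address; after the removal, port 49151 simply joins the dynamic PAT pool. A DMZ1 host outside 10.10.10.0/24 reaching a non-private destination matches nothing and is dropped by nat-control.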