[c-nsp] FWSM INT 0 configure

Peter Rathlev peter at rathlev.dk
Wed Nov 7 09:44:46 EST 2012


On Tue, 2012-11-06 at 10:49 +0800, zhangyongshun wrote:
> but I found out that there is always a private IP address in "show xlate state
> identity"'s output.
> like this:
...
> *Global 10.11.1.21 Local 10.11.1.21*
...
> 10.11.1.21: this user isn't able to access outside through NAT.
> Does anybody know of such a problem, or have any suggestion?

Take a look at "show xlate local 10.11.1.21 debug". You might see an
identity NAT hairpin on the outside, something not totally unlike this:

  NAT from inside:10.11.1.21 to outside:10.11.1.21 flags Ii idle 1:40:54 timeout 2:04:00 connections 0

This can result from the FWSM and whatever router is on the outside not
agreeing on what to route where. If the FWSM sends it toward outside but
the router sends it back to the FWSM it might create a new (wrong)
xlate. We've seen this a few times with inconsistent routing.

Otherwise take a good look at the log files at "informational" (or above)
level, especially the FWSM-6-305009 and possibly FWSM-3-305006 messages.
They might hint at what happens.

-- 
Peter
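As an added example (not part of the thread and not Cisco's code), a small Python helper that parses "show xlate ... debug" output in the line format quoted above and flags identity translations ('I' flag) that present a private (RFC 1918) address unchanged on the external interface, which is the hairpin symptom described. The sample lines are constructed, and the interface name "outside" is an assumption.

```python
import ipaddress
import re

# Constructed sample of "show xlate ... debug" output (not from the thread).
# Line 2 mirrors the hairpin pattern: a private address identity-mapped on outside.
SAMPLE_XLATE = """\
NAT from inside:10.11.1.22 to outside:203.0.113.5 flags - idle 0:00:12 timeout 3:00:00 connections 3
NAT from inside:10.11.1.21 to outside:10.11.1.21 flags Ii idle 1:40:54 timeout 2:04:00 connections 0
NAT from dmz:192.168.5.7 to inside:192.168.5.7 flags Ii idle 0:03:10 timeout 2:04:00 connections 1
"""

# Matches one xlate line: local interface/address, global interface/address,
# flags, idle and timeout timers, and the connection count.
XLATE_RE = re.compile(
    r"NAT from (?P<lif>\S+):(?P<local>[\d.]+) to (?P<gif>\S+):(?P<global>[\d.]+)"
    r" flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+) connections (?P<conns>\d+)"
)


def parse_xlate(text):
    """Parse xlate debug lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["conns"] = int(entry["conns"])
            entries.append(entry)
    return entries


def suspicious_identity_xlates(entries, external_if="outside"):
    """Return identity translations whose private local address leaves the
    firewall unchanged on the external interface (the hairpin symptom).
    The 'I' flag marks an identity xlate; comparing local and global catches
    the same condition if flags are unavailable."""
    hits = []
    for e in entries:
        identity = "I" in e["flags"] or e["local"] == e["global"]
        private_local = ipaddress.ip_address(e["local"]).is_private
        if identity and private_local and e["gif"] == external_if:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in suspicious_identity_xlates(parse_xlate(SAMPLE_XLATE)):
        print(f"identity xlate on {hit['gif']}: {hit['lif']}:{hit['local']} flags {hit['flags']}")
```

Feed it the saved output of "show xlate local <addr> debug" to list only the entries worth comparing against the outside router's routing table.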
