FWSM can not show sessions in xlate between two specific vlans

redsoftcisco
Level 1

Dear Experts,

I have an FWSM running version 3.2(23), configured with interface VLANs, all having the same security level except the outside interface VLAN, which has security level 0. Also, same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are configured. My problem is that when establishing sessions (I tried TCP only, using ssh and telnet, in addition to ping) from one specific VLAN (172.16.1.0/28) to another VLAN (172.16.1.16/28), I cannot see the established sessions in the "show xlate debug" output, although I can see these sessions in a capture! The two subnets are separate, two different /28s.

I can see the sessions established from the remaining interface VLANs with the same security level toward 172.16.1.16/28. My question is: what is the exception with the VLAN having this subnet 172.16.1.0/28, and how can it reach the other VLAN with subnet 172.16.1.16/28 without showing anything in the xlate table? Do you think it is a bug? Please advise.

Regards

3 Replies

Kureli Sankar
Cisco Employee

Do you have xlate-bypass configured?

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/uw.html#wp1306953

-Kureli

https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts

Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules

Register today: http://tools.cisco.com/squish/42F25

redsoftcisco
Level 1

Thanks, Kureli, for your reply.
No, xlate-bypass is not configured.


Regards
Red1


Sent from Cisco Technical Support Android App

Red1,

Need to make sure the packets are arriving on the correct interface. Need to grab captures and the debug-level syslogs at the same time. Hope you are not running into the xlate limitation of the module.

Pls. check the limitation link here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1056716

-Kureli
