cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


257
Views
0
Helpful
4
Replies

problem with no nat after upgrade version

Hello Guys...

Im having problems with nat after upgrade....

source = 10.11.7.14

destination = 10.0.32.10

the next hop for 10.0.32/24 is 10.0.5.1, by inside interface. My firewall Pings this 10.0.5.1. When I change the router to doesnt pass by firewall, the connection works from source to destination, works!

In log, im receiving this message:

6Nov 23 201215:24:54302303spbwts02_03035551710.0.32.1080Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10 /80)

6Nov 23 201215:27:29302304spbwts02_03035112310.0.32.1080Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout

In 8.2 I had this NAT:

DMZ interface:

Exempt     10.0.32.0/24     10.11.7.0/24     (outbound)

I have a bypass for those networks and services. I guess I dont need bypass because the packet comes from dmz and goes to inside, right? Anyway, I removed bypass and nothing happen!

And now, in 8.4(5) I have:

DMZ     Inside     obj-10.11.7.0/24     obj-10.0.32.0/24     any      original     original    

What can be my problem?

4 REPLIES 4
Highlighted
Contributor

problem with no nat after upgrade version

You may have encountered the change of NAT behavior from 8.4(2). Check the "Lookup route table to locate egress interface" checkbox in your identity NAT rule. (This is the route-lookup option in CLI.)

Paste your config if that does not help.

problem with no nat after upgrade version

Hi Peter!

I changed the route for that network and worked!

But I needed to keep the bypass. I didnt understand why, because the traffic comes from DMZ and goes to INSIDE.

Contributor

problem with no nat after upgrade version

Fine, but what did you change exactly?

problem with no nat after upgrade version

route, look:

Before:

route inside 10.0.32.0 255.255.255.0 10.11.5.1 1

Now and working:

route inside 10.0.32.0 255.255.255.0 10.11.2.3 1

I dont have an interface in the 10.11.5.0 network. I guess when someone configured the route, put this 10.11.5.1 as gateway, but I dont know how it was working.

Now, I changed to 10.11.2.3 and OK. My firewall has an interface in 10.11.2.0 newtork.

But the bypass is a mistery to me yet!