I'm having problems with NAT after the upgrade....
source = 10.11.7.14
destination = 10.0.32.10
The next hop for 10.0.32/24 is 10.0.5.1, via the inside interface. My firewall pings this 10.0.5.1. When I change the routing so it doesn't pass through the firewall, the connection from source to destination works!
In the log, I'm receiving this message:
|6||Nov 23 2012||15:24:54||302303||spbwts02_0303||55517||10.0.32.10||80||Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10 /80)|
|6||Nov 23 2012||15:27:29||302304||spbwts02_0303||51123||10.0.32.10||80||Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout|
In 8.2 I had this NAT:
Exempt 10.0.32.0/24 10.11.7.0/24 (outbound)
I have a bypass for those networks and services. I guess I don't need the bypass because the packet comes from the DMZ and goes to inside, right? Anyway, I removed the bypass and nothing happened!
And now, in 8.4(5) I have:
DMZ Inside obj-10.11.7.0/24 obj-10.0.32.0/24 any original original
What could my problem be?
You may have encountered the change in NAT behavior from 8.4(2). Check the "Lookup route table to locate egress interface" checkbox in your identity NAT rule. (This is the route-lookup option in the CLI.)
Paste your config if that does not help.
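As an added illustration (not posted by either participant), here is the CLI form of the identity NAT rule described in the reply above with the route-lookup option set, followed by the commands used to check which NAT rule and egress interface a flow actually hits. The interface names dmz and inside and the object names come from the thread; the object definitions and the test flow are assumed.

```cisco
! Added example. Assumes the interfaces are named dmz and inside and that
! the two objects wrap the /24 networks named in the thread.
object network obj-10.11.7.0
 subnet 10.11.7.0 255.255.255.0
object network obj-10.0.32.0
 subnet 10.0.32.0 255.255.255.0
!
! Identity (twice) NAT from dmz to inside. From 8.4(2) on, without
! route-lookup the ASA sends the flow out the mapped interface named in
! the rule regardless of the routing table; with route-lookup it consults
! the route table to pick the egress interface.
nat (dmz,inside) source static obj-10.11.7.0 obj-10.11.7.0 destination static obj-10.0.32.0 obj-10.0.32.0 route-lookup
!
! Trace a constructed flow matching the thread (10.11.7.14 -> 10.0.32.10:80)
! to see which NAT rule matches and which output interface is chosen.
packet-tracer input dmz tcp 10.11.7.14 12345 10.0.32.10 80
!
! Show the NAT rule hit counts and the route the ASA holds for the destination.
show nat detail
show route | include 10.0.32.0
```

In the packet-tracer output, compare the interface reported in the NAT phase with the one in the final result; if they differ, the NAT rule rather than the routing table is deciding the egress interface, which is exactly the symptom the route-lookup option addresses.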
I changed the route for that network and worked!
But I needed to keep the bypass. I didn't understand why, because the traffic comes from the DMZ and goes to INSIDE.
route inside 10.0.32.0 255.255.255.0 10.11.5.1 1
Now, and it's working:
route inside 10.0.32.0 255.255.255.0 10.11.2.3 1
I don't have an interface in the 10.11.5.0 network. I guess when someone configured the route, they put this 10.11.5.1 as the gateway, but I don't know how it was working.
Now I changed it to 10.11.2.3 and it's OK. My firewall has an interface in the 10.11.2.0 network.
But the bypass is still a mystery to me!