Problem with no-NAT after version upgrade

Hello Guys...

I'm having problems with NAT after the upgrade....

source = 10.11.7.14

destination = 10.0.32.10

The next hop for 10.0.32.0/24 is 10.0.5.1, via the inside interface. My firewall pings 10.0.5.1. When I change the routing so the traffic doesn't pass through the firewall, the connection from source to destination works!

In the log, I'm receiving these messages:

Severity | Date | Time | Syslog ID | Source | Src port | Destination | Dst port | Description
6 | Nov 23 2012 | 15:24:54 | 302303 | spbwts02_0303 | 55517 | 10.0.32.10 | 80 | Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10/80)
6 | Nov 23 2012 | 15:27:29 | 302304 | spbwts02_0303 | 51123 | 10.0.32.10 | 80 | Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout

In 8.2 I had this NAT:

DMZ interface:

Exempt     10.0.32.0/24     10.11.7.0/24     (outbound)

I have a bypass for those networks and services. I guess I don't need the bypass because the packet comes from dmz and goes to inside, right? Anyway, I removed the bypass and nothing happened!

And now, in 8.4(5) I have:

DMZ     Inside     obj-10.11.7.0/24     obj-10.0.32.0/24     any      original     original    

What could my problem be?
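The two syslog lines in the post carry the actual symptom: a state-bypass connection is built on the first packet (no handshake required), then torn down after an hour with bytes 0 and reason "Connection timeout", which means the SYN left the firewall and nothing ever came back through it. The script below is an added example, not part of the thread or of any Cisco tool: it parses ASA teardown messages (302304 for state-bypass flows and, going beyond the post, 302014 for ordinary TCP flows) and lists the one-way flows, which is a quick way to find misrouted or asymmetric traffic after an upgrade. The log lines are constructed from the post's two messages rewritten in the %ASA-sev-id syslog form, plus two healthy 302013/302014 lines for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not copied from the page): the post's 302303/302304 messages in
# %ASA-<severity>-<id> syslog form, plus a healthy ordinary TCP flow for contrast.
SAMPLE_LOG = """\
%ASA-6-302303: Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10/80)
%ASA-6-302304: Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout
%ASA-6-302013: Built inbound TCP connection 249016 for dmz:10.11.7.14/55518 (10.11.7.14/55518) to inside:10.0.32.10/80 (10.0.32.10/80)
%ASA-6-302014: Teardown TCP connection 249016 for dmz:10.11.7.14/55518 to inside:10.0.32.10/80 duration 0:00:02 bytes 1480 TCP FINs
"""


@dataclass
class Teardown:
    msg_id: str
    conn_id: int
    state_bypass: bool
    src_ifc: str
    src: str
    sport: int
    dst_ifc: str
    dst: str
    dport: int
    duration_s: int
    nbytes: int
    reason: str


# 302304 (state-bypass) says "from <ifc>:<addr>/<port>", 302014 says "for <ifc>:<addr>/<port>".
_TEARDOWN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>302304|302014): Teardown TCP (?P<bypass>state-bypass )?"
    r"connection (?P<conn>\d+) (?:for|from) "
    r"(?P<src_ifc>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)


def _duration_seconds(hms: str) -> int:
    """Convert the ASA's h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one 302304/302014 teardown line; return None for any other message."""
    m = _TEARDOWN_RE.search(line)
    if not m:
        return None
    return Teardown(
        msg_id=m["msgid"],
        conn_id=int(m["conn"]),
        state_bypass=m["bypass"] is not None,
        src_ifc=m["src_ifc"],
        src=m["src"],
        sport=int(m["sport"]),
        dst_ifc=m["dst_ifc"],
        dst=m["dst"],
        dport=int(m["dport"]),
        duration_s=_duration_seconds(m["dur"]),
        nbytes=int(m["nbytes"]),
        reason=(m["reason"] or "").strip(),
    )


def one_way_flows(log_text: str) -> List[Teardown]:
    """Teardowns that moved zero bytes and died of 'Connection timeout': the first
    packet was forwarded, but no reply ever traversed the firewall."""
    found = []
    for line in log_text.splitlines():
        t = parse_teardown(line)
        if t and t.nbytes == 0 and t.reason == "Connection timeout":
            found.append(t)
    return found


if __name__ == "__main__":
    for t in one_way_flows(SAMPLE_LOG):
        kind = "state-bypass" if t.state_bypass else "stateful"
        print(f"conn {t.conn_id} ({kind}) {t.src_ifc}:{t.src}/{t.sport} -> "
              f"{t.dst_ifc}:{t.dst}/{t.dport} idle {t.duration_s}s, 0 bytes")
```

On the post's data this prints only connection 242785. A flow that shows up here while the same source reaches the same destination fine when the firewall is bypassed points at egress selection or routing on the firewall, not at the hosts.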

4 Replies

Peter Koltl
Level 7

You may have encountered the change of NAT behavior from 8.4(2). Check the "Lookup route table to locate egress interface" checkbox in your identity NAT rule. (This is the route-lookup option in CLI.)

Paste your config if that does not help.
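Peter's suggestion in CLI form, as an added example that is not from the thread: the migrated identity (no-translation) twice-NAT rule for the dmz-to-inside traffic, the same rule with route-lookup, and the commands to confirm which interface and next hop the ASA actually picks. The object names obj-10.11.7.0 and obj-10.0.32.0 and the interface names dmz/inside are assumed (ASDM shows the objects as obj-10.11.7.0/24 and obj-10.0.32.0/24); the addresses are the ones the post gives, and the source port in packet-tracer is arbitrary.

```text
! Network objects (names assumed)
object network obj-10.11.7.0
 subnet 10.11.7.0 255.255.255.0
object network obj-10.0.32.0
 subnet 10.0.32.0 255.255.255.0

! Rule as migrated from the 8.2 NAT exemption, without route-lookup.
! From 8.4(2) an identity NAT rule selects the egress interface from the
! rule's mapped interface instead of from the routing table.
nat (dmz,inside) source static obj-10.11.7.0 obj-10.11.7.0 destination static obj-10.0.32.0 obj-10.0.32.0

! Same rule with "Lookup route table to locate egress interface" ticked:
! the ASA consults the routing table for these packets again.
nat (dmz,inside) source static obj-10.11.7.0 obj-10.11.7.0 destination static obj-10.0.32.0 obj-10.0.32.0 route-lookup

! Checks. The static route's next hop has to sit on a subnet the ASA is
! directly connected to on that interface, or the lookup cannot resolve it.
show route
show nat detail
packet-tracer input dmz tcp 10.11.7.14 12345 10.0.32.10 80
```

packet-tracer reports each phase (route lookup, NAT, access list) and the final egress interface, so it shows directly whether the packet would leave on inside towards a reachable next hop or be dropped before that.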

Hi Peter!

I changed the route for that network and it worked!

But I needed to keep the bypass. I didn't understand why, because the traffic comes from DMZ and goes to INSIDE.

Fine, but what did you change exactly?

The route, look:

Before:

route inside 10.0.32.0 255.255.255.0 10.11.5.1 1

Now and working:

route inside 10.0.32.0 255.255.255.0 10.11.2.3 1

I don't have an interface in the 10.11.5.0 network. I guess when someone configured the route, they put 10.11.5.1 as the gateway, but I don't know how it was working.

Now I changed it to 10.11.2.3 and it's OK. My firewall has an interface in the 10.11.2.0 network.

But the bypass is still a mystery to me!
