11-23-2012 09:29 AM - edited 03-11-2019 05:27 PM
Hello Guys...
I'm having problems with NAT after the upgrade...
source = 10.11.7.14
destination = 10.0.32.10
The next hop for 10.0.32/24 is 10.0.5.1, via the inside interface. My firewall pings 10.0.5.1. When I change the route so the traffic doesn't pass through the firewall, the connection from source to destination works!
In the log, I'm receiving this message:
6 | Nov 23 2012 | 15:24:54 | 302303 | spbwts02_0303 | 55517 | 10.0.32.10 | 80 | Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10 /80) |
6 | Nov 23 2012 | 15:27:29 | 302304 | spbwts02_0303 | 51123 | 10.0.32.10 | 80 | Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout |
In 8.2 I had this NAT:
DMZ interface:
Exempt 10.0.32.0/24 10.11.7.0/24 (outbound)
I have a bypass for those networks and services. I guess I don't need the bypass because the packet comes from dmz and goes to inside, right? Anyway, I removed the bypass and nothing happened!
And now, in 8.4(5) I have:
DMZ Inside obj-10.11.7.0/24 obj-10.0.32.0/24 any original original
What can be my problem?
11-25-2012 12:24 PM
You may have encountered the change of NAT behavior from 8.4(2). Check the "Lookup route table to locate egress interface" checkbox in your identity NAT rule. (This is the route-lookup option in CLI.)
Paste your config if that doesn't help.
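For reference, here is what the identity NAT rule from the first post looks like in ASA 8.4 CLI with the route-lookup option the answer above refers to. This is an added example, not configuration posted by anyone in this thread; the object names are taken from the original post, the interface names (dmz, inside) are assumed from the log lines, and the subnet masks are assumed from the /24 prefixes given. From 8.4(2) on, an identity (twice) NAT rule selects the egress interface from the rule's mapped interface rather than from the routing table; adding route-lookup restores routing-table-based egress selection, which is why a stale or indirect route can cause built-then-timed-out connections with 0 bytes like the ones in the log.

```text
! Network objects for the two /24s (masks assumed from the /24 notation in the post)
object network obj-10.11.7.0
 subnet 10.11.7.0 255.255.255.0
object network obj-10.0.32.0
 subnet 10.0.32.0 255.255.255.0

! 8.4(2)+ default: egress interface is taken from the NAT rule (inside), not the route table
nat (dmz,inside) source static obj-10.11.7.0 obj-10.11.7.0 destination static obj-10.0.32.0 obj-10.0.32.0

! Same rule with route-lookup: egress interface is chosen from the routing table
! (ASDM: "Lookup route table to locate egress interface")
nat (dmz,inside) source static obj-10.11.7.0 obj-10.11.7.0 destination static obj-10.0.32.0 obj-10.0.32.0 route-lookup

! Verify which rule a flow matches and where it would be sent (addresses from the post)
packet-tracer input dmz tcp 10.11.7.14 12345 10.0.32.10 80
```

To confirm the effect, compare `show nat detail` and the `packet-tracer` output before and after adding route-lookup: the NAT phase should show the rule being hit, and the final egress interface should agree with `show route 10.0.32.10`. If the route still points at a next hop that is not on a directly connected subnet, fix the route as well; route-lookup only helps when the routing table itself is correct.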
11-26-2012 03:18 AM
Hi Peter!
I changed the route for that network and worked!
But I needed to keep the bypass. I didn't understand why, because the traffic comes from DMZ and goes to INSIDE.
11-26-2012 04:13 AM
Fine, but what did you change exactly?
11-26-2012 04:29 AM
The route, look:
Before:
route inside 10.0.32.0 255.255.255.0 10.11.5.1 1
Now and working:
route inside 10.0.32.0 255.255.255.0 10.11.2.3 1
I don't have an interface in the 10.11.5.0 network. I guess whoever configured the route put 10.11.5.1 as the gateway, but I don't know how it was working.
Now I changed it to 10.11.2.3 and it's OK. My firewall has an interface in the 10.11.2.0 network.
But the bypass is still a mystery to me!