Tuesday, March 2, 2010

NAT on FWSM and a misleading syslog message

Syslog is absolutely my best friend in troubleshooting Cisco firewalls. Today I was surprised to get such a "usual" message for such an unexpected issue. I hope Cisco adds a new syslog message for it. I've checked the version 4.1 syslog message documentation, and I wasn't able to find a syslog message for traffic that is dropped because it passes between interfaces with the same security level.

Today I was doing some NAT setup on FWSM 3.1. I wasn't sure the config would work, as there is no example in the configuration guide for two nat statements with the same NAT ID on the same interface with different source addresses. However, there was an example of this in the config guide for version 4.0 (Figure 15-15), so I wanted to try whether it would work. The configuration is below:

nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if1) 1
nat (if2) 1
nat (if3) 1
global (if4) 1

Everything worked as expected except the connections from if2. Looking at the log, I saw this message:

Mar  2 16:07:12 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2: dst if4

I checked the access-list, and the hit counts were there, so the next step in the traffic flow is the xlate table lookup. I removed the specific nat statement and retried: same message. I added it again and retried, and again the same message. It took some time until I got the idea to check the security levels on the interfaces, and I got this:

FWSM/context#show nameif
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
ethernet5                if5                       20

Both if2 and if4 sit at security level 20, and the FWSM denies traffic between same-security interfaces by default; the drop is logged as 106011 "No xlate" rather than as a same-security denial. After permitting traffic between interfaces with the same security level, I got the connection:

FWSM/context# show runn same-security-traffic
same-security-traffic permit inter-interface

FWSM/context# show xlate debug | grep
TCP PAT from if2: to if4: flags ri idle 0:00:20 timeout 0:00:30 connections 1

FWSM/context# show conn detail | grep
TCP out in idle 0:00:02 Bytes 64 FLAGS -
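Because the 106011 "No xlate" message looks the same whether the real cause is a missing translation or the same-security check, the quickest way to avoid the detour described above is to correlate the deny messages with the interface security levels. The following is an added example, not code from the original post or from Cisco: it parses a constructed `show nameif` table and some constructed `%FWSM-3-106011` lines (the addresses, ports and the extra 302013 line are placeholders I made up) and flags each deny whose source and destination interfaces share a security level while `same-security-traffic permit inter-interface` is absent. The `inter_interface_permitted` flag and the verdict strings are this example's own names.

```python
import re

# Constructed sample of "show nameif" output, modelled on the table in the post
# (this is not a capture from a real FWSM).
NAMEIF_OUTPUT = """\
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
ethernet5                if5                       20
"""

# Constructed %FWSM-3-106011 lines in the documented format
# "Deny inbound (No xlate) proto src if:addr/port dst if:addr/port".
# Addresses and ports are placeholders; the last line is a non-106011 message
# included to show that it is ignored.
SYSLOG_LINES = [
    "Mar  2 16:07:12 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2:10.2.0.10/3456 dst if4:10.4.0.5/80",
    "Mar  2 16:07:15 %FWSM-3-106011: Deny inbound (No xlate) tcp src if1:10.1.0.7/44001 dst if4:10.4.0.5/443",
    "Mar  2 16:07:20 %FWSM-3-106011: Deny inbound (No xlate) udp src if3:10.3.0.2/5000 dst if4:10.4.0.5/53",
    "Mar  2 16:07:21 %FWSM-6-302013: Built outbound TCP connection 12 for if3:10.3.0.2/5001 to if4:10.4.0.5/80",
]

NAMEIF_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<name>\S+)\s+(?P<level>\d+)\s*$")
DENY_RE = re.compile(
    r"%FWSM-\d-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
)


def parse_nameif(text):
    """Map interface name -> security level from 'show nameif' output.

    The header line does not match NAMEIF_RE because its third column is not
    numeric, so it is skipped without special handling.
    """
    levels = {}
    for line in text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group("name")] = int(m.group("level"))
    return levels


def parse_106011(line):
    """Extract the fields of a %FWSM-3-106011 line; None for any other message."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def classify_denies(lines, levels, inter_interface_permitted=False):
    """Attach a verdict to every 106011 line in `lines`.

    The FWSM logs a same-security drop with the same 106011 'No xlate' text as a
    genuine missing translation, so the interface levels are needed to tell
    them apart. `inter_interface_permitted` mirrors whether
    'same-security-traffic permit inter-interface' is in the running config.
    """
    results = []
    for line in lines:
        deny = parse_106011(line)
        if deny is None:
            continue
        src_level = levels.get(deny["src_if"])
        dst_level = levels.get(deny["dst_if"])
        if src_level is None or dst_level is None:
            verdict = "unknown-interface"   # nameif table does not cover it
        elif src_level == dst_level and not inter_interface_permitted:
            verdict = "same-security"       # check same-security-traffic first
        else:
            verdict = "no-xlate"            # check the nat/global pair
        deny["verdict"] = verdict
        results.append(deny)
    return results


if __name__ == "__main__":
    levels = parse_nameif(NAMEIF_OUTPUT)
    for r in classify_denies(SYSLOG_LINES, levels):
        print(f"{r['src_if']}({levels.get(r['src_if'])}) -> "
              f"{r['dst_if']}({levels.get(r['dst_if'])}): {r['verdict']}")
```

Run against the sample data, only the if2 to if4 deny is reported as `same-security`; the if1 and if3 denies keep the `no-xlate` verdict because their levels differ from if4's. Once `inter_interface_permitted` is set (mirroring the fix applied above), a remaining 106011 between if2 and if4 really does point at the nat/global configuration.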

