FWSM 3.1(7): DNS static causes lost connectivity

Discussion in 'Cisco' started by Hoffa, Oct 26, 2007.

  1. Hoffa

    Hoffa Guest

    Hi all

    I've posted a few times before regarding an issue where, after a
    firewall migration, I suddenly lose external and internal access to
    services with static entries in my FWSM. The only hint I have is a
    show xlate where both the local and global IP are the external IP for
    the static.
    Now, a few days ago I retried the migration and had no problems until
    I finally moved the statics for our two DNSes with authority over our
    domain. As soon as these statics were entered in the FWSM and traffic
    was redirected from our edge routers I saw the duplicate IPs in the
    logs and lost connectivity.
    I've sent this to a few CCIE guys but no answer yet.

    My only guess is something with DNS inspection, which is configured
    on by default, but I need this feature for my outside NAT.

    Is there something else that can be done?

    Regards
    Fredrik
    Hoffa, Oct 26, 2007
    #1
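    As an added illustration (not from the thread and not Cisco's own tooling): a small script that parses `show xlate` output and flags the symptom described above, an xlate whose Global and Local address are both the static's external IP, plus any global address claimed by more than one local host. The output line shapes are assumed to follow the PIX/FWSM 3.x style and the sample output and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed FWSM 3.x / PIX-style "show xlate" line shapes:
#   static:  Global <ip> Local <ip>
#   PAT:     PAT Global <ip>(<port>) Local <ip>(<port>)
XLATE_RE = re.compile(
    r"^(?:(?P<pat>PAT)\s+)?Global\s+(?P<glob>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<loc>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?\s*$"
)


def parse_xlate(text):
    """Return (global_ip, local_ip, is_pat) tuples; non-xlate lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append((m.group("glob"), m.group("loc"), m.group("pat") is not None))
    return entries


def find_suspect_xlates(text):
    """Flag self-mapped xlates (Global == Local, the symptom in the post) and
    global addresses that several different local hosts translate to."""
    entries = parse_xlate(text)
    self_mapped = sorted({g for g, l, _ in entries if g == l})
    locals_by_global = defaultdict(set)
    for g, l, is_pat in entries:
        if not is_pat:  # PAT legitimately shares one global across many locals
            locals_by_global[g].add(l)
    shared = {g: sorted(ls) for g, ls in locals_by_global.items() if len(ls) > 1}
    return {"self_mapped": self_mapped, "shared_global": shared}


# Constructed sample output (RFC 5737 documentation addresses), not a real capture.
SAMPLE_XLATE = """\
4 in use, 4 most used
Global 203.0.113.53 Local 203.0.113.53
Global 203.0.113.53 Local 10.1.1.53
Global 203.0.113.80 Local 10.1.1.80
PAT Global 203.0.113.1(1027) Local 10.1.1.4(2043)
"""

if __name__ == "__main__":
    for kind, hits in find_suspect_xlates(SAMPLE_XLATE).items():
        print(f"{kind}: {hits}")
```

    Run it on a pasted `show xlate` dump; a non-empty `self_mapped` list is the self-referential static the post describes and is worth checking before the DNS statics are cut over.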

  2. Brian V

    Brian V Guest

    "Hoffa" <> wrote in message
    news:...
    > Hi all
    >
    > I've posted a few times before regarding an issue where, after a
    > firewall migration, I suddenly lose external and internal access to
    > services with static entries in my FWSM. The only hint I have is a
    > show xlate where both the local and global IP are the external IP for
    > the static.
    > Now, a few days ago I retried the migration and had no problems until
    > I finally moved the statics for our two DNSes with authority over our
    > domain. As soon as these statics were entered in the FWSM and traffic
    > was redirected from our edge routers I saw the duplicate IPs in the
    > logs and lost connectivity.
    > I've sent this to a few CCIE guys but no answer yet.
    >
    > My only guess is something with DNS inspection, which is configured
    > on by default, but I need this feature for my outside NAT.
    >
    > Is there something else that can be done?
    >
    > Regards
    > Fredrik
    >


    Are you routing context to context? If so, that's a big no-no. With a FWSM
    you essentially need to route to a true routing point, i.e. a VLAN interface
    on the supervisor, for inter-context communication. FWSMs work off what is
    called a qualifier, and NATs take precedence over static routes. Basically
    you can never have (or should never have) context to context communication
    directly; it can cause all kinds of issues.

    context to context = bad
    context to route point to context = good
    Brian V, Oct 26, 2007
    #2

  3. Hoffa

    Hoffa Guest

    On 26 Oct, 15:10, "Brian V" <> wrote:
    > "Hoffa" <> wrote in message
    > news:...
    > > Hi all
    > >
    > > I've posted a few times before regarding an issue where, after a
    > > firewall migration, I suddenly lose external and internal access to
    > > services with static entries in my FWSM. The only hint I have is a
    > > show xlate where both the local and global IP are the external IP for
    > > the static.
    > > Now, a few days ago I retried the migration and had no problems until
    > > I finally moved the statics for our two DNSes with authority over our
    > > domain. As soon as these statics were entered in the FWSM and traffic
    > > was redirected from our edge routers I saw the duplicate IPs in the
    > > logs and lost connectivity.
    > > I've sent this to a few CCIE guys but no answer yet.
    > >
    > > My only guess is something with DNS inspection, which is configured
    > > on by default, but I need this feature for my outside NAT.
    > >
    > > Is there something else that can be done?
    > >
    > > Regards
    > > Fredrik
    >
    > Are you routing context to context? If so, that's a big no-no. With a FWSM
    > you essentially need to route to a true routing point, i.e. a VLAN interface
    > on the supervisor, for inter-context communication. FWSMs work off what is
    > called a qualifier, and NATs take precedence over static routes. Basically
    > you can never have (or should never have) context to context communication
    > directly; it can cause all kinds of issues.
    >
    > context to context = bad
    > context to route point to context = good


    I know that limitation. I have two contexts configured on the FWSM but
    they are separated by a router and not sharing any VLANs at all.

    /Fredrik
    Hoffa, Oct 29, 2007
    #3
