FWSM 3.1(7): DNS static causes lost connectivity



Hi all

I've posted a few times before regarding an issue where, after a
firewall migration, I suddenly lose external and internal access to
services with static entries in my FWSM. The only hint I have is a
show xlate where both the local and global IP are the external IP for
the static.
Now, a few days ago I retried the migration and had no problems until
I finally moved the statics for our two DNS servers with authority over our
domain. As soon as these statics were entered in the FWSM and traffic
was redirected from our edge routers I saw the duplicate IPs in the
logs and lost connectivity.
I've sent this to a few CCIE guys but no answer yet.

My only guess is something with DNS inspection, which is configured
default on, but I need this feature for my outside NAT.

Is there something else that can be done?

Regards
Fredrik

Reply fredrik.hofgren (23) 10/26/2007 12:01:00 PM
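The only evidence in the post is a show xlate table in which a static's global and local addresses are both the outside address. The script below is an added check, not something from the thread or from Cisco: it parses that table, flags translations that map an address to itself, and compares the table against the statics you intended to configure. The line format ("Global <ip> Local <ip>", with "PAT" and port suffixes for dynamic entries), the sample table and the EXPECTED_STATICS map are all constructed assumptions; adjust them to the output of your own FWSM.

```python
import re
from typing import Dict, List

# Constructed sample of 'show xlate' output (format assumed, modelled on the
# PIX/FWSM style). Two of the statics show the outside address on both sides,
# which is the symptom described in the post.
SAMPLE_XLATE = """\
4 in use, 4 most used
Global 203.0.113.10 Local 10.0.0.10
Global 203.0.113.53 Local 203.0.113.53
Global 203.0.113.54 Local 203.0.113.54
PAT Global 203.0.113.1(1024) Local 10.0.0.20(40001)
"""

# Constructed: what the 'static (inside,outside)' lines were meant to build,
# keyed by global (outside) address -> local (inside) address.
EXPECTED_STATICS: Dict[str, str] = {
    "203.0.113.10": "10.0.0.10",
    "203.0.113.53": "10.0.0.53",
    "203.0.113.54": "10.0.0.54",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
XLATE_RE = re.compile(
    rf"^(?P<pat>PAT\s+)?Global\s+(?P<glob>{IPV4})(?:\(\d+\))?"
    rf"\s+Local\s+(?P<loc>{IPV4})(?:\(\d+\))?\s*$"
)


def parse_xlate(text: str) -> List[Dict[str, object]]:
    """Parse the translation lines of a 'show xlate' dump.

    Counter/header lines that do not match the assumed format are skipped.
    Each entry records the global address, the local address and whether
    the line was a PAT (port) translation.
    """
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = XLATE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "global": m.group("glob"),
            "local": m.group("loc"),
            "pat": m.group("pat") is not None,
        })
    return entries


def identity_xlates(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries whose global and local address are identical.

    For a static this means the firewall is translating the outside address
    to itself instead of to the inside host, so the inside service is
    unreachable from both sides even though the xlate 'exists'.
    """
    return [e for e in entries if e["global"] == e["local"]]


def check_statics(entries: List[Dict[str, object]],
                  expected: Dict[str, str]) -> List[str]:
    """Compare the static (non-PAT) xlates against the intended mappings."""
    seen = {e["global"]: e["local"] for e in entries if not e["pat"]}
    problems: List[str] = []
    for glob, loc in expected.items():
        actual = seen.get(glob)
        if actual is None:
            problems.append(f"{glob}: no xlate built for static -> {loc}")
        elif actual == glob:
            problems.append(f"{glob}: xlate maps the global address to itself "
                            f"(expected local {loc})")
        elif actual != loc:
            problems.append(f"{glob}: xlate local is {actual}, expected {loc}")
    return problems


if __name__ == "__main__":
    table = parse_xlate(SAMPLE_XLATE)
    for e in identity_xlates(table):
        print("identity xlate:", e["global"])
    for p in check_statics(table, EXPECTED_STATICS):
        print("problem:", p)
```

Feed it the real output (for example saved from the console before and after the statics are added) and diff the problem lists; an entry that appears only after the DNS statics go in is the one to chase with the inspection settings on that context.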

"Hoffa" <fredrik.hofgren@gmail.com> wrote in message 
news:1193400060.564785.283280@y42g2000hsy.googlegroups.com...

Are you routing context to context? If so, that's a big no-no. With an FWSM 
you essentially need to route to a true routing point, i.e. a VLAN interface 
on the supervisor for inter-context communication. FWSMs work off what is 
called a qualifier, and NATs take precedence over static routes. Basically 
you can never have (or should never have) context-to-context communication 
directly; it can cause all kinds of issues.

context to context = bad
context to route point to context = good 

Reply Brian 10/26/2007 2:10:50 PM


On 26 Oct, 15:10, "Brian V" <diespam...@nospam.com> wrote:
> "Hoffa" <fredrik.hofg...@gmail.com> wrote in message
>
> news:1193400060.564785.283280@y42g2000hsy.googlegroups.com...
>
>
>
> > Hi all
>
> > I've posted a few times before regarding and issue where I after a
> > firewall migration suddenly loose external and internal access to
> > services with static entires in my FWSM. The only hint I have is a
> > show xlate where both the local and global IP is the external IP for
> > the static.
> > Now, a few days ago I retried the migration and had no problems until
> > I finally moved the statics for our two DNSes with authority over our
> > domain. As soon as these statics were entered in the FWSM and traffic
> > was redirected from our edge routers I saw the duplicate IPs in the
> > logs and lost connectivity.
> > I've sent this to a few CCIE guys but no answer yet.
>
> > My only guess is something with DNS inspection, which is configured
> > default on, but I need this feature for my outside NAT.
>
> > Is there something else that can be done?
>
> > Regards
> > Fredrik
>
> Are you routing context to context? If so, that's a big no-no. With an FWSM
> you essentially need to route to a true routing point, i.e. a VLAN interface
> on the supervisor for inter-context communication. FWSMs work off what is
> called a qualifier, and NATs take precedence over static routes. Basically
> you can never have (or should never have) context-to-context communication
> directly; it can cause all kinds of issues.
>
> context to context = bad
> context to route point to context = good

I know that limitation. I have two contexts configured on the FWSM but
they are separated by a router and not sharing any VLANs at all.

/Fredrik

Reply Hoffa 10/29/2007 2:05:24 PM
