Cisco Catalyst 6500 Series Firewall Services Module Troubleshooting Guide
FWSM: Troubleshoot Traffic Failures Due to Wrong Xlates
Document ID: 115010
Contributed by Michael Robertson and Jay Johnston, Cisco TAC Engineers.
Nov 02, 2012
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Symptoms
Logical Topology
Relevant Configuration
Observed Behaviors
Triggers
Solutions
Resolve Incorrect Routing Configurations
Disable same-security-traffic permit intra-interface
Drop Packets that Arrive on an Incorrect Interface (ACLs or uRPF)
Enable xlate-bypass
Summary
Related Information
Introduction
Due to the design of packet processing on the Firewall Services Module (FWSM), xlates built by incorrectly
routed packets can cause traffic failures for connections through the firewall. In order to select an egress
interface for an inbound packet, the FWSM first checks whether the destination IP of the inbound packet
matches any existing global IP/network in a NAT translation (xlate) for that interface in its xlate table. If a
match is found, the egress interface is simply chosen based on the local interface in the xlate entry, and the
firewall does not consult the routing table to make the egress interface decision.
The default behavior of the FWSM is to build an xlate entry for the source IP of any permitted packet that is
received on one of its interfaces. If a packet is routed through the network incorrectly (for any number of
reasons) and arrives inbound on the wrong interface of the FWSM, an xlate is built to reflect this. When this
occurs, entries in the xlate table can override entries in the routing table and cause traffic failures for the
affected destinations.
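The lookup order described above (xlate table first, routing table second) and the way a misrouted packet poisons it can be modelled in a few lines. The following is an added illustration, not code from the document or from Cisco; the interface names, the routing table, the addresses and the identity-xlate behaviour are constructed assumptions, and xlate-bypass is modelled simply as "do not build an xlate for untranslated traffic".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Xlate:
    local_ip: str    # address as seen on the local interface
    local_if: str
    global_ip: str   # address as seen on the global interface
    global_if: str


# Constructed sample routing table (assumption): 10.0.0.0/8 is really behind 'inside'.
ROUTES = [("10.0.0.0/8", "inside"), ("172.16.0.0/16", "dmz"), ("0.0.0.0/0", "outside")]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, i.e. what the routing table alone would decide."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n).prefixlen, i) for n, i in routes if addr in ipaddress.ip_network(n)]
    return max(hits)[1]


def select_egress(ingress_if, dst, xlates):
    """FWSM order: an xlate whose global side matches (ingress_if, dst) wins outright;
    only when no xlate matches is the routing table consulted."""
    for x in xlates:
        if x.global_if == ingress_if and x.global_ip == dst:
            return x.local_if
    return route_lookup(dst)


def forward(ingress_if, src, dst, xlates, xlate_bypass=False):
    """Forward one permitted packet and, unless xlate-bypass is on, record an xlate for its source.
    Simplifying assumption: no translation is configured, so the xlate is an identity xlate."""
    egress_if = select_egress(ingress_if, dst, xlates)
    if not xlate_bypass:
        xlates.append(Xlate(src, ingress_if, src, egress_if))
    return egress_if


def scenario(xlate_bypass=False):
    """Host 10.1.1.5 sits behind 'inside', but one of its packets is misrouted and enters on 'dmz'.
    Returns the interface the firewall then picks for return traffic arriving on 'outside'."""
    xlates = []
    forward("dmz", "10.1.1.5", "198.51.100.10", xlates, xlate_bypass)   # builds the bad xlate
    return select_egress("outside", "10.1.1.5", xlates)


if __name__ == "__main__":
    print("default:     ", scenario())                    # dmz    (xlate overrides the route)
    print("xlate-bypass:", scenario(xlate_bypass=True))   # inside (routing table is consulted)
```

Checking `show xlate` for entries whose local interface disagrees with `show route` for the same address is the same comparison this model performs.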
This document describes the symptoms and triggers of this issue, explains how to diagnose it, and provides
solutions for preventing it from occurring.
Prerequisites