Cisco Catalyst 6500 Series Firewall Services Module Troubleshooting Guide

Because the same-security-traffic permit intra-interface command is enabled, the FWSM will allow the
u-turned xlate to be built.
To summarize, the first xlate was triggered by:
• A broad 10.0.0.0/8 route configured on the DMZ router
• A permit ip any any ACL configured on the FWSM's inside interface
The second xlate was triggered by:
• A flapping interface on the Inside router
• same-security-traffic permit intra-interface configured on the FWSM
Solutions
There are many different possible solutions to this problem. First and foremost, deleting the xlate from the
table should allow traffic to start working again until the xlate is rebuilt. This can be done with the clear xlate
command. For example:
FWSM# clear xlate interface inside local 10.30.1.1 global 10.30.1.1
Note: Any connections that are using the deleted xlate(s) will also be torn down.
Once that is complete, the focus should be on preventing the xlates from returning. Often, the preferred
way to do this is to fix the routing configuration in the environment so that traffic cannot arrive on the
wrong FWSM interface. The FWSM also offers a handful of configuration options to address these
issues.
Resolve Incorrect Routing Configurations
This solution takes careful planning and a deep understanding of the network environment. In the first
example above, the 10.0.0.0/8 route on the DMZ router is technically incorrect since the entire /8 network
does not exist beyond its 10.50.1.253 interface. Instead, some options that exist are:
• Eliminate the 10.50.1.0/24 network altogether and simply route all traffic through the FWSM. This
also provides better segmentation and security between the Inside and DMZ networks.
• Configure a static route on the DMZ for only 10.40.1.0/24 and remove the 10.0.0.0/8 route.
• Use a dynamic routing protocol between the Inside and DMZ routers to correctly advertise only the
networks that actually exist.
There are often many possibilities for adjusting the routing configuration, but the end goal is to ensure that
traffic from a given host is able to arrive only on a single FWSM interface.
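The following is an added example, not part of the Cisco guide: a small audit that compares a router's static routes with the networks that really exist behind each next hop, so an over-broad route like the DMZ router's 10.0.0.0/8 is flagged while the specific 10.40.1.0/24 route is not. The prefixes are the page's own; the route-table layout and the next-hop label "via-10.50.1.253" are constructed assumptions.

```python
import ipaddress

# Added example, not from the Cisco guide: audit a router's static routes
# against the networks that really exist behind each next hop, flagging
# over-broad routes such as the DMZ router's 10.0.0.0/8 discussed above.
# Prefixes are the page's own; the route-table layout and the next-hop
# label "via-10.50.1.253" (the link behind that interface) are constructed.

def uncovered_space(route, existing):
    """Parts of `route` not covered by any network in `existing`."""
    remaining = [ipaddress.ip_network(route)]
    for net in map(ipaddress.ip_network, existing):
        kept = []
        for chunk in remaining:
            if chunk.subnet_of(net):
                continue                                 # fully covered, drop it
            if net.subnet_of(chunk):
                kept.extend(chunk.address_exclude(net))  # carve net out of chunk
            else:
                kept.append(chunk)                       # disjoint, keep as-is
        remaining = kept
    return remaining

def audit_routes(routes, existing_behind):
    """routes: {prefix: next_hop}; existing_behind: {next_hop: [prefixes]}.
    Returns {prefix: [uncovered prefixes]} for routes broader than reality."""
    findings = {}
    for prefix, hop in routes.items():
        gaps = uncovered_space(prefix, existing_behind.get(hop, []))
        if gaps:
            findings[prefix] = sorted(str(g) for g in gaps)
    return findings

def host_in_gaps(findings, host):
    """True if `host` would be forwarded by an over-broad route."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(g)
               for gaps in findings.values() for g in gaps)

# Only 10.40.1.0/24 actually lives behind the DMZ router's 10.50.1.253 interface.
EXISTING = {"via-10.50.1.253": ["10.40.1.0/24"]}
DMZ_ROUTES_BEFORE = {"10.0.0.0/8": "via-10.50.1.253"}    # the broad route
DMZ_ROUTES_AFTER = {"10.40.1.0/24": "via-10.50.1.253"}   # the corrected route

if __name__ == "__main__":
    before = audit_routes(DMZ_ROUTES_BEFORE, EXISTING)
    print("over-broad routes before fix:", before)
    print("10.30.1.1 caught by the broad route:", host_in_gaps(before, "10.30.1.1"))
    print("over-broad routes after fix:", audit_routes(DMZ_ROUTES_AFTER, EXISTING))
```

Run against a real route table, the findings list shows exactly which address space a route claims without any network behind the hop to justify it, which is the condition that let 10.30.1.1 traffic reach the wrong FWSM interface.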
Disable same-security-traffic permit intra-interface
The same-security-traffic permit intra-interface command allows the FWSM to u-turn or hairpin traffic
on an interface. This means that a packet can enter the firewall on the same interface it leaves on. This
functionality is disabled by default and has very little use in most FWSM designs. Because the FWSM uses
VLAN interfaces, traffic that stays within the same VLAN should never be processed by the FWSM.
In the second example above, the same-security-traffic permit intra-interface command allowed a packet
to both enter and leave the inside interface. Disabling same-security-traffic permit intra-interface would
prevent this behavior and drop the packet before an xlate was ever built: