Assistance about shared interface between multiple contexts

Unanswered Question
Mar 7th, 2007

Hi,

Excuse me. I have deployed an FWSM with 2 contexts. The inside is a shared interface and the outside interfaces are unique interfaces. On the shared interface I used identity static translation in the two contexts. Now the traffic cannot go through context B although it can go through context A. I don't know why. Please help me.

BTW, the topology is as follows.

               |--------------|
               |  10.0.22.0   |-----------------
               |--------------|                |
                      |                        |
           10.0.22.254|                        |10.0.22.250
               |-----------|             |------------|
               | Context A |             | Context B  |
               |-----------|             |------------|
                      |                        |
                   10.0.9.0                 10.0.5.0


My question is:

Is there any restriction in this environment?


Thanking in advance.


ZJ

Jon Marshall Thu, 03/08/2007 - 00:13

Hi


It sounds like the classifier is having a problem sending the traffic to the right context interface.


When you say you have static NAT set up, what do you mean? On a shared VLAN you must map NAT statements within each context, and clearly between contexts you can't have any overlap.


Could you send the configs of your 2 contexts with an explanation of where you are connecting from and where you are connecting to, and we might be able to help you.


Jon

junzhang Thu, 03/08/2007 - 16:05

Hi, Jon,


Thank you for your help. The main config of the 2 contexts is as follows.

No.1:

interface Vlan106
 description Outside
 nameif outside
 security-level 0
 ip address 10.0.9.1 255.255.255.192 standby 10.0.9.2
!
interface Vlan222
 description Link-FW-ShiHou-CeShi_Server
 nameif FW-ShiHou-CeShi_Server
 security-level 70
 ip address 10.0.22.254 255.255.255.0 standby 10.0.22.253
!
access-list any extended permit ip any any
access-list any extended permit icmp any any
access-list any extended permit tcp any any
access-list any extended permit tcp any any gt 1
!
icmp permit 10.0.9.0 255.255.255.0 outside
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server
!
nat (FW-ShiHou-CeShi_Server) 0 10.0.22.0 255.255.255.0
static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group any in interface outside
access-group any out interface outside
access-group any in interface FW-ShiHou-CeShi_Server
access-group any out interface FW-ShiHou-CeShi_Server
!
route outside 0.0.0.0 0.0.0.0 10.0.9.5 1


No.2:

interface Vlan105
 description Network Manage Hosts
 nameif netmanage
 security-level 60
 ip address 10.0.5.254 255.255.255.0 standby 10.0.5.253
!
interface Vlan222
 description Link-FW-ShiHou-CeShi_Server
 nameif FW-ShiHou-CeShi_Server
 security-level 100
 ip address 10.0.22.250 255.255.255.0 standby 10.0.22.249
!
access-list Netman extended permit ip 10.0.5.0 255.255.255.0 any
access-list Netman extended permit icmp 10.0.5.0 255.255.255.0 any
access-list Netman extended permit ip any 10.0.5.0 255.255.255.0
access-list Netman extended permit icmp any 10.0.5.0 255.255.255.0
!
access-list CESHI extended permit ip 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit ip 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
!
static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group Netman in interface netmanage
access-group CESHI in interface FW-ShiHou-CeShi_Server
!
icmp permit 10.0.5.0 255.255.255.0 netmanage
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server


Now, in the first context, all the traffic is normal. In the second context the ICMP traffic from 10.0.5.0 to the netmanage interface and from 10.0.22.0 to the FW-ShiHou-CeShi_Server interface is normal. But the traffic going through the context from outside to inside does not work. And when I ping from 10.0.5.0 to 10.0.22.0 the xlate table in the 2nd context has the right entries, but I cannot see any information although the context ICMP debug is on.


Thank you for your help!


ZJ

Jon Marshall Mon, 03/12/2007 - 04:17

Hi


Apologies for the delay in replying, I've been off work for a couple of days.


If you use shared interfaces you have to setup static NAT translations whether the traffic is coming from a higher to a lower level security interface or vice-versa.


You don't have a NAT translation in context 2 for the 10.0.5.0 network. I think when the ICMP echo reply is sent from VLAN 222 to VLAN 105 the FWSM does not know how to classify the traffic.


You need a NAT statement for the 10.0.5.0 network.


Try


static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0


Let me know how you get on


HTH


Jon
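As an added illustration of the rule Jon describes (not code from the thread or from Cisco), the following Python model classifies a packet arriving on a shared VLAN by matching its destination address against the mapped networks that each context's static statements publish on that shared interface. A packet arriving on a VLAN owned by one context goes to that context without any lookup. The model is a simplification: it covers only this NAT-based rule and ignores other classifier inputs such as unique MAC addresses. The context definitions, the VLAN-to-context ownership, and the packet addresses are taken from the configs posted above; the function names, the Context/Static structures, and the test packets are assumptions made for this example.

```python
"""Simplified model of the FWSM shared-interface classifier rule discussed in
the thread.  Assumption for illustration only: a context receives a packet on
a shared VLAN when the packet's destination falls inside a mapped network that
one of that context's static statements puts on the shared interface."""
import ipaddress
import re
from dataclasses import dataclass

# Matches the posted form: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(
    r"static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")

SHARED = "FW-ShiHou-CeShi_Server"   # nameif of the shared VLAN 222 in both contexts


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped_net: ipaddress.IPv4Network


def parse_static(line: str) -> Static:
    """Parse one 'static (...)' line into the interface pair and mapped network."""
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    net = ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=False)
    return Static(m["real_if"], m["mapped_if"], net)


@dataclass
class Context:
    name: str
    vlans: dict       # nameif -> VLAN id
    statics: list     # Static entries

    def mapped_nets_on(self, ifname):
        """Networks this context publishes on interface `ifname` via static."""
        return [s.mapped_net for s in self.statics if s.mapped_if == ifname]


def owners_of_vlan(contexts, vlan):
    return [c for c in contexts if vlan in c.vlans.values()]


def ifname_for_vlan(ctx, vlan):
    return next(n for n, v in ctx.vlans.items() if v == vlan)


def classify(contexts, vlan, dst_ip):
    """Name of the context that receives a packet for `dst_ip` arriving on
    `vlan`; None when no context (or more than one) matches, i.e. the
    classifier cannot place the packet."""
    dst = ipaddress.IPv4Address(dst_ip)
    owners = owners_of_vlan(contexts, vlan)
    if len(owners) == 1:                      # unique interface: no NAT lookup
        return owners[0].name
    matches = [c.name for c in owners
               if any(dst in n for n in c.mapped_nets_on(ifname_for_vlan(c, vlan)))]
    return matches[0] if len(matches) == 1 else None


def overlapping_mappings(contexts, vlan):
    """Pairs of contexts whose mapped networks on the shared VLAN overlap,
    which the thread notes is not allowed between contexts."""
    owners = owners_of_vlan(contexts, vlan)
    found = []
    for i, a in enumerate(owners):
        for b in owners[i + 1:]:
            for na in a.mapped_nets_on(ifname_for_vlan(a, vlan)):
                for nb in b.mapped_nets_on(ifname_for_vlan(b, vlan)):
                    if na.overlaps(nb):
                        found.append((a.name, b.name, str(na), str(nb)))
    return found


# Contexts as posted (only the classifier-relevant static lines).
CONTEXT_A = Context("A", {"outside": 106, SHARED: 222}, [parse_static(
    "static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0")])
CONTEXT_B = Context("B", {"netmanage": 105, SHARED: 222}, [parse_static(
    "static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0")])
# Context B with the static Jon suggested added.
CONTEXT_B_FIXED = Context("B", CONTEXT_B.vlans, CONTEXT_B.statics + [parse_static(
    "static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0")])


def echo_round_trip(contexts, src, dst, request_vlan):
    """(context for the echo request, context for the echo reply).  The
    request enters on `request_vlan`; the reply returns on shared VLAN 222
    with the original source as its destination."""
    return (classify(contexts, request_vlan, dst), classify(contexts, 222, src))


if __name__ == "__main__":
    # Constructed sample ping: 10.0.5.10 (netmanage) -> 10.0.22.20 (shared side)
    print("before fix (request, reply):",
          echo_round_trip([CONTEXT_A, CONTEXT_B], "10.0.5.10", "10.0.22.20", 105))
    print("after fix  (request, reply):",
          echo_round_trip([CONTEXT_A, CONTEXT_B_FIXED], "10.0.5.10", "10.0.22.20", 105))
```

Run stand-alone it shows the request reaching context B both times (VLAN 105 is unique to B), while the reply on VLAN 222 has no home until the identity static for 10.0.5.0 puts that network on the shared interface of context B. The overlapping_mappings check is the sanity test to run before adding statics on a shared VLAN in more than one context.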


