Contexts on FWSM!!!!!

Unanswered Question
Aug 18th, 2008


I have the following problem.

I am working with security contexts on a FWSM installed on a Cat 6500.

(I strongly recommend that you take a look at the topology diagram at this point)

My problem is that I can't make server SIRE_APP located on DMZ_SIRE communicate with any other host on any other VLAN UNLESS I manually configure the VLANs I want to communicate with on the CAT 6500.

For instance....

In order for server SIRE_APP ( (VLAN 11 --> to communicate with server DNSin ( (VLAN4 --> I have to manually enter the following lines on the CAT 6500:


interface Vlan11
 description DMZ_SIRE (configured on context EXTRA)
 ip address
 no shutdown

interface Vlan4
 description DMZ (configured on context EXTRA)
 ip address
 no shutdown


Then I have to manually change the SIRE_APP server's default gateway to point to ip (vlan 11) configured on the CAT 6500 instead of pointing to the ip (configured as an interface on context EXTRA).

BUT if I do this ALL other hosts on ANY other VLANs can't communicate with servers on the DMZ (VLAN4).

NONE of this is (or was necessary) in order for servers on VLAN 4 (DNSin, OASin) to communicate with hosts on any other VLANs.

I have set up CAPTURES (raw-data & asp-drop types) but the problem is not an access-list. I have tried several NATs but still the same...

I have attached the run config for context EXTRA, context INTRA and context system (CONTEXTS.txt) and relevant info on the running-config for the CAT 6500 (CAT 6500 with changes).

I'll appreciate any help on this issue.


a-ford Mon, 08/18/2008 - 12:52

You don't have a static from DMZ_SIRE to DMZ configured.

Are you getting xlate errors in the log of extra or the admin context?

Try adding a static and pinging.
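
The check the reply asks for (is there a static from DMZ_SIRE to DMZ?) can be run against a saved context configuration. This is an added example, not code from the thread: the sample config is constructed, the `nameif` names are assumed to match the VLAN names in the post, and the `inside` interface and all addresses are placeholders.

```python
import re

# Constructed sample context config (not the poster's attachment). Interface
# names DMZ and DMZ_SIRE follow the post; "inside" and all addresses
# (RFC 5737 documentation ranges) are placeholders.
SAMPLE_CONFIG = """\
interface Vlan4
 nameif DMZ
 security-level 50
 ip address 192.0.2.1 255.255.255.128
interface Vlan11
 nameif DMZ_SIRE
 security-level 60
 ip address 192.0.2.129 255.255.255.128
interface Vlan20
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
static (inside,DMZ) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
static (inside,DMZ_SIRE) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.M)
# Matches: static (real_ifc,mapped_ifc) <rest of statement>
STATIC_RE = re.compile(r"^static\s+\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+(.*)$", re.M)

def named_interfaces(config):
    """Interface names declared with nameif, in config order."""
    return NAMEIF_RE.findall(config)

def statics_by_pair(config):
    """Map (real_ifc, mapped_ifc) -> list of static statement bodies."""
    pairs = {}
    for real_if, mapped_if, rest in STATIC_RE.findall(config):
        pairs.setdefault((real_if, mapped_if), []).append(rest.strip())
    return pairs

def check_static(config, real_if, mapped_if):
    """Return the statics for one interface pair; [] means none configured."""
    names = named_interfaces(config)
    unknown = [n for n in (real_if, mapped_if) if n not in names]
    if unknown:
        raise ValueError(f"no nameif for: {', '.join(unknown)}")
    return statics_by_pair(config).get((real_if, mapped_if), [])

if __name__ == "__main__":
    for pair in [("DMZ_SIRE", "DMZ"), ("inside", "DMZ")]:
        found = check_static(SAMPLE_CONFIG, *pair)
        print(pair, "->", found or "no static configured")
```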

