FWSM InterContext Connection

Oct 11th, 2008

Hi Guys,

This is my first time asking a question on the Cisco NetPro Forums.
I am currently having a problem with one of my set-ups in our production environment. Let me first start by describing the set-up of the network infrastructure. I have a two-context firewall deployed on our Edge Router, a Cisco 7609. One context is deployed to cater to the DMZ requirement of our network and the other context is allocated to filter incoming traffic from the internet. (Please see attached Powerpoint Document)

A server in the DMZ needs to be accessed from the internet and vice versa. The local address of this server is translated into a public IP on the firewall context that is dedicated to filtering WWW traffic (WWW Firewall Context).

Problem is that I am unable to successfully connect to the internet using this set-up. I have checked the routing and have verified that I have a complete path going to the vlan interface of WWWFirewall Context. However I am not able to see any traffic hitting my WWWFirewall Context coming from my local address (10.10.10.10).

Farrukh Haroon Sat, 10/11/2008 - 03:17

Is there a route on the WWW FW Context and the MSFC for the 10.10.10.10 host?

Can you ping 10.10.10.10 from the WWW FW Context?

Regards

Farrukh

griever060684 Sat, 10/11/2008 - 19:42

Hi,

Yes, I can reach the server 10.10.10.10 from the WWWFW context. I can also ping the FW context from the 10.10.10.10 host.

I believe that routing is not an issue anymore, since I have set the default route on the DMZFW context pointing to the MSFC, and the MSFC by default routes to the WWWFW context.

From the WWWFW context, I have a 10.10.10.0/24 route pointing to the MSFC (10.10.2.33) and an entry in the MSFC pointing 10.10.10.0/24 to the DMZFW context.

Might there be an issue with my NAT on the WWWFW context? Because right now, I am mapping 10.10.10.10 to 200.200.30.5. The exact entry is:

static (VLAN200,VLAN1888) 200.200.30.5 10.10.10.10 netmask 255.255.255.255

Marwan ALshawi Sat, 10/11/2008 - 19:45

Can you please confirm that you have the proper permit ACLs in both directions? I mean that in each context you need to have a permit on the inside and outside interfaces for the required traffic.

griever060684 Sat, 10/11/2008 - 20:06

Hi Marwanshawi,

Yes, I have already placed ACLs in both the inbound and outbound directions. I am, however, not getting any hits on the firewall that would translate my local IP to a public IP.

Marwan ALshawi Sat, 10/11/2008 - 20:08

OK, now that you have made sure the NAT, routing and ACLs are configured correctly:

RELOAD the FWSM

then check the NAT again after that.

good luck

Marwan ALshawi Sat, 10/11/2008 - 06:45

First you need a permit ACL, because the FWSM denies all traffic on all interfaces by default.

Then you need a static route on WWWFW to 10.10.10.10 through the MSFC:

route vlan200 10.10.10.10 255.255.255.255 10.10.2.50

On the DMZ firewall you need the permit ACLs on both interfaces as well; as mentioned above, the FWSM denies all by default.

Then you need a route like:

route vlan220 0.0.0.0 0.0.0.0 10.10.2.49

On the MSFC:

ip route 0.0.0.0 0.0.0.0 10.10.2.43

good luck

griever060684 Sat, 10/11/2008 - 19:44

Hi,

I already have the default route and access lists on both contexts set to allow the traffic from the 10.10.10.10 host to the internet. The routing on the MSFC was also set. I am not sure, but I think I am having a problem with the translation of the local IP into the global IP.

Farrukh Haroon Sat, 10/11/2008 - 21:55

You can verify the NAT/connections with:

show conn det | inc 10.10.10.10

show xlate det | inc 10.10.10.10

The only thing having a higher preference than a static would be a nat (x) 0 ACL, in case you have one of those on any context?

Regards

Farrukh

griever060684 Sun, 10/12/2008 - 01:45

Thanks, I'll look into that during the troubleshooting window. Another question: since the static translation I configured on my firewall applies to vlan200 going to vlan1888, do I still need to configure another static translation, this time for the interface vlan1888 going to int vlan200?

Marwan ALshawi Sun, 10/12/2008 - 01:50

You don't need to make the translation twice.

Once the destination is translated to 10.10.10.10,

it will be sent internally to that address, and when it comes back to the outside it will be retranslated to the outside address.

good luck

Farrukh Haroon Sun, 10/12/2008 - 02:45

Yes, as Marwan said, static translations are bi-directional, so there is no need for two statements; in fact the second statement would mean something totally opposite. Similarly, "nat (intf) 0 access-list ..." is also bi-directional (NAT exemption).

Regular Dynamic NAT [nat/global] and Identity NAT [nat (intf) 0 ip mask] are uni-directional only, though.

Regards

Farrukh
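Pulling the routes, ACLs, the single static and the verification commands from the posts above into one place, as an added example that is not the original poster's configuration nor anything posted in the thread. Interface names and the addresses 10.10.10.10, 10.10.10.0/24, 10.10.2.33, 200.200.30.5, 10.10.2.43 and 10.10.2.49 come from the thread; every other interface address, the /28 masks, the DMZ VLAN number (300), the ACL names and the internet next hop are placeholders chosen for the example. It also shows the check a practitioner would want in the DMZ context: with nat-control enabled, a host that matches no NAT rule is dropped even though no translation is wanted there, which a NAT exemption (nat 0 access-list) fixes without changing the address.

```cisco
! ===== WWWFW context (added example, not from the thread) =====
! VLAN200 faces the MSFC (inside); VLAN1888 faces the internet (outside).
! Interface addresses and masks below are placeholders except where noted.
interface Vlan200
 nameif VLAN200
 security-level 100
 ip address 10.10.2.43 255.255.255.240
interface Vlan1888
 nameif VLAN1888
 security-level 0
 ip address 200.200.30.1 255.255.255.0
!
! One static is enough: it maps 10.10.10.10 -> 200.200.30.5 for traffic
! leaving VLAN1888 and 200.200.30.5 -> 10.10.10.10 for traffic entering it.
! A second static written (VLAN1888,VLAN200) would describe a different,
! unrelated translation, not the return direction of this one.
static (VLAN200,VLAN1888) 200.200.30.5 10.10.10.10 netmask 255.255.255.255
!
! The FWSM permits nothing by default, so every interface needs an ACL.
! Inbound from the internet the ACL matches the GLOBAL (translated) address,
! because on this release the ACL is checked before the static untranslates.
access-list WWW_OUTSIDE_IN extended permit tcp any host 200.200.30.5 eq www
access-group WWW_OUTSIDE_IN in interface VLAN1888
! Toward the internet the ACL matches the LOCAL (real) address.
access-list WWW_INSIDE_OUT extended permit ip host 10.10.10.10 any
access-group WWW_INSIDE_OUT in interface VLAN200
!
! The DMZ subnet is reached back through the MSFC (10.10.2.33 per the thread).
route VLAN200 10.10.10.0 255.255.255.0 10.10.2.33 1
! Placeholder internet next hop.
route VLAN1888 0.0.0.0 0.0.0.0 200.200.30.254 1
!
! ===== DMZFW context (added example) =====
! VLAN220 faces the MSFC (outside of this context); Vlan300 is a placeholder
! for the DMZ server VLAN.
interface Vlan220
 nameif VLAN220
 security-level 0
 ip address 10.10.2.50 255.255.255.240
interface Vlan300
 nameif DMZ
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
access-list DMZ_INSIDE_OUT extended permit ip host 10.10.10.10 any
access-group DMZ_INSIDE_OUT in interface DMZ
! Here the server is still 10.10.10.10 on both sides: translation happens
! only in the WWWFW context.
access-list DMZ_OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq www
access-group DMZ_OUTSIDE_IN in interface VLAN220
!
! If nat-control is on in this context, 10.10.10.10 must still match a NAT
! rule or its packets are dropped with no xlate ever built. NAT exemption
! keeps the real address and is bi-directional, so one statement covers
! both the outbound connection and the inbound one from the internet.
access-list DMZ_NONAT extended permit ip host 10.10.10.10 any
nat (DMZ) 0 access-list DMZ_NONAT
!
! Default route toward the MSFC (10.10.2.49 per the thread).
route VLAN220 0.0.0.0 0.0.0.0 10.10.2.49 1
!
! ===== MSFC (IOS, added example) =====
! DMZ subnet lives behind the DMZFW outside interface; everything else
! goes to the WWWFW inside interface (10.10.2.43 per the thread).
ip route 10.10.10.0 255.255.255.0 10.10.2.50
ip route 0.0.0.0 0.0.0.0 10.10.2.43
!
! ===== Verification (run in each context) =====
! Is nat-control forcing a NAT match? (the likely reason for "no hits")
show running-config nat-control
! Does the WWWFW context build the static xlate for the server?
show xlate detail | include 10.10.10.10
! Are connections being tracked through the context at all?
show conn detail | include 10.10.10.10
```

In the WWWFW context the xlate line for a working static carries the s (static) flag; if show xlate prints nothing for 10.10.10.10 while show conn in the DMZFW context also shows nothing, start with nat-control and the DMZ interface ACL, because the packet is being dropped before it ever reaches the context that translates it.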

griever060684 Sun, 10/12/2008 - 22:34

Hi guys, thank you for your help. The issue has been resolved. We just had a problem with the NAT of the IP. Thanks!
