FWSM InterContext Connection

Unanswered Question
Oct 11th, 2008

Hi Guys,

This is my first time inquiring on the Cisco NetPro Forums.


I am currently having a problem with one of my set-ups in our production environment. Let me first start by describing the set-up of the network infrastructure. I have a two-context firewall deployed on our Edge Router Cisco 7609. One context is deployed to cater to the DMZ requirement of our network and the other context is allocated to filter incoming traffic from the internet. (Please see attached Powerpoint Document)

A server from the DMZ needs to be accessed from the internet and vice versa. The local address of this server is being translated into a public IP on the firewall context that is set up to filter WWW traffic (WWW Firewall Context).

Problem is that I am unable to successfully connect to the internet using this set-up. I have checked the routing and have verified that I have a complete path going to the vlan interface of WWWFirewall Context. However I am not able to see any traffic hitting my WWWFirewall Context coming from my local address (

Farrukh Haroon Sat, 10/11/2008 - 03:17

Is there a route on the WWW FW Context and the MSFC for the host?

Can you ping from the WWW FW Context?



griever060684 Sat, 10/11/2008 - 19:42


Yes, I can reach the server from the WWWFW context. I can also ping the FW context from the host.

I believe that the routing is not an issue anymore since I have set the default routes on the DMZFW context pointing to the MSFC, and the MSFC by default routes to the WWWFW Context.

From the WWWFW context, I have a route pointing to the MSFC ( and an entry in the MSFC for pointing to the DMZFW context.

Might there be an issue with my NAT on the WWWFW Context? Because right now, I am mapping to exact entry is

static (VLAN200,VLAN1888) netmask

Marwan ALshawi Sat, 10/11/2008 - 19:45

Can you please confirm that you have the proper permit ACL in both directions? I mean in each context you need to have a permit on the inside and outside for the required traffic!!!

griever060684 Sat, 10/11/2008 - 20:06

Hi Marwanshawi,

Yes, I have already placed an ACL on both the inbound and outbound direction. I however am not getting any hits on the firewall that would translate my local IP to a public IP.

Marwan ALshawi Sat, 10/11/2008 - 20:08

OK, now after you made sure the NAT, routing and ACLs are configured correctly


then try to check out the NAT after that

good luck

Marwan ALshawi Sat, 10/11/2008 - 06:45

First you need to have a permit ACL because the FWSM denies all traffic on all interfaces by default

then you need a static route on the WWW FW to the through the MSFC

ip route vlan200

On the DMZ firewall you need to have the permit ACL on both interfaces as well; as mentioned above, the FWSM denies all by default

then you need routes like

ip route vlan220


ip route

good luck

griever060684 Sat, 10/11/2008 - 19:44


I already have the default route and access list on both contexts set to allow the traffic from the host to the internet. The routing on the MSFC was also set. I am not sure, but I think I am having a problem with the translation of the local IP into the global IP.

Farrukh Haroon Sat, 10/11/2008 - 21:55

You can verify the NAT/connections by

show conn det | inc

show xlate det | inc

The only thing having a higher preference than a static would be a nat (x) 0 ACL, in case you have one of those on any context?



griever060684 Sun, 10/12/2008 - 01:45

Thanks, I'll look into that during the troubleshooting window. Another question, since the static translation I configured on my firewall applies to vlan200 going to vlan1888, do I still need to configure another static translation this time for the interface vlan1888 going to int vlan200?

Marwan ALshawi Sun, 10/12/2008 - 01:50

You don't need to make the translation twice.

Once the destination is translated to

then it will be sent internally to that address; when it gets back to the outside it will be retranslated to the outside address.

good luck

Farrukh Haroon Sun, 10/12/2008 - 02:45

Yes, as Marwan said, static translations are bi-directional, so there is no need for two statements; in fact the second statement would mean something totally opposite. Similarly "nat (intf) 0 access-list ... " is also bi-directional (NAT exemption).

Regular Dynamic NAT [nat/global] and Identity NAT [nat (intf) 0 ip mask] are uni-directional only though.
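As an added illustration of the points made in this thread (this is not configuration posted by any participant), the following is a minimal FWSM-syntax configuration for the WWW firewall context: a single bidirectional static for the DMZ server, least-privilege permit ACLs on both interfaces (the FWSM denies everything not explicitly permitted), the return route toward the MSFC, and the two verification commands Farrukh mentions. The interface names VLAN200 and VLAN1888 come from the thread; every IP address below is a constructed placeholder from documentation ranges, and the MSFC and ISP next-hop addresses are assumptions.

```cisco
! Added example, not from the thread. WWW firewall context, FWSM syntax.
! Constructed placeholder addresses:
!   10.10.1.10    real (inside) address of the DMZ server, reached via the MSFC
!   203.0.113.10  mapped (outside) public address published for that server
!   10.10.200.1   assumed MSFC address on VLAN200
!   198.51.100.1  assumed ISP next hop on VLAN1888
interface Vlan200
 nameif VLAN200
 security-level 100
 ip address 10.10.200.2 255.255.255.0
interface Vlan1888
 nameif VLAN1888
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! One static covers both directions: 10.10.1.10 leaves VLAN1888 as 203.0.113.10,
! and traffic to 203.0.113.10 arriving on VLAN1888 is untranslated to 10.10.1.10.
! A second static written as (VLAN1888,VLAN200) would invert the meaning.
static (VLAN200,VLAN1888) 203.0.113.10 10.10.1.10 netmask 255.255.255.255
!
! Outbound: permit only the server, only toward the Internet.
access-list VLAN200_IN extended permit ip host 10.10.1.10 any
access-group VLAN200_IN in interface VLAN200
! Inbound: permit only the published service, addressed to the MAPPED IP
! (on this platform the outside ACL matches the address before untranslation).
access-list VLAN1888_IN extended permit tcp any host 203.0.113.10 eq www
access-group VLAN1888_IN in interface VLAN1888
!
! Return traffic for the server's real subnet goes back toward the MSFC;
! everything else goes to the Internet next hop.
route VLAN200 10.10.1.0 255.255.255.0 10.10.200.1 1
route VLAN1888 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Verification: with the static in place an xlate and a conn should show up
! for the real address once traffic flows.
! show xlate detail | include 10.10.1.10
! show conn detail | include 10.10.1.10
```

If `show xlate` stays empty while the ACL counters increment, check for a `nat (VLAN200) 0 access-list ...` exemption covering the host, since NAT exemption is preferred over a static and would leave the real address untranslated on the outside.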



griever060684 Sun, 10/12/2008 - 22:34

Hi guys, thank you for your help. The issue has already been resolved. We just had a problem with the NATting of the IP. Thanks!

