I currently have no idea what I might have missed when configuring a new context on the FWSM.
< MSFC > --- < VLAN 1113 > --- < FWSM A > --- < VLAN 1217 >
| 1113,1217 both forwarding on the trunk
< MSFC > --- < VLAN 1113 > --- < FWSM S > --- < VLAN 1217 >
FWSM ~ 3.2(8)
MSFC ~ 12.2(33)SXH2a
FWSM is running in multi mode and the vlans are allocated from the MSFC via the firewall-group. The context which is supposed to be administrative for the two vlans has the vlans correctly configured via "allocate-interface".
The transfer (outside) network is vlan 1113 and is also reachable. So I can log into my new context and start configuring.
Now the (not so) funny part. Within the context I am using nat-control and I created an ACL with an ACE permitting my vlan 1217 network to any.
Then I nat 0 (interface vlan1217) that network. So the NAT part is okay from my point of view.
I created an ACL for the traffic originating from vlan 1217 (security 50) with permit ip any. So vlan1217 is more or less my inside interface.
I also created an ACL for the outside interface (vlan 1113) and yes, all ACLs are assigned via "access-group <acl> in interface <interface>". I allowed ICMP via permit icmp on both interfaces. I can ping both interfaces from the FWSM itself. But I can't reach the vlan 1217 interface IP from the MSFC. The vlan 1113 interface IP replies to my ICMP packets just fine from the MSFC.
I already triple checked the L2 connections, the firewall group and the interface allocations for the context. The ACLs are there, the ICMP statement is there. The ACL is bound to the interface, the NAT statement is in place.
So before I start pulling my hair, maybe anyone has an idea what I might have missed.
Thanks for reading!
I overlooked your diagram.
It looks as if you are sharing the inside VLAN. Well, it's not a good idea and not recommended at all.
With multiple context mode the only valid option is to share outside VLANs. All of the FWSM contexts use the same MAC addresses (unlike the ASA, where you can have different MACs used for different contexts). As a result, the only criterion for handing over a packet to a particular context is the "destination ip".
For this reason you need static NAT entries to classify packets. With a shared inside interface/VLAN it's impossible to have all the destination IP addresses defined.
more details at
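The following is an added, constructed configuration that is not the poster's config and not from the reply above; it pulls together the steps described in the question (allocate-interface in the system space, nat-control with a nat 0 identity rule, per-interface ACLs bound with access-group, ICMP permitted) and the point made in the reply (an identity static so the classifier can map the destination network to this context). The context name, config-url and all IP addresses are placeholders. Two checks a practitioner would want before chasing ACLs: on the FWSM, ICMP addressed to the module's own interface addresses is controlled by the icmp command, not by the access-group ACLs, and the appliance does not answer pings sent to an interface address that is reached through a different interface, so pinging the vlan 1217 interface IP from a host on vlan 1113 is not a valid connectivity test.

```cisco
! --- System execution space (constructed example, not the poster's config) ---
! VLANs 1113 and 1217 are assumed to be handed to the FWSM by the MSFC
! "firewall vlan-group" / "firewall module" configuration already.
context CUSTOMER1
  allocate-interface vlan1113
  allocate-interface vlan1217
  config-url disk:/CUSTOMER1.cfg

! --- Inside context CUSTOMER1 (all addresses are placeholders) ---
interface vlan1113
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
interface vlan1217
  nameif inside
  security-level 50
  ip address 198.51.100.1 255.255.255.0

! With nat-control every inside->outside flow needs a NAT rule;
! this is the identity "nat 0" from the question.
nat-control
access-list NONAT extended permit ip 198.51.100.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! Inbound ACL on the inside (security 50) interface.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! Inbound ACL on the outside interface: only ICMP, as in the question.
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside

! ICMP aimed at the module's own interface addresses is governed by the
! icmp command, not by the access-group ACLs above.
icmp permit 192.0.2.0 255.255.255.0 outside
icmp permit 198.51.100.0 255.255.255.0 inside

! Reply's point: when an interface VLAN is shared between contexts the
! classifier chooses the context by destination address, so the inside
! network must be published to it with a static. An identity static keeps
! the addresses unchanged while still creating the classifier entry.
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
```

To verify the classifier actually knows about the network, check it from the system space with "show np 3 static" or "show xlate" inside the context, and test reachability with a host behind vlan 1217 (or "ping inside <host>" from the context) rather than by pinging the far-side interface address from the MSFC.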