FWSM. Sharing interfaces between contexts.


I’m going to configure (on paper) an FWSM with two contexts sharing inside and outside interfaces.

I’m using one context only for admin purposes (access to the system space) and the other to pass traffic.

Admin and production contexts are sharing the inside and outside vlans (see attached diagram): from admin context, I need to reach some servers over vlan 940, like AAA.

I do not need to use NAT.

Now I’m reading the configuration guide about packet classification. So, because the classifier relies on active NAT sessions and, for management traffic destined for an interface, the interface IP address is used for classification, I believe I need to perform NAT with some static entries on the production context.

Is it wrong?



Kureli Sankar Thu, 12/10/2009 - 08:19

Yes, you need to add either global or static NAT so the classifier will properly classify the flow.

If you share the outside interface, you need to provide translation for all the inside networks.

If you share the inside interface (this is bad if it is an internet-facing context), you need to provide translation for all the outside hosts/networks.

Even though our config guide below shows exactly what you are trying to do, it is not a good idea to do this. Troubleshooting may become a big problem.
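
The configuration the reply describes, written out as an added example (not from the reply or from the Cisco configuration guide): a production context that shares the inside and outside VLANs with the admin context and uses an identity static so the classifier has a NAT entry for the inside network, while the admin context only gets the inside VLAN. VLAN 950 as the outside VLAN, the context names and the IP addresses are assumptions; VLAN 940 is the inside VLAN from the question.

```cisco
! ---- system execution space ----
! VLAN 940 carries the inside (AAA) network; VLAN 950 is the assumed outside VLAN
interface vlan 940
interface vlan 950
!
admin-context admin
context admin
  ! Only the inside VLAN is allocated: the admin context is used for management only
  allocate-interface vlan940
  config-url disk:/admin.cfg
!
context prod
  ! The production context shares the inside VLAN with admin and owns the outside VLAN
  allocate-interface vlan940
  allocate-interface vlan950
  config-url disk:/prod.cfg

! ---- production context (changeto context prod) ----
interface vlan940
  nameif inside
  security-level 100
  ! assumed inside address
  ip address 10.1.1.1 255.255.255.0
interface vlan950
  nameif outside
  security-level 0
  ! assumed outside address (documentation range)
  ip address 203.0.113.2 255.255.255.0
!
! Identity static: addresses are not changed, but the static gives the classifier
! a translation entry so traffic arriving on the shared VLAN for 10.1.1.0/24 is
! delivered to this context instead of being dropped as unclassifiable.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
```

Every inside network that must be reachable through the shared outside VLAN needs its own static (or a global/nat pair), as the reply states; a network without a translation is not classified to this context.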



Kureli Sankar Thu, 12/10/2009 - 11:37

You certainly can. Make sure to save your config. Even if you do not, it will be saved in the disk:

If the admin context is used only for mgmt, then you can allocate only one interface for this context. No need to allocate two. Just a thought.
