
ASA5520 inside shared interface

Dear All,

I have two ASA5520s configured in multiple context mode; the two contexts share both the inside and the outside interfaces.

I have configured mac-address auto in the system context to assign a unique MAC to each sub-interface.

When I try to send a packet from the inside interface I get the following error:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

If I try to send a packet from the outside toward a more secure interface all works well.

Both contexts have a static translation for the inside network:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

But the destination networks are different for each context:

Context A
src 192.168.0.1 dst 171.22.233.1/26

Context B
src 192.168.0.1 dst 171.22.233.69/27

The classifier criteria should first use the unique MACs, then the NAT translation performing a destination lookup, right?

Why is the traffic from the shared inside not classified?

Thanks & Regards,

Igor.

Accepted Solution

Re: ASA5520 inside shared interface

For the classifier to work properly when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address, for the classifier to examine packets entering from the inside network to decide which context should receive a packet.

post your config...

6 REPLIES

Re: ASA5520 inside shared interface

Drop-reason: (ifc-classify) Virtual firewall classification failed

The error means a packet arrived on a shared interface, but failed to classify to any specific context interface.

Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.

Go through this as it contains a configuration example for exactly what you are trying to do: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#diag


Re: ASA5520 inside shared interface

Hi Francisco,

Thank you for your reply.

In the example that you provided me, contexts 1 and 2 do not share the inside and outside interfaces.

My configuration shares the inside and the outside; the subinterfaces are the same for both contexts A and B:

System configuration:

context Internet
  description Internet module
  allocate-interface GigabitEthernet0/1.1 inside_shared
  allocate-interface GigabitEthernet0/2.1 dmz_Internet
  allocate-interface GigabitEthernet0/3.1 outside_shared
  allocate-interface GigabitEthernet0/3.2 int_ipsec
  config-url disk0:/Internet.cfg
  join-failover-group 1
!
context E-Commerce
  allocate-interface GigabitEthernet0/1.1 inside_shared
  allocate-interface GigabitEthernet0/1.3 application
  allocate-interface GigabitEthernet0/3.1 outside_shared
  config-url disk0:/E-Commerce.cfg
  join-failover-group 2


Re: ASA5520 inside shared interface

IGOR,

Were my comments helpful? Is the problem solved?

Thanks for the rating..

Francisco


Re: ASA5520 inside shared interface

Hi Francisco,

The outside NAT solves the problem, you are right!

All works fine now, thank you for your help.

Igor.

What was the config you actually added.
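The thread never shows the statics Igor added. As an added example (not Igor's config and not taken from Cisco's documentation), this is what per-context identity statics for the two destination networks from the question would look like in the pre-8.3 syntax the thread uses; it assumes the shared interfaces are named inside and outside within each context, and the network blocks are derived from the addresses 171.22.233.1/26 and 171.22.233.69/27 given above.

```cisco
! Context A (assumed nameifs: inside = inside_shared, outside = outside_shared).
! Identity static for the outside block 171.22.233.0/26: the mapped address is
! unchanged, so no translation happens, but the block now appears as a mapped
! address on this context's outside interface. Packets arriving on the shared
! inside interface with a destination in that block classify to context A.
static (outside,inside) 171.22.233.0 171.22.233.0 netmask 255.255.255.192

! Context B: the same for its own block 171.22.233.64/27.
! The two mapped blocks must not overlap across contexts, otherwise the
! classifier cannot pick a single context and traffic is misdirected or dropped.
static (outside,inside) 171.22.233.64 171.22.233.64 netmask 255.255.255.224

! Verification from inside context A with the tool that produced the drop above
! (constructed ports): the ifc-classify drop should no longer appear.
packet-tracer input inside tcp 192.168.0.1 1025 171.22.233.1 80
```

The existing static (inside,dmz) entries are what let traffic entering from the less secure side classify; the outside statics give the classifier the same information for the direction that was failing.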
