Solved: ASA5520 inside shared interface

ifabrizio · ‎06-04-2009

Dear All,

I have two asa5520 configured in multiple context mode, the two context share both the inside and the outside interfaces.

I have configured in the system context the mac-address auto to assign a unique mac to each sub-interface.

When I try to send a packet from the inside interface I got the following error:

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (ifc-classify) Virtual firewall classification failed

If I try to send a packet from the outside toward a more secure interface all works well.

Both context has an static traslation for the inside network:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

But the destination networks are different for each context:

Context A

src 192.168.0.1 dst 171.22.233.1/26

Context B

src 192.168.0.1 dst 171.22.233.69/27

The classifier Criteria should use first the unique macs, than the nat traslation performing a destination lookup, right?

Why the traffic from the shared inside is not classified?

Thanks&Regards,

Igor.

francisco_1 · ‎06-04-2009

for the classifier to work properly for when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address for the classifier to examine packets entering from the inside network o decide which context should receive a packet.

post your config...

View solution in original post

francisco_1 · ‎06-04-2009

Drop-reason: (ifc-classify) Virtual firewall classification failed

the error means a packet arrived on a shared interface, but failed to classify to any specific context interface.

Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.

Go through this as it contains configuration example for extactly what you are trying to do. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#diag

ifabrizio · ‎06-04-2009

Hi Francisco,

Thank you for you reply.

In the example that you provide me, the context 1 and 2 do not share the inside and outside interfaces.

My configuration share the inside and the outside, the subinterfaces are the same for both the context A and B:

System configuration:

context Internet

description Internet module

allocate-interface GigabitEthernet0/1.1 inside_shared

allocate-interface GigabitEthernet0/2.1 dmz_Internet

allocate-interface GigabitEthernet0/3.1 outside_shared

allocate-interface GigabitEthernet0/3.2 int_ipsec

config-url disk0:/Internet.cfg

join-failover-group 1

!

context E-Commerce

allocate-interface GigabitEthernet0/1.1 inside_shared

allocate-interface GigabitEthernet0/1.3 application

allocate-interface GigabitEthernet0/3.1 outside_shared

config-url disk0:/E-Commerce.cfg

join-failover-group 2

francisco_1 · ‎06-04-2009

for the classifier to work properly for when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address for the classifier to examine packets entering from the inside network o decide which context should receive a packet.

post your config...

francisco_1 · ‎06-04-2009

IGOR,

was my commments helpful? is the problem solved?

Thanks for the rating..

Francisco

ifabrizio · ‎06-04-2009

Hi Francisco,

The outside nat solve the problem you are right!

All works fine now, thank you for your help.

Igor.

rsinger · ‎09-30-2014

What was the config you actually added.

network@dskbank.bg · ‎06-12-2019

Thank you Francisco! You saved the day!

Best Regards,

DSK Bank Network Team