Assistance about shared interface between multiple contexts

junzhang
Level 1

Hi,

Excuse me. I have a deployed FWSM with 2 contexts. The inside is a shared interface and the outside interfaces are unique interfaces. On the shared interface I used identity static translation in the two contexts. Now the traffic cannot go through context B, although it can go through context A. I don't know why. Please help me.

BTW, the topology is as follows.

   |--------------|
   |  10.0.22.0   |--------------------
   |--------------|                   |
           |                          |
10.0.22.254|                          |10.0.22.250
     |-----------|              |------------|
     | Context A |              | Context B  |
     |-----------|              |------------|
           | 10.0.9.0        10.0.5.0 |
     |------------              --------------

My question is:

Is there any restriction in this environment?

Thanks in advance.

ZJ

3 Replies

Jon Marshall
Hall of Fame

Hi

It sounds like the classifier is having a problem in sending the traffic to the right context interface.

When you say you have static NAT set up, what do you mean? On a shared VLAN you must map NAT statements within each context, and clearly between contexts you can't have any overlap.

Could you send the configs of your 2 contexts with an explanation of where you are connecting from and where you are connecting to and we might be able to help you.

Jon

Hi, Jon,

Thank you for your help. The main config of the 2 contexts is as follows.

No.1:

interface Vlan106
 description Outside
 nameif outside
 security-level 0
 ip address 10.0.9.1 255.255.255.192 standby 10.0.9.2
!
interface Vlan222
 description Link-FW-ShiHou-CeShi_Server
 nameif FW-ShiHou-CeShi_Server
 security-level 70
 ip address 10.0.22.254 255.255.255.0 standby 10.0.22.253
!
access-list any extended permit ip any any
access-list any extended permit icmp any any
access-list any extended permit tcp any any
access-list any extended permit tcp any any gt 1
!
icmp permit 10.0.9.0 255.255.255.0 outside
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server
!
nat (FW-ShiHou-CeShi_Server) 0 10.0.22.0 255.255.255.0
static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group any in interface outside
access-group any out interface outside
access-group any in interface FW-ShiHou-CeShi_Server
access-group any out interface FW-ShiHou-CeShi_Server
!
route outside 0.0.0.0 0.0.0.0 10.0.9.5 1

No.2:

interface Vlan105
 description Network Manage Hosts
 nameif netmanage
 security-level 60
 ip address 10.0.5.254 255.255.255.0 standby 10.0.5.253
!
interface Vlan222
 description Link-FW-ShiHou-CeShi_Server
 nameif FW-ShiHou-CeShi_Server
 security-level 100
 ip address 10.0.22.250 255.255.255.0 standby 10.0.22.249
!
access-list Netman extended permit ip 10.0.5.0 255.255.255.0 any
access-list Netman extended permit icmp 10.0.5.0 255.255.255.0 any
access-list Netman extended permit ip any 10.0.5.0 255.255.255.0
access-list Netman extended permit icmp any 10.0.5.0 255.255.255.0
!
access-list CESHI extended permit ip 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit ip 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
!
static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group Netman in interface netmanage
access-group CESHI in interface FW-ShiHou-CeShi_Server
!
icmp permit 10.0.5.0 255.255.255.0 netmanage
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server

Now, in the first context, all the traffic is normal. In the second context the ICMP traffic from 10.0.5.0 to the netmanage interface and from 10.0.22.0 to the FW-ShiHou-CeShi_Server interface is normal. But traffic going through the context from outside to inside does not work. And when I ping from 10.0.5.0 to 10.0.22.0, the xlate table in the 2nd context has the right entries, but I cannot see any information although the context ICMP debug is on.

Thank you for your help!

ZJ

Hi

Apologies for the delay in replying, I've been off work for a couple of days.

If you use shared interfaces you have to setup static NAT translations whether the traffic is coming from a higher to a lower level security interface or vice-versa.

You don't have a NAT translation in context 2 for the 10.0.5.0 network. I think when the icmp echo reply is sent from vlan 222 to the vlan 105 the FWSM does not know how to classify the traffic.

You need a NAT statement for the 10.0.5.0 network.

try

static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0

Let me know how you get on

HTH

Jon
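To make Jon's point concrete, here is a small Python model of how a packet on the shared VLAN gets assigned to a context. It is an added example, not code from this thread or from Cisco; the classifier logic is a simplified assumption (a unique interface decides the context on its own, while a packet on a shared interface goes to whichever context has a static mapped address on that interface covering the destination). It parses the static lines posted above and shows that, without Jon's suggested static, an echo reply arriving on Vlan222 for a 10.0.5.0 host matches no context.

```python
import ipaddress
import re
from collections import defaultdict

# Static lines quoted from the two contexts above. Vlan222 carries the same
# nameif (FW-ShiHou-CeShi_Server) in both contexts, so that nameif is used as
# the key for the shared VLAN; Vlan106 (outside) and Vlan105 (netmanage) are
# unique to context A and context B respectively.
CONTEXTS = {
    "A": ["static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0"],
    "B": ["static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0"],
}
UNIQUE_IF = {"outside": "A", "netmanage": "B"}
# Jon's suggested fix for context B.
FIX_FOR_B = "static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0"

STATIC_RE = re.compile(
    r"static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)

def mapped_networks(config_lines):
    """Return {mapped_if: [network, ...]}: the mapped (global) address of a
    static lives on mapped_if, so a packet arriving on that interface for
    that address can be claimed by this context."""
    out = defaultdict(list)
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
            out[m["mapped_if"]].append(net)
    return out

def classify(contexts, ingress_if, dst_ip):
    """Simplified classifier model (an assumption, not FWSM code): a unique
    interface decides the context by itself; on a shared interface the packet
    goes to whichever context has a mapped address covering dst_ip.
    Returns the matching contexts: [] means unclassifiable (dropped),
    two or more means the overlap between contexts that is not allowed."""
    if ingress_if in UNIQUE_IF:
        return [UNIQUE_IF[ingress_if]]
    dst = ipaddress.ip_address(dst_ip)
    return sorted(name for name, cfg in contexts.items()
                  if any(dst in net for net in mapped_networks(cfg).get(ingress_if, [])))

def with_fix(contexts):
    """The same contexts with Jon's static added to context B."""
    return {"A": contexts["A"], "B": contexts["B"] + [FIX_FOR_B]}
```

Run classify(CONTEXTS, "FW-ShiHou-CeShi_Server", "10.0.5.10") before and after with_fix to see the reply from Vlan222 go from unclassified to context B.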
