03-07-2007 08:27 AM - edited 03-11-2019 02:43 AM
Hi,
Excuse me. I have a deployed FWSM with 2 contexts. The inside is a shared interface and the outside interfaces are unique interfaces. On the shared interface I used identity static translation in the two contexts. Now the traffic cannot go through context B although it can go through context A. I don't know why. Please help me.
BTW, the topology is as the following.
        |--------------|
        |  10.0.22.0   |-------------------------
        |--------------|                        |
               |                                |
    10.0.22.254|                     10.0.22.250|
        |-----------|                  |------------|
        | Context A |                  | Context B  |
        |-----------|                  |------------|
               |                                |
           10.0.9.0                         10.0.5.0
My question is:
Is there any restriction in this environment?
Thanking in advance.
ZJ
03-08-2007 12:13 AM
Hi
It sounds like the classifier is having a problem in sending the traffic to the right context interface.
When you say you have static NAT set up, what do you mean? On a shared VLAN you must map NAT statements within each context, and clearly between contexts you can't have any overlap.
Could you send the configs of your 2 contexts with an explanation of where you are connecting from and where you are connecting to and we might be able to help you.
Jon
03-08-2007 04:05 PM
Hi, Jon,
Thank you for your help. The main config of the 2 contexts is as follows.
No.1:
interface Vlan106
description Outside
nameif outside
security-level 0
ip address 10.0.9.1 255.255.255.192 standby 10.0.9.2
!
interface Vlan222
description Link-FW-ShiHou-CeShi_Server
nameif FW-ShiHou-CeShi_Server
security-level 70
ip address 10.0.22.254 255.255.255.0 standby 10.0.22.253
!
access-list any extended permit ip any any
access-list any extended permit icmp any any
access-list any extended permit tcp any any
access-list any extended permit tcp any any gt 1
!
icmp permit 10.0.9.0 255.255.255.0 outside
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server
!
nat (FW-ShiHou-CeShi_Server) 0 10.0.22.0 255.255.255.0
static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group any in interface outside
access-group any out interface outside
access-group any in interface FW-ShiHou-CeShi_Server
access-group any out interface FW-ShiHou-CeShi_Server
!
route outside 0.0.0.0 0.0.0.0 10.0.9.5 1
No.2:
interface Vlan105
description Network Manage Hosts
nameif netmanage
security-level 60
ip address 10.0.5.254 255.255.255.0 standby 10.0.5.253
!
interface Vlan222
description Link-FW-ShiHou-CeShi_Server
nameif FW-ShiHou-CeShi_Server
security-level 100
ip address 10.0.22.250 255.255.255.0 standby 10.0.22.249
!
access-list Netman extended permit ip 10.0.5.0 255.255.255.0 any
access-list Netman extended permit icmp 10.0.5.0 255.255.255.0 any
access-list Netman extended permit ip any 10.0.5.0 255.255.255.0
access-list Netman extended permit icmp any 10.0.5.0 255.255.255.0
!
access-list CESHI extended permit ip 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0
access-list CESHI extended permit ip 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list CESHI extended permit icmp 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0
!
static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0
!
access-group Netman in interface netmanage
access-group CESHI in interface FW-ShiHou-CeShi_Server
!
icmp permit 10.0.5.0 255.255.255.0 netmanage
icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server
Now, in the first context, all the traffic is normal. In the second context the ICMP traffic from 10.0.5.0 to the netmanage interface and from 10.0.22.0 to the FW-ShiHou-CeShi_Server interface is normal. But the traffic going through the context from outside to inside does not work. And when I ping from 10.0.5.0 to 10.0.22.0, the xlate table in the 2nd context has the right entries, but I cannot see any information although ICMP debug is enabled on the context.
Thank you for your help!
ZJ
03-12-2007 04:17 AM
Hi
Apologies for the delay in replying, I've been off work for a couple of days.
If you use shared interfaces you have to setup static NAT translations whether the traffic is coming from a higher to a lower level security interface or vice-versa.
You don't have a NAT translation in context 2 for the 10.0.5.0 network. I think when the ICMP echo reply is sent from VLAN 222 to VLAN 105 the FWSM does not know how to classify the traffic.
You need a NAT statement for 10.0.5.0.
Try
static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0
Let me know how you get on
HTH
Jon
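The following is an added example, not part of the thread and not Cisco's code: a small Python model of the classification rule Jon describes, in which a packet arriving on a shared VLAN is handed to the context whose static NAT makes the destination a mapped address on that shared interface. It replays the configs from the thread (VLAN 222 shared, VLAN 106 and 105 unique, the two existing statics, and Jon's proposed `static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 ...`), and shows why an echo reply from 10.0.22.x to 10.0.5.x never reaches context B before the fix, does reach it after, and what happens if both contexts claim the same network. The `Static`, `Context`, `parse_static`, `classify` and `thread_contexts` names are mine; the model only implements the static-NAT rule from the thread, not every criterion the real FWSM classifier uses.

```python
"""Toy model of FWSM shared-interface classification (added example, not the FWSM's own logic)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Static:
    """One 'static (real_if,mapped_if) mapped_net real_net netmask mask' line."""
    real_if: str
    mapped_if: str
    mapped_net: IPv4Network   # addresses this context claims on mapped_if
    real_net: IPv4Network


@dataclass
class Context:
    name: str
    vlans: dict               # interface nameif -> VLAN id
    statics: list = field(default_factory=list)


def parse_static(line):
    """Parse a PIX/FWSM-style 'static' line into a Static record."""
    parts = line.split()
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped, real, mask = parts[2], parts[3], parts[5]
    return Static(real_if, mapped_if,
                  IPv4Network(f"{mapped}/{mask}"), IPv4Network(f"{real}/{mask}"))


def classify(contexts, vlan, dst):
    """Return (context_name, reason) for a packet arriving on `vlan` addressed to `dst`,
    or (None, reason) when no context can be chosen."""
    dst = IPv4Address(dst)
    owners = [c for c in contexts if vlan in c.vlans.values()]
    if not owners:
        return None, "VLAN not assigned to any context"
    if len(owners) == 1:                      # unique interface: the VLAN itself decides
        return owners[0].name, "unique interface"
    # shared interface: a context must claim dst via a static whose mapped side is this VLAN
    matches = []
    for c in owners:
        if any(c.vlans.get(s.mapped_if) == vlan and dst in s.mapped_net for s in c.statics):
            matches.append(c.name)
    if len(matches) == 1:
        return matches[0], "static NAT match on shared interface"
    if not matches:
        return None, "no context claims this destination on the shared interface"
    return None, f"overlapping statics in {matches}"


def thread_contexts(with_fix=False):
    """Contexts A and B as posted in the thread; with_fix adds Jon's proposed static."""
    ctx_a = Context("A", {"outside": 106, "FW-ShiHou-CeShi_Server": 222})
    ctx_a.statics.append(parse_static(
        "static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0"))
    ctx_b = Context("B", {"netmanage": 105, "FW-ShiHou-CeShi_Server": 222})
    ctx_b.statics.append(parse_static(
        "static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0"))
    if with_fix:
        ctx_b.statics.append(parse_static(
            "static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0"))
    return [ctx_a, ctx_b]


if __name__ == "__main__":
    # Constructed sample flow: host 10.0.5.20 pings 10.0.22.10 through context B.
    before, after = thread_contexts(), thread_contexts(with_fix=True)
    print("echo request on VLAN 105:", classify(before, 105, "10.0.22.10"))
    print("echo reply on VLAN 222 (before fix):", classify(before, 222, "10.0.5.20"))
    print("echo reply on VLAN 222 (after fix): ", classify(after, 222, "10.0.5.20"))
    # Overlap: if context A also claimed 10.0.5.0 on the shared VLAN, neither wins.
    after[0].statics.append(parse_static(
        "static (outside,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0"))
    print("echo reply with overlapping statics:", classify(after, 222, "10.0.5.20"))
```

The "before fix" case is the symptom ZJ describes: the xlate is built when the request leaves on VLAN 105 (a unique interface, so it classifies without NAT), but the reply arriving on the shared VLAN 222 is dropped at the classifier and never reaches context B, which is why the context's ICMP debug shows nothing. Jon's static claims 10.0.5.0/24 on the shared side and the reply is delivered; the final case models his warning that mapped ranges on a shared interface must not overlap between contexts.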