New Member

FWSM. Sharing interfaces between contexts.

I’m going to configure (on paper) an FWSM with two contexts sharing inside and outside interfaces.

I’m using one context only for admin purpose (access to the system space) and other to pass traffic.

Admin and production contexts are sharing the inside and outside vlans (see attached diagram): from admin context, I need to reach some servers over vlan 940, like AAA.

I do not need to use NAT.

Now I’m reading the configuration guide about packet classification. So, because the classifier relies on active NAT sessions and, for management traffic destined for an interface, uses the interface IP address for classification, I believe I need to perform NAT with some static entries on the production context.

Is it wrong?

Regards.

Andrea

4 REPLIES
Cisco Employee

Re: FWSM. Sharing interfaces between contexts.

Yes, you need to add either global or static NAT so the classifier will properly classify the flow.

If you share the outside interface, you need to provide translation for all the inside networks.

If you share the inside interface (this is bad if it is an internet-facing context) you need to provide translation for all the outside hosts/networks.

Even though our config guide below shows exactly what you are trying to do, it is not a good idea to do this. Troubleshooting may become a big problem.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236

-KS
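An added worked example of the static entries KS describes, written for this page and not taken from the thread or from the linked configuration guide. It assumes FWSM 3.1 syntax, takes VLAN 940 as the inside VLAN from the question, and uses constructed values for everything else: VLAN 10 as the shared outside VLAN, 198.51.100.0/24 outside, 10.94.0.0/24 inside, 203.0.113.0/24 as one outside network the inside users reach, and 10.94.0.50 as the AAA server.

```cisco
! ---- system execution space (FWSM 3.1 syntax assumed) ----
mode multiple
! VLAN 940 is the inside VLAN from the question; VLAN 10 is a constructed outside VLAN
interface vlan 10
interface vlan 940
admin-context admin
context admin
  description management only: reaches AAA on inside and a few outside hosts
  allocate-interface vlan10
  allocate-interface vlan940
  config-url disk:/admin.cfg
context prod
  description carries user traffic; owns the NAT entries the classifier keys on
  allocate-interface vlan10
  allocate-interface vlan940
  config-url disk:/prod.cfg

! ---- context prod (disk:/prod.cfg) ----
interface vlan10
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0
interface vlan940
  nameif inside
  security-level 100
  ip address 10.94.0.1 255.255.255.0
! Shared outside: an identity static for every inside network, so a packet
! arriving on the shared outside VLAN for 10.94.0.x is classified to prod.
static (inside,outside) 10.94.0.0 10.94.0.0 netmask 255.255.255.0
! Shared inside: an identity static for every outside host/network the inside
! users reach, so a packet arriving on VLAN 940 for 203.0.113.x is classified
! to prod (203.0.113.0/24 is a constructed example; repeat per network).
static (outside,inside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0
access-list inside_in extended permit ip 10.94.0.0 255.255.255.0 any
access-group inside_in in interface inside

! ---- context admin (disk:/admin.cfg) ----
interface vlan10
  nameif outside
  security-level 0
  ip address 198.51.100.3 255.255.255.0
interface vlan940
  nameif inside
  security-level 100
  ip address 10.94.0.2 255.255.255.0
! No static here on purpose: the only flows this context needs are ones it
! originates itself (AAA lookups, management sessions). Their return packets
! are addressed to 10.94.0.2 or 198.51.100.3, interface addresses, which the
! classifier matches directly, so no inside user traffic is ever sent to admin.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.94.0.50 REPLACE_WITH_SHARED_KEY
ssh 10.94.0.0 255.255.255.0 inside
! Belt and braces: deny any transit traffic should it ever be classified here.
access-list no_transit extended deny ip any any
access-group no_transit in interface inside
access-group no_transit in interface outside
```

The key points are that each context keeps its own IP address on the shared VLANs, and that only the production context carries the identity statics, so the destination-based classifier has exactly one candidate context for inside and outside traffic. Every network added behind either shared interface needs a matching static in prod, which is the troubleshooting burden KS warns about; if the admin context later needs only management access, the simpler alternative is to allocate it a single VLAN and drop the shared-interface setup entirely.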

New Member

Re: FWSM. Sharing interfaces between contexts.

Many thanks for your help.
I understand that my problem is sharing the inside interface although I'm using admin context only for system space management.
So I can evaluate two solutions: go back to single mode or promote the production context to admin context.
Regards.
Andrea

Cisco Employee

Re: FWSM. Sharing interfaces between contexts.

You certainly can. Make sure to save your config. Even if you do not it will be saved in the disk:

If the admin context is used only for mgmt, then you can allocate only one interface for this context. No need to allocate two. Just a thought.

-KS

New Member

Re: FWSM. Sharing interfaces between contexts.

Good. But I need to reach some servers on outside from admin.

Perhaps I can use LOCAL authentication, but I'm always sharing inside.

Regards.

Andrea
