Cisco Support Community

New Member

multicontext mode shared interfaces

I am running multi-context mode on my firewalls and have a shared outside interface. I am having a few problems trying to allow a single user access to the external network through the firewall. Attached is the diagram of how things are connected; this is just for the context that I am having issues with.

From port g0/2 I have allowed proxy to any, and it works fine.

I am trying to allow a specific network from port g0/0.10 to any and having no joy; I receive an ifc-classify fail error every time I trace the packet.

I have a global NAT for the g0/0.10 interface, NATted to a range on g0/1.66.

I have enabled traffic to flow across same-security-level interfaces.

I will appreciate any assistance.



Cisco Employee

Re: multicontext mode shared interfaces

Hello Amar,

I hope you are doing great. Is it only one host having the issue, or is it an entire network? Can you paste the packet tracer output, and the configuration for the system and the context that is having the problem?



New Member

Re: multicontext mode shared interfaces

It actually is the entire network. The entire network is unable to go through the g0/0.10 interface; all traffic is going through the Proxy interface.

Below is the config of the context. Please note I have removed the global NAT for the test that I was doing.

ASA Version 8.2(1)
hostname Passthrough
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name Soul-DNS1
name Soul-DNS1_NAT
name Soul-DNS2
name Soul-DNS2_NAT
name TG-Internal description TG Internal Domain
name TG-Internal_PAT
name VSVWIN2008E017 description DC TG.local
name VSVWIN2008E017_NAT description DC TG.local NAT
name VSVWIN2008E018 description DC TG.local
name VSVWIN2008E018_NAT description DC TG.corp NAT
name VSVWIN2008E019 description DC corp TG.local
name VSVWIN2008E019_NAT description DC corp.TG.local NAT
name VSVWIN2008E020 description DC corp.TG.local
name VSVWIN2008E020_NAT description DC corp.TG.local NAT
name VSVWIN2008E021 description DC corp.TG.local
name VSVWIN2008E021_NAT description DC corp.TG.local NAT
name SRVDWX336X001_NAT description WEB Proxy 1 NAT
name SRVDWX336X002_NAT description WEB Proxy 2 NAT
name Telstra
name Telstra_NAT
name SRVDWX336X001 description WEB Proxy 1
name SRVDWX336X002 description WEB Proxy 2
name VSVWIN2003E069
name VSVWIN2003E069_NAT
name test1
name test1_NAT
name test2
interface GigabitEthernet0/0.10
nameif Internal-Passthrough
security-level 100
ip address
interface GigabitEthernet0/1.66
nameif DMZ-Passthrough
security-level 0
ip address

interface GigabitEthernet0/2
description Special interface for Proxy domain
nameif Internal-Proxy-Passthrough
security-level 100
ip address
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DCs
description TG DC for DNS access
network-object host VSVWIN2008E017
network-object host VSVWIN2008E019
network-object host VSVWIN2008E020
network-object host VSVWIN2008E018
network-object host VSVWIN2008E021
object-group network Soul-DNS-servers
description (NAT)
network-object host Soul-DNS1_NAT
network-object host Soul-DNS2_NAT
object-group network WEB-Proxies
network-object host SRVDWX336X001
network-object host SRVDWX336X002
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
object-group network DM_INLINE_NETWORK_1
network-object host SRVDWX336X001_NAT
network-object host SRVDWX336X002_NAT
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ftp
service-object tcp eq www
access-list Internal-Passthrough_access_in extended permit object-group TCPUDP object-group DCs object-group Soul-DNS-servers eq domain
access-list Internal-Passthrough_access_in extended permit tcp host VSVWIN2003E069 host KATTRON_NAT eq 3001
access-list Internal-Passthrough_access_in extended permit object-group DM_INLINE_SERVICE_1 host test1 host bentley_NAT log inactive
access-list DMZ-Passthrough_access_in extended permit icmp any object-group DM_I
access-list Internal-Proxy-Passthrough_access_in extended permit tcp object-group WEB-Proxies any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging device-id string SYW-Passthrough
logging host Internal-Passthrough
mtu Internal-Passthrough 1500
mtu DMZ-Passthrough 1500
mtu Internal-Proxy-Passthrough 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internal-Passthrough
no asdm history enable
arp timeout 14400
static (DMZ-Passthrough,Internal-Passthrough) Soul-DNS1_NAT Soul-DNS1 netmask 25
static (DMZ-Passthrough,Internal-Passthrough) Soul-DNS2_NAT Soul-DNS2 netmask 25
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E017_NAT VSVWIN2008E017
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E018_NAT VSVWIN2008E018
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E019_NAT VSVWIN2008E019
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E020_NAT VSVWIN2008E020
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E021_NAT VSVWIN2008E021
static (DMZ-Passthrough,Internal-Passthrough) Telstra_NAT Telstra netmask 255.25
static (Internal-Proxy-Passthrough,DMZ-Passthrough) SRVDWX336X001_NAT SRVDWX336X001 netmask
static (Internal-Proxy-Passthrough,DMZ-Passthrough) SRVDWX336X002_NAT SRVDWX336X002 netmask
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2003E069_NAT VSVWIN2003E069
static (DMZ-Passthrough,Internal-Passthrough) KATTRON_NAT KATTRON netmask 255.25
access-group Internal-Passthrough_access_in in interface Internal-Passthrough
access-group DMZ-Passthrough_access_in in interface DMZ-Passthrough
access-group Internal-Proxy-Passthrough_access_in in interface Internal-Proxy-Pa
route DMZ-Passthrough 1
route Internal-Passthrough TG-Internal 1
route Internal-Proxy-Passthrough SRVDWX336X001 SRVDWX336X001 1
route DMZ-Passthrough SRVDWX336X002 SRVDWX336X002 1
route Internal-Proxy-Passthrough 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
service-policy global_policy global
: end


Interface allocation for this particular context

Passthrough      default    GigabitEthernet0/0.10, disk0:/passthrough.cfg

Packet tracer result when the actual configuration is applied:

input-interface: Internal-Passthrough
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

Cisco Employee

Re: multicontext mode shared interfaces

Hello Amar,

Thank you so much for the reply. This is interesting; I was doing some research regarding this issue. Are you able to pass real traffic, or have you just used packet tracer to test? Do you have mac-address auto configured? This smells like the following bug:

But this is cosmetic and does not affect the real traffic.

Would you please confirm?

Thank you !


New Member

Re: multicontext mode shared interfaces

No, I have not configured mac-address auto for any contexts; all of my internal traffic is forwarded through the Proxy interface (g0/2).

According to my understanding, it seems the internal traffic is classified out of the g0/2 interface, as when there is an outside shared interface the classifier uses the destination IP, and the g0/2 interface has an ACE to allow web proxies to any.

For the internal interface g0/0.10 I tried and created an ACE to allow one user FTP access to a particular site, and had a static NAT entry for that; it worked fine. But when I allow network/user to any for the g0/0.10 interface, ifc-classify fails; the firewall is unable to classify the internal network for g0/0.10.

It doesn't solve my issue. My question now is: why can't I have an ACE on g0/0.10 and on g0/2 to allow any destination?


access-list xxxx permit ip 10.137.x.x any


access-list xxxx permit ip web-proxies any

When I have the above config and packet-trace the internal network (10.137) from the g0/0.10 interface, ifc-classify fails, while when I packet-trace 10.137 from g0/2 the firewall classifies that packet. This confuses me, as I have a dynamic NAT entry for the 10.137 network on the g0/0.10 interface.
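To make the classification step concrete (the step that fails with the ifc-classify drop reason in the packet-tracer output above), here is an added Python model of the order in which an ASA in multiple-context mode assigns an incoming packet to a context, as documented for the 8.2 classifier: an interface allocated to only one context decides by itself; on a shared interface the destination MAC decides when mac-address auto has given each context its own MAC; otherwise the destination IP must be a mapped address (from static or global commands) in exactly one context. This is not code from the thread or from Cisco, and it goes beyond the poster's case by covering both the MAC path and the NAT path. The two contexts, their interface sets, the MACs and the TEST-NET addresses are constructed for illustration; ACLs are deliberately left out because the classifier runs before any ACL is consulted.

```python
"""Toy model of the ASA multiple-context packet classifier (8.2-era order):
1. ingress interface allocated to exactly one context  -> that context
2. else destination MAC unique to one context (mac-address auto) -> that context
3. else destination IP is a mapped (static/global) address in exactly one context
4. else drop with the ifc-classify reason seen in packet-tracer.
Added example, not Cisco code; contexts and addresses below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CLASSIFY_FAIL = "(ifc-classify) Virtual firewall classification failed"


@dataclass
class Context:
    name: str
    interfaces: set = field(default_factory=set)   # interfaces allocated to this context
    macs: dict = field(default_factory=dict)       # interface -> MAC, only with mac-address auto
    mapped: list = field(default_factory=list)     # mapped networks from static/global commands


def classify(contexts, ingress, dst_mac, dst_ip):
    """Return (context_name, reason); context_name is None when classification fails."""
    # Step 1: an interface owned by exactly one context decides regardless of destination.
    owners = [c for c in contexts if ingress in c.interfaces]
    if len(owners) == 1:
        return owners[0].name, "unique interface"
    if not owners:
        return None, CLASSIFY_FAIL
    # Step 2: on a shared interface, a destination MAC belonging to one context decides.
    by_mac = [c for c in owners if c.macs.get(ingress, "").lower() == dst_mac.lower()]
    if len(by_mac) == 1:
        return by_mac[0].name, "unique mac-address"
    # Step 3: otherwise the destination IP must be a mapped NAT address in exactly one context.
    ip = ip_address(dst_ip)
    by_nat = [c for c in owners if any(ip in net for net in c.mapped)]
    if len(by_nat) == 1:
        return by_nat[0].name, "nat mapped address"
    # Unmatched or ambiguous: the ifc-classify drop. A "permit ... any" ACE cannot help here,
    # because the classifier has no mapped address for an arbitrary destination.
    return None, CLASSIFY_FAIL


# Constructed sample: two contexts share g0/0.10 and g0/1.66; only Passthrough owns g0/2.
PASSTHROUGH = Context(
    "Passthrough",
    interfaces={"GigabitEthernet0/0.10", "GigabitEthernet0/1.66", "GigabitEthernet0/2"},
    mapped=[ip_network("192.0.2.0/24")],
)
CORP = Context(
    "Corp",
    interfaces={"GigabitEthernet0/0.10", "GigabitEthernet0/1.66"},
    mapped=[ip_network("198.51.100.0/24")],
)
CONTEXTS = [PASSTHROUGH, CORP]

# Same layout with mac-address auto: each context has its own (constructed) MAC on the shared interface.
CONTEXTS_WITH_MAC = [
    Context("Passthrough", interfaces=PASSTHROUGH.interfaces, mapped=PASSTHROUGH.mapped,
            macs={"GigabitEthernet0/0.10": "a2ff.0000.0001"}),
    Context("Corp", interfaces=CORP.interfaces, mapped=CORP.mapped,
            macs={"GigabitEthernet0/0.10": "a2ff.0000.0002"}),
]

if __name__ == "__main__":
    probes = [
        ("GigabitEthernet0/2", "0000.0000.0000", "203.0.113.5"),     # unique interface, any dst
        ("GigabitEthernet0/1.66", "0000.0000.0000", "192.0.2.10"),   # shared, dst is a mapped address
        ("GigabitEthernet0/0.10", "0000.0000.0000", "203.0.113.5"),  # shared, Internet dst, no NAT match
    ]
    for ingress, mac, ip in probes:
        print(f"{ingress} -> {ip}: {classify(CONTEXTS, ingress, mac, ip)}")
    print("with mac-address auto:",
          classify(CONTEXTS_WITH_MAC, "GigabitEthernet0/0.10", "a2ff.0000.0001", "203.0.113.5"))
```

Running it reproduces the pattern in the thread: a packet entering an interface that only one context owns classifies whatever its destination, while a packet entering a shared interface bound for an arbitrary Internet host has no mapped address to match and is dropped before any ACL is evaluated. In the model, only a per-context MAC on the shared interface or a static mapping for that specific destination resolves it.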