"We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.
If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006: ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal to or close to the limit. The clear xlate command will temporarily recover connectivity.
To avoid this situation, we recommend that the outside interface should always have security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for Internet hosts being scanned."
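The two symptoms the quoted text names (a burst of %FWSM-3-305006 messages from one internal host, and the Xlates row of show resource usage sitting at its limit) can be watched for from syslog and CLI output. The Python below is an added example, not Cisco's code: the sample log lines, the IP addresses and the column layout of the show output are constructed assumptions, and the threshold is arbitrary.

```python
import re
from collections import Counter

# Assumed syslog line shape: "<Mon DD HH:MM:SS> <host> %FWSM-3-305006: <type> translation
# creation failed for protocol <n> src <if>:<ip>/<port> dst <if>:<ip>/<port>" (constructed).
SYSLOG_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d{2}:\d{2}):\d{2} \S+ %FWSM-3-305006: .*translation creation "
    r"failed for protocol \d+ src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/\d+"
)

# Assumed layout of the Xlates row of "show resource usage": Current Peak Limit ... (constructed).
XLATE_ROW_RE = re.compile(r"^Xlates\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+(?P<limit>\d+)")


def failed_xlates_per_minute(lines):
    """Count 305006 messages per (minute, source IP); a steady stream from one host
    is the scanning pattern the quoted text describes."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            counts[(m["minute"], m["src_ip"])] += 1
    return counts


def hosts_over_threshold(lines, per_minute=3):
    """Return the internal hosts that caused at least per_minute failures within one minute."""
    return sorted({ip for (_, ip), n in failed_xlates_per_minute(lines).items() if n >= per_minute})


def xlate_utilization(show_output):
    """Return current/limit for the Xlates row, or None if the row is absent."""
    for line in show_output.splitlines():
        m = XLATE_ROW_RE.match(line.strip())
        if m:
            return int(m["current"]) / int(m["limit"])
    return None


# Constructed sample input: four failures from 10.1.1.50 in one minute, one from 10.1.1.7.
SAMPLE_LOG = [
    f"Jan 10 12:01:{s:02d} fwsm %FWSM-3-305006: regular translation creation failed for protocol 6 "
    f"src inside:10.1.1.50/{40000 + s} dst outside:203.0.113.{s}/80"
    for s in (5, 9, 14, 22)
] + ["Jan 10 12:01:30 fwsm %FWSM-3-305006: regular translation creation failed for protocol 6 "
     "src inside:10.1.1.7/51000 dst outside:198.51.100.9/443"]
SAMPLE_SHOW = "Resource  Current  Peak    Limit   Denied  Context\nXlates    98000    100000  100000  1530    admin\n"
```

Running hosts_over_threshold(SAMPLE_LOG) yields ['10.1.1.50'] and xlate_utilization(SAMPLE_SHOW) yields 0.98, which together point at the one scanning host and an xlate table about to be exhausted.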
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: