FWSM 3.1 and virtual contexts connected "back-to-back"
I have been running into a problem with the virtual contexts and the way that the FWSM detects which context a packet is destined for.
I have a situation where I'm in control of an "outer" firewall with common rules for an organization. I would like to deploy some other internal firewalls as virtual contexts, but to tie them all in with the "outer" firewall they need to be on the same shared internal VLAN.
All the contexts are supposed to run NAT on the "inside" because of overlapping networks.
But for some reason it does not work. I'm getting the log info "FWSM-6-106025: failed to determine security context or packet..." whenever I try to get traffic from behind one of the internal virtual firewalls to exit my outer firewall.
It seems to be an issue with the way that the FWSM handles the classification in relation to where a packet is destined (which virtual context, since I have a couple on the same VLAN).
Does anyone have any hints as to how this can be solved? Or is anyone else running virtual contexts in a type of "virtual firewall behind a virtual firewall" setup?
Re: FWSM 3.1 and virtual contexts connected "back-to-back"
If you configure dynamic NAT or PAT (nat and global commands) for any hosts on a local interface when they access hosts on a given same-security interface, then for any traffic between those two interfaces, the NAT requirements change for the local interface. Namely, the local interface takes on the NAT requirements of an inside interface:
1) No traffic can originate on the local interface without being translated (or being configured to bypass NAT).
2) No traffic from the specified same-security interface can access hosts behind the local interface unless you configure a static NAT statement.
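The two requirements in the reply above, shown as an added configuration example that is not from the original thread (ASA/FWSM 3.x-style syntax; the interface names, VLAN numbers, NAT IDs and addresses are assumed for illustration only):

```text
! Two interfaces at the same security level. Traffic between equal-security
! interfaces must be allowed explicitly before any of the NAT rules below apply.
interface Vlan10
 nameif inside
 security-level 50
interface Vlan20
 nameif dmz
 security-level 50
same-security-traffic permit inter-interface

! Dynamic PAT from inside to dmz. This is the rule that makes "inside" take on
! the NAT requirements of an inside interface for all inside<->dmz traffic.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface

! Requirement 1: any other inside host reaching dmz must also be translated,
! or explicitly exempted from NAT (NAT exemption with nat 0 access-list).
access-list NONAT extended permit ip host 10.1.1.50 192.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Requirement 2: dmz hosts can only reach an inside host through a static
! translation, plus an access rule permitting the translated address.
static (inside,dmz) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list DMZ_IN extended permit tcp 192.0.2.0 255.255.255.0 host 192.0.2.10 eq 443
access-group DMZ_IN in interface dmz
```

The point of the example is the asymmetry the reply describes: once the nat/global pair exists for inside-to-dmz, an inside host with no matching nat or nat 0 entry cannot start a session towards dmz at all, and dmz-initiated sessions towards inside only work for hosts that have a static entry, even though both interfaces share the same security level.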