Cisco Support Community

FWSM 3.1 and virtual contexts connected "back-to-back"

Hi all,

I have been running into a problem with the virtual contexts and the way that the FWSM detects which context a packet is destined for.

I have a situation where I'm in control of an "outer" firewall with common rules for an organization. I would like to deploy some other internal firewalls as virtual contexts, but to tie them all in with the "outer" firewall they need to be on the same shared internal VLAN.

All the contexts are supposed to run NAT on the "inside" because of overlapping networks.

But for some reason it does not work. I'm getting the log info "FWSM-6-106025: failed to determine security context or packet........" whenever I try to get traffic from behind one of the internal virtual firewalls to exit my outer firewall.

It seems to be an issue with the way that the FWSM handles the classification in relation to where a packet is destined (which virtual context, since I have a couple on the same VLAN).

Does anyone have any hints as to how this can be solved? Or is anyone else running virtual contexts in a type of "virtual firewall behind a virtual firewall" setup?

Any hints will be much appreciated,



Re: FWSM 3.1 and virtual contexts connected "back-to-back"

If you configure dynamic NAT or PAT (nat and global commands) for any hosts on a local interface when they access hosts on a given same-security interface, then for any traffic between those two interfaces, the NAT requirements change for the local interface. Namely, the local interface takes on the NAT requirements of an inside interface:

1) No traffic can originate on the local interface without being translated (or being configured to bypass NAT).

2) No traffic from the specified same-security interface can access hosts behind the local interface unless you configure a static NAT statement.
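As an added illustration of the two requirements described in the reply (example configuration, not taken from the thread), assuming two same-security interfaces named "inside" and "dmz" and constructed addresses in classic nat/global/static syntax:

```cisco
! Added example, not from the thread. Assumes interfaces "inside" and "dmz"
! at the same security level, and constructed 10.1.1.0/24 and 192.168.50.0/24 networks.
same-security-traffic permit inter-interface
!
! Dynamic PAT for inside hosts reaching the dmz. Once this exists, "inside"
! behaves as an inside interface toward "dmz": requirement 1) applies, so
! untranslated traffic from "inside" to "dmz" is dropped.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface
!
! Hosts that must reach the dmz without translation need an explicit NAT bypass.
access-list NONAT extended permit ip host 10.1.1.20 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Requirement 2): a dmz host can initiate to an inside host only through a
! static translation exposing that host on the dmz side.
static (inside,dmz) 192.168.50.10 10.1.1.10 netmask 255.255.255.255
```

Without the static, connections initiated from the dmz toward 10.1.1.10 are denied by the NAT check even if an access list permits them.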
