How to create multiple contexts in FWSM

sbgcsdtsg
Level 1

I have an FWSM on 6509 and want to create two contexts sharing interfaces. I am able to do this for "Outside" interface for which inside to outside static NAT exists. But if I create second context for "Management" interface, connectivity from server in management interface to other interfaces in first context is lost.

I have tried Global and Static NAT also for inside to Management in second context, but it is not working.

Does anybody have any idea, what may be the cause of this problem?

Thanks

2 Replies

ethiel
Level 3

The link at the bottom of my post might be useful. It explains the logic used by the FWSM when multiple contexts share the same interface. Basically, the fwsm looks at the destination and checks for a NAT. If there isn't one, it doesn't know what to do with the packet.

In your case, if your management network has to get to the Internet, you would have a problem. Say server 1.1.1.1 sent a packet to context 1 destined for 2.2.2.2 on the internet. The FWSM would receive it and look for a translation for 2.2.2.2 to decide which context it belongs to. Unless you want to static NAT all IPs on the Internet, you will have a challenge.

Now if you don't care about Internet access from the management segment, you can set up statics for the management interface on each context. So for example, say management is 1.1.1.0/24, inside of context 1 is 10.10.10.0/24, and inside on context 2 is 10.20.20.0/24. You could just set up:

!context 1
static (inside,management) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

!context 2
static (inside,management) 10.20.20.0 10.20.20.0 netmask 255.255.255.0

This way any traffic from the management interface destined to 10.10.10.x would accurately go to context 1, and 10.20.20.x would be sent to context 2.

Hopefully this makes sense.

-Eric

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c35.html#wp1124172

Thanks Eric for the reply. I am still facing the problem as described below.

I have created two contexts, ContextA and ContextB. Each has VLAN 100 for Outside with IPs 100.100.100.1 and 100.100.100.2 respectively. Now I create an interface named Management with VLAN 200 in ContextA with IP 200.200.200.1 and a static statement as below:

static (management,outside) 100.100.100.10 200.200.200.10 netmask 255.255.255.0

where 100.100.100.10 is a server in Management VLAN

It works fine, meaning I am able to access its resources from Outside. But as soon as I create the Management interface in ContextB with IP 200.200.200.2, Outside stops communicating with both the contexts.

I tried creating a STATIC NAT as below:

static (management,outside) 100.100.100.11 200.200.200.10 netmask 255.255.255.0

But that does not help either.

This way I am not able to share the management interface between two contexts.

I need help from somebody.

Thanks

Eesh
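The classification rule Eric describes (the FWSM looks at the packet's destination, finds the context that holds a translation for it on the shared interface, and drops the packet if none exists) is what explains both his 10.10.10.0/10.20.20.0 example and the follow-up problem where sharing the Management interface breaks Outside connectivity. The Python below is a toy model of that rule written for this thread; it is not FWSM code and not from either poster. It parses the `static` lines quoted above, ignores connection state and every other classifier input, and the traffic cases (the 2.2.2.2 and 3.3.3.3 destinations are constructed stand-ins for Internet hosts) exist only to show which statics a shared interface needs.

```python
"""Toy model of how an FWSM picks a context for a packet that arrives on an
interface shared by several contexts, following the rule described in the
reply above: look at the destination, find the context holding a
translation for it, otherwise drop. Added illustration for this thread,
not FWSM code; it ignores connection state and every other classifier
input, and only helps reason about which statics a shared interface needs.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network  # addresses as seen on mapped_ifc
    real_net: ipaddress.IPv4Network    # addresses as seen on real_ifc


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) mapped_ip real_ip netmask MASK'."""
    tok = line.split()
    if len(tok) != 6 or tok[0] != "static" or tok[4] != "netmask":
        raise ValueError(f"unsupported static syntax: {line!r}")
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    mapped_net = ipaddress.IPv4Network(f"{tok[2]}/{tok[5]}", strict=False)
    real_net = ipaddress.IPv4Network(f"{tok[3]}/{tok[5]}", strict=False)
    return Static(real_ifc, mapped_ifc, mapped_net, real_net)


@dataclass
class Context:
    name: str
    statics: list = field(default_factory=list)

    def configure(self, config: str) -> "Context":
        """Load the static lines of a context; other lines are ignored."""
        for raw in config.strip().splitlines():
            line = raw.strip()
            if line.startswith("static "):
                self.statics.append(parse_static(line))
        return self


def classify(contexts, shared_ifc: str, dst_ip: str):
    """Return (context name or None, reason) for a packet entering shared_ifc."""
    dst = ipaddress.IPv4Address(dst_ip)
    # A context "owns" the destination when one of its statics is mapped on
    # the shared interface and covers the destination address.
    matches = [c.name for c in contexts
               if any(s.mapped_ifc == shared_ifc and dst in s.mapped_net
                      for s in c.statics)]
    if len(matches) == 1:
        return matches[0], "translation for destination found"
    if not matches:
        return None, "no translation for destination: packet dropped"
    return None, "ambiguous: overlapping statics in " + ", ".join(matches)


# Constructed sample configs using the addresses from Eric's reply.
ERIC = [
    Context("context1").configure(
        "static (inside,management) 10.10.10.0 10.10.10.0 netmask 255.255.255.0"),
    Context("context2").configure(
        "static (inside,management) 10.20.20.0 10.20.20.0 netmask 255.255.255.0"),
]

# Constructed sample config for the follow-up post: ContextA and ContextB
# share outside and management, and only ContextA has a static to outside.
EESH = [
    Context("ContextA").configure(
        "static (management,outside) 100.100.100.10 200.200.200.10 netmask 255.255.255.0"),
    Context("ContextB"),
]


def demo():
    """Run the thread's scenarios through the model; returns the decisions."""
    cases = [
        (ERIC, "management", "10.10.10.5"),   # management host -> context1
        (ERIC, "management", "10.20.20.7"),   # management host -> context2
        (ERIC, "management", "2.2.2.2"),      # Internet host: no static, dropped
        (EESH, "outside", "100.100.100.10"),  # from outside -> ContextA
        (EESH, "management", "3.3.3.3"),      # reply toward outside: dropped
    ]
    return [(ifc, dst, classify(ctxs, ifc, dst)) for ctxs, ifc, dst in cases]


if __name__ == "__main__":
    for ifc, dst, (ctx, why) in demo():
        print(f"{ifc:>10} -> {dst:<16} {ctx or '-':<9} {why}")
```

The last case is the follow-up poster's situation: once management is shared, a packet from the management server toward an outside address enters a shared interface, no context has a static mapped on management that covers that destination, and the model drops it, which matches "Outside stops communicating with both the contexts". The model treats two contexts whose statics overlap on the shared interface as ambiguous; how the real classifier breaks such ties is not covered by this thread.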
