https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613761#M1023868 <P>Hi,</P><P>Execuse me. I have a deployed FWSM with 2 contexts. The inside is a shared interface and the outside interfaces are unique interfaces. On the shared interface I used identity static translation in the two contexts. Now the traffic cannot go through the context B although can go through the context A. I don't know why. Please help me.</P><P>BTW, the topology is as the following.</P><P>|--------------|</P><P>| 10.0.22.0 |-----------------</P><P>|--------------| |</P><P> | |</P><P>10.0.22.254| |10.0.22.250</P><P>|-----------| |------------|</P><P>|Context A | | Context B |</P><P>|-----------| |------------|</P><P>| 10.0.9.0 10.0.5.0 |</P><P>|------------ --------------</P><P></P><P>My question is:</P><P>Is there any restrict in this environment?</P><P></P><P>Thanking in advance.</P><P></P><P>ZJ</P> Mon, 11 Mar 2019 09:43:11 GMT junzhang 2019-03-11T09:43:11Z https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613761#M1023868 <P>Hi,</P><P>Execuse me. I have a deployed FWSM with 2 contexts. The inside is a shared interface and the outside interfaces are unique interfaces. On the shared interface I used identity static translation in the two contexts. Now the traffic cannot go through the context B although can go through the context A. I don't know why. Please help me.</P><P>BTW, the topology is as the following.</P><P>|--------------|</P><P>| 10.0.22.0 |-----------------</P><P>|--------------| |</P><P> | |</P><P>10.0.22.254| |10.0.22.250</P><P>|-----------| |------------|</P><P>|Context A | | Context B |</P><P>|-----------| |------------|</P><P>| 10.0.9.0 10.0.5.0 |</P><P>|------------ --------------</P><P></P><P>My question is:</P><P>Is there any restrict in this environment?</P><P></P><P>Thanking in advance.</P><P></P><P>ZJ</P> Mon, 11 Mar 2019 09:43:11 GMT https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613761#M1023868 junzhang 2019-03-11T09:43:11Z https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613762#M1023869 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>It sounds like the classifier is having a problem in sending the traffic to the right context interface. </P><P></P><P>When you say you have static NAT setup what do you mean ? On a shared vlan you must map NAT statements within each context and clearly between contexts you can't have any overlap. </P><P></P><P>Could you send the configs of your 2 contexts with an explanation of where you are connecting from and where you are connecting to and we might be able to help you. </P><P></P><P>Jon </P></BODY></HTML> Thu, 08 Mar 2007 08:13:49 GMT https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613762#M1023869 Jon Marshall 2007-03-08T08:13:49Z https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613763#M1023872 <HTML><HEAD></HEAD><BODY><P>Hi, Jon,</P><P></P><P>Thank you for your help. The mainly config of the 2 contexts are as the following.</P><P>No.1:</P><P>interface Vlan106</P><P> description Outside</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.0.9.1 255.255.255.192 standby 10.0.9.2 </P><P>!</P><P>interface Vlan222</P><P> description Link-FW-ShiHou-CeShi_Server</P><P> nameif FW-ShiHou-CeShi_Server</P><P> security-level 70</P><P> ip address 10.0.22.254 255.255.255.0 standby 10.0.22.253 </P><P>!</P><P>access-list any extended permit ip any any </P><P>access-list any extended permit icmp any any </P><P>access-list any extended permit tcp any any </P><P>access-list any extended permit tcp any any gt 1 </P><P>!</P><P>icmp permit 10.0.9.0 255.255.255.0 outside</P><P>icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server</P><P>!</P><P>nat (FW-ShiHou-CeShi_Server) 0 10.0.22.0 255.255.255.0</P><P>static (FW-ShiHou-CeShi_Server,outside) 10.0.22.0 10.0.22.0 netmask 255.255.255.0 </P><P>!</P><P>access-group any in interface outside</P><P>access-group any out interface outside</P><P>access-group any in interface FW-ShiHou-CeShi_Server</P><P>access-group any out interface FW-ShiHou-CeShi_Server</P><P>!</P><P>route outside 0.0.0.0 0.0.0.0 10.0.9.5 1</P><P></P><P>No.2:</P><P>interface Vlan105</P><P> description Network Manage Hosts</P><P> nameif netmanage</P><P> security-level 60</P><P> ip address 10.0.5.254 255.255.255.0 standby 10.0.5.253</P><P>!</P><P>interface Vlan222</P><P> description Link-FW-ShiHou-CeShi_Server</P><P> nameif FW-ShiHou-CeShi_Server</P><P> security-level 100</P><P> ip address 10.0.22.250 255.255.255.0 standby 10.0.22.249</P><P>!</P><P>access-list Netman extended permit ip 10.0.5.0 255.255.255.0 any </P><P>access-list Netman extended permit icmp 10.0.5.0 255.255.255.0 any </P><P>access-list Netman extended permit ip any 10.0.5.0 255.255.255.0</P><P>access-list Netman extended permit icmp any 10.0.5.0 255.255.255.0 </P><P>!</P><P>access-list CESHI extended permit ip 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0 </P><P>access-list CESHI extended permit icmp 10.0.5.0 255.255.255.0 10.0.22.0 255.255.255.0 </P><P>access-list CESHI extended permit ip 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0 </P><P>access-list CESHI extended permit icmp 10.0.22.0 255.255.255.0 10.0.5.0 255.255.255.0</P><P>!</P><P>static (FW-ShiHou-CeShi_Server,netmanage) 10.0.22.0 10.0.22.0 netmask 255.255.255.0 </P><P>!</P><P>access-group Netman in interface netmanage</P><P>access-group CESHI in interface FW-ShiHou-CeShi_Server</P><P>!</P><P>icmp permit 10.0.5.0 255.255.255.0 netmanage</P><P>icmp permit 10.0.22.0 255.255.255.0 FW-ShiHou-CeShi_Server</P><P></P><P>Now, in the first context, all the traffic are normal.In the second context the icmp traffic from the 10.0.5.0 to the netmanage interface and from the 10.0.22.0 to the FW-ShiHou-CeShi_Server are normal. But the traffic go through the context from outside to inside is not work. And when I ping from 10.0.5.0 to 10.0.22.0 the xlate table in the 2nd. context have the right items but can not see any information although the context icmp debug is open.</P><P></P><P>Thank you for your help!</P><P></P><P>ZJ</P></BODY></HTML> Fri, 09 Mar 2007 00:05:06 GMT https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613763#M1023872 junzhang 2007-03-09T00:05:06Z https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613764#M1023875 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Apologies for the delay in replying, i've been off work for a couple of days. </P><P></P><P>If you use shared interfaces you have to setup static NAT translations whether the traffic is coming from a higher to a lower level security interface or vice-versa. </P><P></P><P>You don't have a NAT translation in context 2 for the 10.0.5.0 network. I think when the icmp echo reply is sent from vlan 222 to the vlan 105 the FWSM does not know how to classify the traffic. </P><P></P><P>You need a Nat statement for the 10.0.5.0 </P><P></P><P>try </P><P></P><P>static (netmanage,FW-ShiHou-CeShi_Server) 10.0.5.0 10.0.5.0 netmask 255.255.255.0</P><P></P><P>Let me know how you get on </P><P></P><P>HTH </P><P></P><P>Jon </P><P></P><P></P></BODY></HTML> Mon, 12 Mar 2007 11:17:56 GMT https://community.cisco.com/t5/network-security/assistance-about-shared-interface-between-multiple-contexts/m-p/613764#M1023875 Jon Marshall 2007-03-12T11:17:56Z