<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ASA (8.3) - Packet tracer / Multi Context Classificati in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806679#M492585</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Mike&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Good to get confirmation of my suspicions. I wasn't aware of the 'any' NAT bug so that's good to know. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sent from Cisco Technical Support iPhone App&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sat, 26 Nov 2011 14:56:58 GMT</pubDate>
    <dc:creator>Paul Cummings</dc:creator>
    <dc:date>2011-11-26T14:56:58Z</dc:date>
    <item>
      <title>Cisco ASA (8.3) - Packet tracer / Multi Context Classification</title>
      <link>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806677#M492582</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've been using packet-tracer for some time on and off with mixed results.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm running a multi context firewall with over 10 of the contexts sharing the same outside interface / network.&lt;/P&gt;&lt;P&gt;All interfaces obviously have valid, unique IPs and also unique MAC addresses as mac-address auto is enabled in the system context.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is an ASA 5550 running 8.3(2.10) interim so includes the fix for the well known packet-tracer classification failed bug.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So in theory, with firewall contexts on a shared interface the ASA should use the firewall MAC address to classify incoming traffic to the correct firewall and as far as I am aware, only fall back on using NAT to classify if the interface MACs are the same. In reality on my platform this doesn't seem to be happening and the classifier is using NAT to determine the destination context. I'm seeing this with live traffic (i.e. not generated by packet-tracer) in logs and can prove it by disabling certain NAT rules (there is some overlap with the IP addressing behind each firewall).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My question regarding packet tracer is this - in the above scenario with a shared outside interface, does packet tracer ALWAYS use NAT to determine the destination context? Or does packet tracer look up the MAC address of the ingress interface according to what context you are running packet tracer from? It appears that packet-tracer is using NAT in my case which could be just symptomatic of the potential bug I've described above rather than by design.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've trawled the forums for an answer to this and haven't found one - not sure if this is a question for TAC/Developers?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 21:54:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806677#M492582</guid>
      <dc:creator>Paul Cummings</dc:creator>
      <dc:date>2019-03-11T21:54:28Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ASA (8.3) - Packet tracer / Multi Context Classificati</title>
      <link>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806678#M492583</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Paul,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The packet-tracer has no way of specifying the MAC address of the simulated packet, so it will always fall back to a NAT check. This is currently a limitation of the packet-tracer feature in multiple context mode.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Additionally, if your NAT rules contain the 'any' keyword in the interface pair, you should be aware of this bug:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CSCts07069 - ASA: Packet classifier fails with 'any' in Object NAT rule (fixed in 8.3.2.28)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 26 Nov 2011 13:08:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806678#M492583</guid>
      <dc:creator>mirober2</dc:creator>
      <dc:date>2011-11-26T13:08:39Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ASA (8.3) - Packet tracer / Multi Context Classificati</title>
      <link>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806679#M492585</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Mike&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Good to get confirmation of my suspicions. I wasn't aware of the 'any' NAT bug so that's good to know. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sent from Cisco Technical Support iPhone App&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 26 Nov 2011 14:56:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-asa-8-3-packet-tracer-multi-context-classification/m-p/1806679#M492585</guid>
      <dc:creator>Paul Cummings</dc:creator>
      <dc:date>2011-11-26T14:56:58Z</dc:date>
    </item>
  </channel>
</rss>