topic Re: multicontext mode shared interfaces in Network Security

multicontext mode shared interfaces

amar_5664 — Mon, 11 Mar 2019 18:55:32 GMT

I am running a multicontext mode on my firewalls, have a shared outside interface. having few problems trying to allow a single user access to external network through the firewall....attached is the diagram for how things are connected, this is just for the context that i am having issues....

from port g0/2 i have allowed proxy to any and works fine

i am trying to allow a specific network from port g0/0.10 to any and having no joy, receive ifc-classify fail error everytime i trace the packet....

i have global NAT for g0/0.10 interface NATted to range on g0/1.66

i have enable traffic to flow across same security level interfaces...

will appreciate any assistance...

thanks

Re: multicontext mode shared interfaces

Maykol Rojas — Mon, 18 Oct 2010 02:21:28 GMT

Hello Amar,

I hope you are doing great is it only one host having the issue? or is it an entire network? Can you paste the packet tracer? The configuration for the system and the context that is having the problem?

Cheers

Mike

Re: multicontext mode shared interfaces

amar_5664 — Mon, 18 Oct 2010 03:06:53 GMT

it actually is entire network... entire network is unable to go through g0/0.10 interface all

traffic is going through Proxy interface...

below is the config of the context.. please note i have removed the global NAT for the test that is was doing....

ASA Version 8.2(1)
!
hostname Passthrough
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 203.194.27.57 Soul-DNS1
name 10.153.66.150 Soul-DNS1_NAT
name 203.194.56.150 Soul-DNS2
name 10.153.66.151 Soul-DNS2_NAT
name 10.128.0.0 TG-Internal description TG Internal Domain
name 192.168.66.254 TG-Internal_PAT
name 10.142.171.20 VSVWIN2008E017 description DC TG.local
name 192.168.66.100 VSVWIN2008E017_NAT description DC TG.local NAT
name 10.152.171.20 VSVWIN2008E018 description DC TG.local
name 192.168.66.101 VSVWIN2008E018_NAT description DC TG.corp NAT
name 10.142.171.21 VSVWIN2008E019 description DC corp TG.local
name 192.168.66.102 VSVWIN2008E019_NAT description DC corp.TG.local NAT
name 10.142.171.22 VSVWIN2008E020 description DC corp.TG.local
name 192.168.66.103 VSVWIN2008E020_NAT description DC corp.TG.local NAT
name 10.152.171.21 VSVWIN2008E021 description DC corp.TG.local
name 192.168.66.104 VSVWIN2008E021_NAT description DC corp.TG.local NAT
name 192.168.66.120 SRVDWX336X001_NAT description WEB Proxy 1 NAT
name 192.168.66.121 SRVDWX336X002_NAT description WEB Proxy 2 NAT
name 144.140.108.23 Telstra
name 10.153.66.99 Telstra_NAT
name 10.153.20.120 SRVDWX336X001 description WEB Proxy 1
name 10.153.20.121 SRVDWX336X002 description WEB Proxy 2
name 10.142.176.46 VSVWIN2003E069
name 192.168.66.146 VSVWIN2003E069_NAT
name 116.193.208.10 KATTRON
name 10.153.66.110 KATTRON_NAT
name 10.137.161.131 test1
name 192.168.66.105 test1_NAT
name 10.137.161.0 test2
!
interface GigabitEthernet0/0.10
nameif Internal-Passthrough
security-level 100
ip address 10.153.10.42 255.255.255.0
!
interface GigabitEthernet0/1.66
nameif DMZ-Passthrough
security-level 0
ip address 192.168.66.1 255.255.255.0

interface GigabitEthernet0/2
description Special interface for Proxy domain
nameif Internal-Proxy-Passthrough
security-level 100
ip address 10.153.20.42 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DCs
description TG DC for DNS access
network-object host VSVWIN2008E017
network-object host VSVWIN2008E019
network-object host VSVWIN2008E020
network-object host VSVWIN2008E018
network-object host VSVWIN2008E021
object-group network Soul-DNS-servers
description (NAT)
network-object host Soul-DNS1_NAT
network-object host Soul-DNS2_NAT
object-group network WEB-Proxies
<--- More ---> network-object host SRVDWX336X001
network-object host SRVDWX336X002
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
object-group network DM_INLINE_NETWORK_1
network-object host SRVDWX336X001_NAT
network-object host SRVDWX336X002_NAT
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ftp
service-object tcp eq www
access-list Internal-Passthrough_access_in extended permit object-group TCPUDP o
bject-group DCs object-group Soul-DNS-servers eq domain
access-list Internal-Passthrough_access_in extended permit tcp host VSVWIN2003E0
69 host KATTRON_NAT eq 3001
access-list Internal-Passthrough_access_in extended permit object-group DM_INLIN
E_SERVICE_1 host test1 host bentley_NAT log inactive
access-list DMZ-Passthrough_access_in extended permit icmp any object-group DM_I
NLINE_NETWORK_1
access-list Internal-Proxy-Passthrough_access_in extended permit tcp object-grou
p WEB-Proxies any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging device-id string SYW-Passthrough
logging host Internal-Passthrough 10.142.176.32
mtu Internal-Passthrough 1500
mtu DMZ-Passthrough 1500
mtu Internal-Proxy-Passthrough 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internal-Passthrough
no asdm history enable
arp timeout 14400
static (DMZ-Passthrough,Internal-Passthrough) Soul-DNS1_NAT Soul-DNS1 netmask 25
5.255.255.255
static (DMZ-Passthrough,Internal-Passthrough) Soul-DNS2_NAT Soul-DNS2 netmask 25
5.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E017_NAT VSVWIN2008E017
netmask 255.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E018_NAT VSVWIN2008E018
netmask 255.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E019_NAT VSVWIN2008E019
netmask 255.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E020_NAT VSVWIN2008E020
netmask 255.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2008E021_NAT VSVWIN2008E021
netmask 255.255.255.255
static (DMZ-Passthrough,Internal-Passthrough) Telstra_NAT Telstra netmask 255.25
5.255.255
static (Internal-Proxy-Passthrough,DMZ-Passthrough) SRVDWX336X001_NAT SRVDWX336X
001 netmask 255.255.255.255
static (Internal-Proxy-Passthrough,DMZ-Passthrough) SRVDWX336X002_NAT SRVDWX336X
002 netmask 255.255.255.255
static (Internal-Passthrough,DMZ-Passthrough) VSVWIN2003E069_NAT VSVWIN2003E069
netmask 255.255.255.255
static (DMZ-Passthrough,Internal-Passthrough) KATTRON_NAT KATTRON netmask 255.25
5.255.255
access-group Internal-Passthrough_access_in in interface Internal-Passthrough
access-group DMZ-Passthrough_access_in in interface DMZ-Passthrough
access-group Internal-Proxy-Passthrough_access_in in interface Internal-Proxy-Pa
ssthrough
route DMZ-Passthrough 0.0.0.0 0.0.0.0 192.168.66.19 1
route Internal-Passthrough TG-Internal 255.128.0.0 10.153.10.1 1
route Internal-Proxy-Passthrough SRVDWX336X001 255.255.255.255 SRVDWX336X001 1
route DMZ-Passthrough SRVDWX336X002 255.255.255.255 SRVDWX336X002 1
route Internal-Proxy-Passthrough 146.178.211.0 255.255.255.0 10.153.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
<--- More ---> parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:50f7f89738faadcdfd62c970ecbcf147
: end

-------------------------------------------------------------------------------------

Interface allocation for this particular context

Passthrough      default    GigabitEthernet0/0.10, disk0:/passthrough.cfg
                             GigabitEthernet0/1.66,
                             GigabitEthernet0/2

Packet tracer result .... when the actual configuration is applied

Result:
input-interface: Internal-Passthrough
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

Re: multicontext mode shared interfaces

Maykol Rojas — Mon, 18 Oct 2010 21:30:46 GMT

Hello Amar,

Thank you so much for the reply. This is interesting, I was doing some research regarding this issue. Are you able to pass real traffic? Or have you just use packet tracer to test? Do you have mac-address auto configured? This smells like the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso17884

But this is cosmetic and does not affect the real traffiric

Would you please confirm?

Thank you !

Mike

Re: multicontext mode shared interfaces

amar_5664 — Mon, 18 Oct 2010 22:44:10 GMT

no i have not configured mac-add auto for any contexts, all of my internal traffic is forwarded through Proxy interface (g0/2).

according to my understanding it seems the internal traffic is classified out of g0/2 interface as when there is an outside shared interface the classifier uses dest ip and g0/2 interface has an ACE to allow web proxies to any ...

for internal interface g0/0.10 i tried and created ACE to allow one user access ftp to a particular site and had a static NAT entry for that it worked fine.... but when i allow network/user to any for g0/0.10 interface ifc-classify fails ... firewall is unable to classify internal network for g0/0.10....

it doesnt solve my issue.... my question now is why cant i have an ACE on g0/0.10 and g0/2 to allow any dst

g0/0.10

access-list xxxx permit ip 10.137.x.x 0.0.255.255 any

g0/2

access-list xxxx permit ip web-proxies any

when i have above config and packet trace internal network (10.137) from g0/0.10 interface ifc-classify fails while packet trace 10.137 from g0/2 firewall classifies that packet which confuses me as i have a dynamic NAT entry for 10.137 network for g0/0.10 interface.....