https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369049#M857648 <HTML><HEAD></HEAD><BODY><P>Yes, you need to add either global or static nat so, the classifier will properly classify the flow.</P><P></P><P>If you share the outside interface, you need to provide translation for all the inside networks.</P><P></P><P>If you share the inside interfce (this is bad if it is internet facing context) you need to provide translation for all the outside hosts/network.</P><P></P><P>Even though our config guide below shows exactly what you are trying to do, it is not a good idea to do this. Troubleshooting may become a big problem.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236">http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236</A></P><P></P><P>-KS</P></BODY></HTML> Thu, 10 Dec 2009 16:19:41 GMT Kureli Sankar 2009-12-10T16:19:41Z https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369048#M857646 <P><!--[if gte mso 9]><xml> <o:DocumentProperties> <o:Author>rboersma</o:Author> <o:Version>12.00</o:Version> </o:DocumentProperties> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin-top:0cm; mso-para-margin-right:0cm; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0cm; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-fareast-language:EN-US;} </style> <![endif]--></P><P><SPAN style="font-size: 12pt;">I’m going to configure (on paper) an FWSM with two contexts sharing inside and outside interfaces.<BR /><BR />I’m using one context only for admin purpose (access to the system space) and other to pass traffic.<BR /><BR />Admin and production contexts are sharing the inside and outside vlans (see attached diagram): from admin context, I need to reach some servers over vlan 940, like AAA.<BR /><BR />I do not need to use NAT.<BR /><BR />Now I’m reading the configuration guide about packets classification. So, because the classifier relies on active NAT sessions and for management traffic destined for an interface, the interface IP address is used for classification, I believe I need to perform NAT with some static entries on production context.<BR /><BR />Is it wrong?<BR /><BR />Regards.<BR /><BR />Andrea<BR /></SPAN></P> Mon, 11 Mar 2019 16:47:30 GMT https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369048#M857646 andrea.meconi 2019-03-11T16:47:30Z https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369049#M857648 <HTML><HEAD></HEAD><BODY><P>Yes, you need to add either global or static nat so, the classifier will properly classify the flow.</P><P></P><P>If you share the outside interface, you need to provide translation for all the inside networks.</P><P></P><P>If you share the inside interfce (this is bad if it is internet facing context) you need to provide translation for all the outside hosts/network.</P><P></P><P>Even though our config guide below shows exactly what you are trying to do, it is not a good idea to do this. Troubleshooting may become a big problem.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236">http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236</A></P><P></P><P>-KS</P></BODY></HTML> Thu, 10 Dec 2009 16:19:41 GMT https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369049#M857648 Kureli Sankar 2009-12-10T16:19:41Z https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369050#M857649 <HTML><HEAD></HEAD><BODY><P>Many thanks for your help.<BR />I understand that my problem is sharing the inside interface although I'm using admin context only for system space management.<BR />So I can evaluate two solutions: go back to single mode or promote the production context to admin context.<BR />Regards.<BR />Andrea</P></BODY></HTML> Thu, 10 Dec 2009 19:31:56 GMT https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369050#M857649 andrea.meconi 2009-12-10T19:31:56Z https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369051#M857650 <HTML><HEAD></HEAD><BODY><P>You certainly can. Make sure to save your config. Even if you do not it will be saved in the disk:</P><P></P><P>If the admin context is used only for mgmt, then you can allocate only one interface for this context. No need to allocate two. Just a thought.</P><P></P><P>-KS</P></BODY></HTML> Thu, 10 Dec 2009 19:37:08 GMT https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369051#M857650 Kureli Sankar 2009-12-10T19:37:08Z https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369052#M857651 <HTML><HEAD></HEAD><BODY><P>Good. But I need to reach some servers on outside from admin.</P><P>Perhaps I can use LOCAL authentication but always I'm sharing inside.</P><P>Regards.</P><P>Andrea</P></BODY></HTML> Thu, 10 Dec 2009 19:42:06 GMT https://community.cisco.com/t5/network-security/fwsm-sharing-interfaces-between-contexts/m-p/1369052#M857651 andrea.meconi 2009-12-10T19:42:06Z