topic Re: ASA5520 inside shared interface in Network Security

ASA5520 inside shared interface

ifabrizio — Mon, 11 Mar 2019 15:39:41 GMT

Dear All,

I have two asa5520 configured in multiple context mode, the two context share both the inside and the outside interfaces.

I have configured in the system context the mac-address auto to assign a unique mac to each sub-interface.

When I try to send a packet from the inside interface I got the following error:

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (ifc-classify) Virtual firewall classification failed

If I try to send a packet from the outside toward a more secure interface all works well.

Both context has an static traslation for the inside network:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

But the destination networks are different for each context:

Context A

src 192.168.0.1 dst 171.22.233.1/26

Context B

src 192.168.0.1 dst 171.22.233.69/27

The classifier Criteria should use first the unique macs, than the nat traslation performing a destination lookup, right?

Why the traffic from the shared inside is not classified?

Thanks&Regards,

Igor.

Re: ASA5520 inside shared interface

francisco_1 — Thu, 04 Jun 2009 10:31:05 GMT

Drop-reason: (ifc-classify) Virtual firewall classification failed

the error means a packet arrived on a shared interface, but failed to classify to any specific context interface.

Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.

Go through this as it contains configuration example for extactly what you are trying to do. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#diag

Re: ASA5520 inside shared interface

ifabrizio — Thu, 04 Jun 2009 11:01:50 GMT

Hi Francisco,

Thank you for you reply.

In the example that you provide me, the context 1 and 2 do not share the inside and outside interfaces.

My configuration share the inside and the outside, the subinterfaces are the same for both the context A and B:

System configuration:

context Internet

description Internet module

allocate-interface GigabitEthernet0/1.1 inside_shared

allocate-interface GigabitEthernet0/2.1 dmz_Internet

allocate-interface GigabitEthernet0/3.1 outside_shared

allocate-interface GigabitEthernet0/3.2 int_ipsec

config-url disk0:/Internet.cfg

join-failover-group 1

context E-Commerce

allocate-interface GigabitEthernet0/1.1 inside_shared

allocate-interface GigabitEthernet0/1.3 application

allocate-interface GigabitEthernet0/3.1 outside_shared

config-url disk0:/E-Commerce.cfg

join-failover-group 2

Re: ASA5520 inside shared interface

francisco_1 — Thu, 04 Jun 2009 11:30:10 GMT

for the classifier to work properly for when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address for the classifier to examine packets entering from the inside network o decide which context should receive a packet.

post your config...

Re: ASA5520 inside shared interface

francisco_1 — Thu, 04 Jun 2009 13:15:23 GMT

IGOR,

was my commments helpful? is the problem solved?

Thanks for the rating..

Francisco

Re: ASA5520 inside shared interface

ifabrizio — Thu, 04 Jun 2009 13:38:42 GMT

Hi Francisco,

The outside nat solve the problem you are right!

All works fine now, thank you for your help.

Igor.

What was the config you

rsinger — Tue, 30 Sep 2014 11:34:23 GMT

What was the config you actually added.

Re: ASA5520 inside shared interface

network@dskbank.bg — Wed, 12 Jun 2019 09:49:00 GMT

Thank you Francisco! You saved the day!

Best Regards,

DSK Bank Network Team