https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172713#M877224 <HTML><HEAD></HEAD><BODY><P>Here you go - </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314" target="_blank">http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314</A></P><P></P><P>Jon</P></BODY></HTML> Mon, 26 Jan 2009 17:51:18 GMT Jon Marshall 2009-01-26T17:51:18Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172710#M877219 <P></P><P>Hi, </P><P></P><P>Is there any FWSM multiple context configuration example with 'shared ingress Vlan interface'.</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 14:42:07 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172710#M877219 cisco_lite 2019-03-11T14:42:07Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172711#M877220 <HTML><HEAD></HEAD><BODY><P>When you say shared ingress vlan do you mean that each context shares a vlan for it's outside interfaces ie. each context uses an IP address from the same subnet on it's outside interface ?</P><P></P><P>Also is it safe to assume multiple context routed mode ?</P><P></P><P>Finally, which version of FWSM software ?</P><P></P><P>Jon</P></BODY></HTML> Mon, 26 Jan 2009 17:39:11 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172711#M877220 Jon Marshall 2009-01-26T17:39:11Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172712#M877222 <HTML><HEAD></HEAD><BODY><P>"When you say shared ingress vlan do you mean that each context shares a vlan for it's outside interfaces ie. each context uses an IP address from the same subnet on it's outside interface ? "</P><P></P><P>Yes, that is what I meant. </P><P>The multiple context shall be in routed mode. </P><P></P><P>FWSM version 3.2(2)</P><P></P><P>Thanks.</P><P></P><P></P></BODY></HTML> Mon, 26 Jan 2009 17:45:45 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172712#M877222 cisco_lite 2009-01-26T17:45:45Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172713#M877224 <HTML><HEAD></HEAD><BODY><P>Here you go - </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314" target="_blank">http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314</A></P><P></P><P>Jon</P></BODY></HTML> Mon, 26 Jan 2009 17:51:18 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172713#M877224 Jon Marshall 2009-01-26T17:51:18Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172714#M877227 <HTML><HEAD></HEAD><BODY><P>Thanks Jon. </P><P></P><P>Couple more questions</P><P></P><P>1. Is NAT a condition to use multiple context with shared outside interface</P><P>2. Can IDSM be deployed to FWSM in multiple context. I believe If I failover single FWSM context to redundant Cat6500 chassis, IDSM will not work because IDSM can be active against one physical FWSM only. </P><P></P><P>Thanks.</P></BODY></HTML> Mon, 26 Jan 2009 18:03:08 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172714#M877227 cisco_lite 2009-01-26T18:03:08Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172715#M877228 <HTML><HEAD></HEAD><BODY><P>No problem.</P><P></P><P>1) That's a very good question. When you share a vlan between contexts then the FWSM classifier comes into play. You need to have a read of this section. Sharing the same vlan for outside contexts is the most common approach so it is less problematic - </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html#wp1124236" target="_blank">http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html#wp1124236</A></P><P></P><P>If you have any more questions on this please come back.</P><P></P><P>2) Unfortunately can't really help you on this as i have no real experience with the IDSM. I have used CSM-S modules (load-balancers) in conjunction with the FWSM's and they work in failover mode but i wouldn't want to say if this is possible with the IDSM.</P><P></P><P>Jon</P></BODY></HTML> Mon, 26 Jan 2009 18:22:14 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172715#M877228 Jon Marshall 2009-01-26T18:22:14Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172716#M877229 <HTML><HEAD></HEAD><BODY><P>Jon, </P><P></P><P>In my case all the NAT'ing is done on perimeter firewall and not FWSM. Traffic from firewall is routed to MSFC and then FWSM. So there is a single outside interface on FWSM, where the destination IP is already NAT'ed and should belong to one of the contexts (unique IP address). My understanding is that classifier would 'not' be required in the above scenario. Please advise.</P><P></P><P>Topology:</P><P></P><P>ASA-&gt;MSFC-&gt;FWSM-&gt;ACE</P><P></P><P></P></BODY></HTML> Mon, 26 Jan 2009 18:35:22 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172716#M877229 cisco_lite 2009-01-26T18:35:22Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172717#M877230 <HTML><HEAD></HEAD><BODY><P>Okay, i'm a little confused :-). </P><P></P><P>You say there is a single outside interface on FWSM but we were talking about multiple contexts using the same vlan for outside interfaces ?</P><P></P><P>Assuming you are talking about a single context then note this from the link i sent -</P><P></P><P> </P><P>"Because the classifier relies on active NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces."</P><P></P><P>So you need NAT but all this means is you need to setup static translations ie. you don't need to actually change the IP address eg.</P><P></P><P>static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0</P><P></P><P>Does this make sense or have i misunderstood your topology ?</P><P></P><P>Jon </P><P></P></BODY></HTML> Mon, 26 Jan 2009 18:44:14 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172717#M877230 Jon Marshall 2009-01-26T18:44:14Z https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172718#M877232 <HTML><HEAD></HEAD><BODY><P></P><P>Ok. I meant single shared vlan by outside across multiple contexts.</P><P></P><P>So I understand NAT to be a condition (even though to same IP) for multiple contexts to work in the given topology and requirement.</P><P></P><P>Jon, if you don't mind could you please provide your valuable inputs on the below post in 'Lan,Switching &amp; Routing'</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Network%20Infrastructure&amp;topic=LAN%2C%20Switching%20and%20Routing&amp;topicID=.ee71a04&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2d744" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Network%20Infrastructure&amp;topic=LAN%2C%20Switching%20and%20Routing&amp;topicID=.ee71a04&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2d744</A></P><P></P><P>Thanks.</P></BODY></HTML> Mon, 26 Jan 2009 19:49:32 GMT https://community.cisco.com/t5/network-security/fwsm-multiple-context/m-p/1172718#M877232 cisco_lite 2009-01-26T19:49:32Z