03-27-2019 02:29 AM
Hi,
I have an ASA 5520 working in multiple context mode for years now.
Until now, the first context was using interfaces 0/0 and 0/1 and the second context interfaces 0/2 and 0/3.
But recently I had to add another LAN to this configuration and, because of the lack of available interfaces, I had to make
small changes in the system context to add new interfaces to the two other contexts.
This is how it is now:
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.200
 description Vlan Telephony
 vlan 200
!
interface GigabitEthernet0/2.300
 description Vlan INSIDE
 vlan 300
!
interface GigabitEthernet0/3
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context ISP2
 description ISP2-Context
 allocate-interface GigabitEthernet0/2.200 Telephony
 allocate-interface GigabitEthernet0/2.300 Inside
 allocate-interface GigabitEthernet0/3 Outside
 config-url disk0:/ISP2.cfg
!
context ISP1
 description ISP1-Context
 allocate-interface GigabitEthernet0/0 Inside
 allocate-interface GigabitEthernet0/1 Outside
 allocate-interface GigabitEthernet0/2.200 Telephony
 config-url disk0:/ISP1.cfg
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
Just doing this, and after reapplying the configuration on the ISP2 context (because I had to remove the physical interface for the two VLAN interfaces in this context), the historical config is working, and I can see the Telephony interface in both contexts.
Traffic from inside to outside is working, and the services provided to externals are still working through the context.
Now regarding the Telephony interfaces: any resource in the same VLAN can ping them, but nothing can go through the FWs using these interfaces as gateway, and packet tracer gives me a nice:
(ifc-classify) Virtual firewall classification failed
There is clearly something that I do not understand, but I can't find what. Any help would be very much appreciated.
This is the config (not all of it, but everything related to the interfaces and NAT) of the first context:
!
interface Inside
 nameif Inside
 security-level 100
 ip address 10.1.100.253 255.255.255.0
!
interface Outside
 nameif Outside
 security-level 0
 ip address 155.175.237.133 255.255.255.248
!
interface Telephony
 nameif Telephony
 security-level 50
 ip address 10.1.200.253 255.255.255.0
!
object network Default-Nat
 subnet 10.1.0.0 255.255.128.0
object network XX-VRIPB-01
 host 10.1.200.16
object network Telephony-DMZ
 subnet 10.1.200.0 255.255.255.0
object network Default-Nat
 nat (Inside,Outside) dynamic interface
object network XX-VRIPB-01
 nat (Telephony,Outside) static 155.175.237.134
object network Telephony-DMZ
 nat (Telephony,Outside) dynamic interface
(I tried to put static 155.175.237.134 instead, but it did not work either)
route Outside 0.0.0.0 0.0.0.0 155.175.237.129 1
route Inside 10.1.0.0 255.255.240.0 10.1.100.1 1
route Inside 10.1.0.0 255.255.255.0 10.1.100.1 1
route Inside 10.1.80.0 255.255.255.0 10.1.100.1 1
Many thanks in advance for your help.
F.
03-27-2019 05:50 AM
It looks like there is a shared interface between the 2 contexts:
interface GigabitEthernet0/2.200 description Vlan Telephony vlan 200
In the case of shared interfaces, incoming traffic might fail to be classified to a context, which is usually fixed by enabling per-context MAC address (prefix) generation with the 'mac-address auto' command in the system context.
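As an added illustration of that fix (this is not the thread's own configuration; the poster did not paste the final system context), the fragment below shows the shared VLAN 200 sub-interface allocated to both contexts together with `mac-address auto`, followed by the checks to confirm the classifier now has something to work with. The packet-tracer destination 8.8.8.8 and source port are constructed values; the interface names, context names and host 10.1.200.16 are taken from the configuration above.

```cisco
! --- system context: the shared sub-interface handed to two contexts ---
interface GigabitEthernet0/2.200
 description Vlan Telephony
 vlan 200
!
! Generate a distinct virtual MAC for each context's copy of a shared
! interface. The classifier can then map an ingress frame on Gi0/2.200 to
! ISP1 or ISP2 by destination MAC. Without this, both contexts answer to the
! burned-in MAC of Gi0/2 and the ASA falls back to NAT mapped addresses,
! which hosts merely using the interface as their default gateway never match.
mac-address auto
!
context ISP1
 allocate-interface GigabitEthernet0/2.200 Telephony
!
context ISP2
 allocate-interface GigabitEthernet0/2.200 Telephony
!
! --- verification ---
! System context: confirm the command is in the running configuration.
show running-config | include mac-address
! Inside each context (changeto context ISP1, then changeto context ISP2):
! the Telephony interface must report a different MAC address per context.
show interface Telephony | include MAC
! Repeat the failing test from inside a context; the
! "(ifc-classify) Virtual firewall classification failed" step should be gone.
! (8.8.8.8 and port 12345 are placeholders for this example.)
packet-tracer input Telephony tcp 10.1.200.16 12345 8.8.8.8 443
```

Two practical caveats: enabling `mac-address auto` changes the MAC that VLAN 200 hosts see for their gateway, so expect adjacent ARP caches to refresh and a brief blip on that segment, and the per-context addresses are only assigned to interfaces allocated to a context, so run the `show interface` check in each context, not in the system context, to see them.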
03-27-2019 06:22 AM
Many thanks llkin, that did the job!!