06-04-2009 02:29 AM - edited 03-11-2019 08:39 AM
Dear All,
I have two ASA 5520s configured in multiple context mode; the two contexts share both the inside and the outside interfaces.
I have configured mac-address auto in the system context to assign a unique MAC to each sub-interface.
When I try to send a packet from the inside interface, I get the following error:
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed
If I try to send a packet from the outside toward a more secure interface, all works well.
Both contexts have a static translation for the inside network:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
But the destination networks are different for each context:
Context A
src 192.168.0.1 dst 171.22.233.1/26
Context B
src 192.168.0.1 dst 171.22.233.69/27
The classifier criteria should use the unique MACs first, then the NAT translation performing a destination lookup, right?
Why is the traffic from the shared inside not classified?
Thanks&Regards,
Igor.
06-04-2009 04:30 AM
For the classifier to work properly when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address, so that the classifier can examine packets entering from the inside network to decide which context should receive a packet.
Post your config...
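As an added example (not a post from the thread and not Igor's actual configuration), here is what the accepted answer describes, written in the pre-8.3 static syntax the question uses. On a shared ingress interface the classifier matches the packet's destination address against the mapped ("global") addresses configured on that interface; a static (outside,inside) identity entry for each context's outside destination range gives the classifier something to match for packets entering from the shared inside. Assumptions: the nameifs inside the contexts are inside (for inside_shared) and outside (for outside_shared), the contexts are called A and B as in the question (substitute the real names from the system configuration), and the destination ranges are the ones quoted in the question, 171.22.233.0/26 for A and 171.22.233.64/27 for B.

```cisco
! Added example, not from the original thread. Pre-8.3 NAT syntax.
! Assumed nameifs: "inside" = inside_shared, "outside" = outside_shared.
! The existing static (inside,dmz) entries from the question stay as they are.
!
! --- Context A: outside destinations in 171.22.233.0/26 ---
changeto context A
configure terminal
! Identity static that makes 171.22.233.0/26 a mapped (global) address on the
! shared inside interface, so a packet arriving on inside with a destination
! in that range is classified to this context.
static (outside,inside) 171.22.233.0 171.22.233.0 netmask 255.255.255.192
end
!
! --- Context B: outside destinations in 171.22.233.64/27 ---
changeto context B
configure terminal
static (outside,inside) 171.22.233.64 171.22.233.64 netmask 255.255.255.224
end
!
! Re-run the test from the question inside each context; the packet should no
! longer be dropped with "(ifc-classify) Virtual firewall classification failed".
changeto context A
packet-tracer input inside tcp 192.168.0.1 1025 171.22.233.1 80
changeto context B
packet-tracer input inside tcp 192.168.0.1 1025 171.22.233.69 80
```

The two mapped ranges must not overlap: if a destination address matches a mapped address in more than one context, the classifier has no way to choose between them, so the ranges have to be disjoint per shared interface, as they are here.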
06-04-2009 03:31 AM
Drop-reason: (ifc-classify) Virtual firewall classification failed
The error means a packet arrived on a shared interface but failed to classify to any specific context interface.
Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.
Go through this, as it contains a configuration example for exactly what you are trying to do: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#diag
06-04-2009 04:01 AM
Hi Francisco,
Thank you for your reply.
In the example that you provided me, contexts 1 and 2 do not share the inside and outside interfaces.
My configuration shares the inside and the outside; the subinterfaces are the same for both context A and context B:
System configuration:
context Internet
description Internet module
allocate-interface GigabitEthernet0/1.1 inside_shared
allocate-interface GigabitEthernet0/2.1 dmz_Internet
allocate-interface GigabitEthernet0/3.1 outside_shared
allocate-interface GigabitEthernet0/3.2 int_ipsec
config-url disk0:/Internet.cfg
join-failover-group 1
!
context E-Commerce
allocate-interface GigabitEthernet0/1.1 inside_shared
allocate-interface GigabitEthernet0/1.3 application
allocate-interface GigabitEthernet0/3.1 outside_shared
config-url disk0:/E-Commerce.cfg
join-failover-group 2
06-04-2009 06:15 AM
IGOR,
Were my comments helpful? Is the problem solved?
Thanks for the rating..
Francisco
06-04-2009 06:38 AM
Hi Francisco,
The outside NAT solves the problem, you are right!
All works fine now, thank you for your help.
Igor.
09-30-2014 04:34 AM
What was the config you actually added?
06-12-2019 02:47 AM - edited 06-12-2019 02:49 AM
Thank you Francisco! You saved the day!
Best Regards,
DSK Bank Network Team