11-23-2011 08:41 AM - edited 03-11-2019 02:54 PM
Hi,
I've been using packet-tracer for some time on and off with mixed results.
I'm running a multi context firewall with over 10 of the contexts sharing the same outside interface / network.
All interfaces obviously have valid, unique IPs and also unique MAC addresses as mac-address auto is enabled in the system context.
This is an ASA 5550 running 8.3(2.10) interim so includes the fix for the well known packet-tracer classification failed bug.
So in theory, with firewall contexts on a shared interface the ASA should use the firewall MAC address to classify incoming traffic to the correct firewall and as far as I am aware, only fall back on using NAT to classify if the interface MACs are the same. In reality on my platform this doesn't seem to be happening and the classifier is using NAT to determine the destination context. I'm seeing this with live traffic (i.e. not generated by packet-tracer) in logs and can prove it by disabling certain NAT rules (there is some overlap with the IP addressing behind each firewall).
My question regarding packet tracer is this - in the above scenario with a shared outside interface, does packet tracer ALWAYS use NAT to determine the destination context? Or does packet tracer look up the MAC address of the ingress interface according to what context you are running packet tracer from? It appears that packet-tracer is using NAT in my case which could be just symptomatic of the potential bug I've described above rather than by design.
I've trawled the forums for an answer to this and haven't found one - not sure if this is a question for TAC/Developers?
Cheers
Paul
11-26-2011 05:08 AM
Hi Paul,
The packet-tracer has no way of specifying the MAC address of the simulated packet, so it will always fall back to a NAT check. This is currently a limitation of the packet-tracer feature in multiple context mode.
Additionally, if your NAT rules contain the 'any' keyword in the interface pair, you should be aware of this bug:
CSCts07069 - ASA: Packet classifier fails with 'any' in Object NAT rule (fixed in 8.3.2.28)
Hope that helps.
-Mike
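To make the two classification paths concrete (destination MAC first when every context has a unique interface MAC, NAT lookup as the fallback, and packet-tracer never carrying a MAC), here is an added Python model; it is not ASA code, and the context names, MAC addresses and mapped NAT networks are constructed. It goes a little beyond the thread by also showing the shared-MAC case, where even a real frame falls back to NAT.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Context:
    name: str
    outside_mac: str           # MAC of this context's (shared) outside interface
    nat_mapped: List[str]      # mapped/global networks in this context's NAT rules


@dataclass
class Packet:
    dst_ip: str
    dst_mac: Optional[str] = None   # None models packet-tracer: the simulated packet has no MAC


def classify(pkt: Packet, contexts: List[Context]) -> Tuple[Optional[str], str]:
    """Pick the destination context for a packet arriving on the shared outside interface.
    Returns (context name or None, classification method used)."""
    macs = [c.outside_mac for c in contexts]
    unique_macs = len(set(macs)) == len(macs)
    # Step 1: unique interface MACs and a real frame -> classify on destination MAC.
    if unique_macs and pkt.dst_mac is not None:
        for c in contexts:
            if c.outside_mac == pkt.dst_mac:
                return c.name, "mac"
    # Step 2: otherwise fall back to NAT: which contexts translate this destination?
    dst = ip_address(pkt.dst_ip)
    hits = [c.name for c in contexts
            if any(dst in ip_network(n) for n in c.nat_mapped)]
    if len(hits) == 1:
        return hits[0], "nat"
    if len(hits) > 1:
        # Overlapping NAT between contexts: the classifier cannot tell them apart,
        # so the first match wins and may be the wrong context.
        return hits[0], "nat-ambiguous"
    return None, "unclassified"


# Constructed sample: two contexts on one outside interface whose NAT rules overlap.
CONTEXTS = [
    Context("ctxA", "0200.0000.000a", ["203.0.113.0/24"]),
    Context("ctxB", "0200.0000.000b", ["203.0.113.0/25"]),
]

if __name__ == "__main__":
    live = Packet("203.0.113.10", dst_mac="0200.0000.000b")   # real frame addressed to ctxB
    traced = Packet("203.0.113.10")                            # packet-tracer: no MAC
    print("live   :", classify(live, CONTEXTS))     # ('ctxB', 'mac')
    print("traced :", classify(traced, CONTEXTS))   # ('ctxA', 'nat-ambiguous')
```

The same destination IP lands in ctxB on the wire but in ctxA under packet-tracer, which is the discrepancy described in the question.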
11-26-2011 06:56 AM
Thanks Mike
Good to get confirmation of my suspicions. I wasn't aware of the 'any' NAT bug so that's good to know.
Cheers
Paul