
FWSM Classification Criteria - Return Packets

charles.coutts
Level 1

Dear Cisco FWSM Gurus,

I hope you can help me answer the following query - I can't seem to find the answer in Cisco documentation.

FWSM Version 3.1

In multiple context mode, when traffic traverses from a lower security level (with unique VLAN interfaces) to a higher security level, and the higher security level (inside) is a shared VLAN interface, are static NAT statements required in order for return packets to be classified properly?

e.g.

Src (outside): 10.10.10.1 (lower security level)

Dst (inside): 172.16.1.1 (higher security level, shared vlan interface)

With config:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

no nat-control

***

I'm aware that the command below would be necessary should the inside (shared) interface initiate traffic, but is it necessary to add a static statement, as below, to allow the classification logic to determine that the destination IP address in the return packet is behind the context I wish the packet to be sent to, when the lower security level initiates traffic?

static (outside,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

In summary, my question is: what logic does the classifier use to handle return packets from a higher security level (shared) interface to a lower security level interface, with the config as defined above?

I look forward to hearing from you.

Many thanks,

Charlie

2 Accepted Solutions

Accepted Solutions

mmandeka
Cisco Employee

Hi Charlie,

So if I understand right, you have multiple contexts configured on the FWSM. The VLAN on the higher security level is the shared VLAN. The VLANs on the lower security level access the devices in the shared VLAN (higher security level).

In order to achieve this, you will need a destination translation, like the one you have mentioned:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

You don't need a static for the reply traffic. When traffic is initiated from the 'outside', it reaches the FWSM. The FWSM looks for a destination translation and determines that the destination 172.16.1.x is on the inside. The FWSM then creates an xlate entry and sends the packet inside.

When the reply traffic reaches the FWSM, the FWSM finds an existing translation entry and thereby has no problems sending the packets back.

But, if the host on the higher security level (shared VLAN) initiates traffic, you would require a destination translation for the host / network behind the higher security level.

And, we will also need an ACL applied on the outside interface to allow such communication.

Also, just a note: unlike the ASA, the FWSM does not have the MAC address auto-generate feature, so the classifier relies solely on destination translation to determine the egress interface when VLANs are shared.

Hope this answers your query.

Regards,

Manisha Mandekar

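A toy model of the classification rules laid out in the question and in Manisha's answer, added here as a constructed example (not Cisco code and not the FWSM's implementation; the context names ctxA/ctxB, the VLAN ids 10/20/100 and the 172.16.2.0/24 network are assumptions, while the addresses and static statements are the thread's). It shows why the outside-initiated flow and its reply classify without the second static, and why a flow started from the shared inside VLAN is dropped until the static (outside,inside) exists.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Context:
    name: str
    vlan_if: dict                             # vlan id -> interface name inside this context
    statics: list                             # (real_if, mapped_if, mapped_net) from 'static (real,mapped) ...'
    xlates: set = field(default_factory=set)  # (src, dst) of flows this context has already passed

class FWSM:
    def __init__(self, contexts, shared_vlans):
        self.contexts, self.shared = contexts, shared_vlans

    def classify(self, vlan, src, dst):
        """Return the owning context name, or None when the classifier has to drop the packet."""
        if vlan not in self.shared:                      # unique VLAN: the interface alone decides
            return next((c.name for c in self.contexts if vlan in c.vlan_if), None)
        for c in self.contexts:                          # shared VLAN, step 1: reply of a known flow
            if vlan in c.vlan_if and (dst, src) in c.xlates:
                return c.name
        for c in self.contexts:                          # shared VLAN, step 2: destination translation
            for _real_if, mapped_if, net in c.statics:
                if c.vlan_if.get(vlan) == mapped_if and ip_address(dst) in ip_network(net):
                    return c.name
        return None                                      # no MAC auto-generation on the FWSM: dropped

    def forward(self, vlan, src, dst):
        """Classify one packet and, if a context owns it, remember the flow so its reply classifies."""
        name = self.classify(vlan, src, dst)
        if name is not None:
            next(c for c in self.contexts if c.name == name).xlates.add((src, dst))
        return name

def demo(inside_static=False):
    """Replay the thread's scenario; returns the context chosen for each of three packets."""
    statics = [("inside", "outside", "172.16.1.0/24")]         # static (inside,outside) 172.16.1.0 ...
    if inside_static:
        statics.append(("outside", "inside", "10.10.10.0/24"))  # static (outside,inside) 10.10.10.0 ...
    ctx_a = Context("ctxA", {10: "outside", 100: "inside"}, statics)          # assumed context/VLANs
    ctx_b = Context("ctxB", {20: "outside", 100: "inside"}, [("inside", "outside", "172.16.2.0/24")])
    fw = FWSM([ctx_a, ctx_b], shared_vlans={100})              # VLAN 100 is the shared inside
    outside_init = fw.forward(10, "10.10.10.1", "172.16.1.1")   # arrives on ctxA's unique outside VLAN
    reply = fw.forward(100, "172.16.1.1", "10.10.10.1")         # reply arrives on the shared VLAN
    inside_init = fw.forward(100, "172.16.1.5", "10.10.10.9")   # new flow started from the shared VLAN
    return outside_init, reply, inside_init
```

`demo(False)` yields `('ctxA', 'ctxA', None)` and `demo(True)` yields `('ctxA', 'ctxA', 'ctxA')`: only the flow initiated on the shared VLAN depends on the extra static.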

Sharing the inside interface is not a good idea. You need to provide translation for all the outside hosts; especially if this is internet facing, you will run out of xlates.

Sharing the outside interface is what people do normally. In this case you need to provide translation for all the inside hosts.

Read about classifier here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/contxt_f.html#wp1124172

-KS

