Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
0
Helpful
7
Replies

FWSM Communication Issue

DSPVGAdmin
Level 1
Level 1

‎04-12-2011 03:05 AM - edited ‎03-11-2019 01:19 PM

I have a Cisco 6500 running FWSM version 3.1(10)

Have muliple contexts

ACL's are configured on 2 contexts to allow single hosts to communicate over TCP 7780 (HTTP)

No Communication or Denys or Hits on ACL's

Reseting the VLAN on source Context temp fixes the problem (5mins Max)

Any Idea's ?

Thanks

Labels:
0 Helpful
7 Replies 7

Anu M Chacko
Cisco Employee
Cisco Employee

‎04-12-2011 04:42 AM

Hi Simon,

Do you have relevant static NAT command for the hosts? When the FWSM exists in the multiple context mode, the traffic is sent to a context depending on 3 criteria: unique interface, unique MAC address or unique NAT translation. If your interfaces are being shared, then a unique translation is needed for the traffic to be forwarded to the correct context.

Regards,

Anu.

P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.

0 Helpful

DSPVGAdmin
Level 1
Level 1
In response to Anu M Chacko

‎04-12-2011 04:45 AM

Would this be the case if I was not running NAT control and both contexts are the same security level.

I never see this issue until a reload of the Cisco 6500 last week.

Thanks

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to DSPVGAdmin

‎04-12-2011 06:28 AM

Hi Simon,

If everything was working fine before the reload, then maybe some configuration was not saved before it reloaded. Was all that  configuration saved before the reload? What are the syslogs you see on  the FWSM now, when you try to send the traffic through it?

Regards,

Anu.

0 Helpful

DSPVGAdmin
Level 1
Level 1
In response to Anu M Chacko

‎04-12-2011 06:33 AM

Anu,

Yes as 100% I can be the config are the same, we are also get no output in syslogs, no connections built. The statis nat on the source context is

(outsdie,inside) x.x.79.x  x.x.79.x 255.255.255.248 - so it is for the whole subnet - the incoming context does not have the statis nat applied

Simon

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to DSPVGAdmin

‎04-12-2011 07:00 AM

Simon,

Did you take captures on the outside interface? Do you see packets coming into the firewall? Can you put in a specific static NAT command for the destination IP address and test?

Thanks,

Anu.

0 Helpful

DSPVGAdmin
Level 1
Level 1
In response to Anu M Chacko

‎04-12-2011 07:40 AM

A Capture on the outside interface (Source Context) shows a SYN being sent but nothing else. Also no hits on the ACL (Outside) so I do not think it is even getting to the Destination Context (inside)

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to DSPVGAdmin

‎04-12-2011 09:09 AM

Simon,

That is because after the FWSM receives the SYN packet from the sender on the outside, it does not know to which context it has to send it to. Put in the following and test if it works.

static(inside,outside)

Thanks,

Anu.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card