04-12-2011 03:05 AM - edited 03-11-2019 01:19 PM
I have a Cisco 6500 running FWSM version 3.1(10)
Have multiple contexts
ACLs are configured on 2 contexts to allow single hosts to communicate over TCP 7780 (HTTP)
No communication, denies or hits on the ACLs
Resetting the VLAN on the source context temporarily fixes the problem (5 mins max)
Any ideas?
04-12-2011 04:42 AM
Do you have a relevant static NAT command for the hosts? When the FWSM is in multiple context mode, traffic is sent to a context depending on 3 criteria: unique interface, unique MAC address or unique NAT translation. If your interfaces are being shared, then a unique translation is needed for the traffic to be forwarded to the correct context.
P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.
04-12-2011 04:45 AM
Would this be the case if I were not running NAT control and both contexts are at the same security level?
I never saw this issue until a reload of the Cisco 6500 last week.
04-12-2011 06:28 AM
If everything was working fine before the reload, then maybe some configuration was not saved before it reloaded. Was all that configuration saved before the reload? What are the syslogs you see on the FWSM now, when you try to send the traffic through it?
04-12-2011 06:33 AM
Yes, as 100% as I can be, the configs are the same. We also get no output in syslogs, no connections built. The static NAT on the source context is
(outside,inside) x.x.79.x x.x.79.x 255.255.255.248 - so it is for the whole subnet - the incoming context does not have the static NAT applied
04-12-2011 07:00 AM
Did you take captures on the outside interface? Do you see packets coming into the firewall? Can you put in a specific static NAT command for the destination IP address and test?
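As an added illustration of the classifier rule described in the earlier reply (shared interface, so a unique translation decides which context gets the packet) and of the host-specific static suggested here, the following is example configuration written for this page, not from the original posters. The context name ctxB, the interface names, the ACL names and the 192.0.2.x / 198.51.100.x addresses are assumptions; substitute the real destination host and source host.

```cisco
! Added example, not from the thread. Hypothetical names and addresses.
! FWSM 3.x, multiple context mode, "outside" VLAN shared between two contexts.
! The source context already carries a subnet-wide static; the destination
! context needs its own static for the destination host so that the
! classifier can map the inbound SYN (dst 192.0.2.10) to this context.

changeto context ctxB
configure terminal

! Identity static: no address change, but it registers 192.0.2.10 with the
! classifier for the shared outside interface. A host mask keeps the entry
! specific to this one server rather than the whole subnet.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255

! Permit the application port from the single source host only.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.10 eq 7780
access-group OUTSIDE_IN in interface outside

! Capture limited to the flow under test, so the buffer shows only this pair.
access-list CAP extended permit tcp host 198.51.100.5 host 192.0.2.10 eq 7780
access-list CAP extended permit tcp host 192.0.2.10 eq 7780 host 198.51.100.5
capture cap access-list CAP interface outside

end
write memory
```

To verify from inside ctxB after a fresh connection attempt: `show xlate` should list the identity entry for 192.0.2.10, `show conn` should show a TCP connection building (not just a SYN), `show access-list OUTSIDE_IN` should show its hit count incrementing, and `show capture cap` should show the SYN-ACK leaving in addition to the SYN arriving. If the xlate appears but the capture still shows only the inbound SYN, look at the inside path (routing or the server) rather than the classifier. Running without `nat-control` does not remove the need for the static: the classifier consults static and global entries for shared-interface traffic independently of whether NAT is enforced.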
04-12-2011 07:40 AM
A capture on the outside interface (source context) shows a SYN being sent but nothing else. Also no hits on the ACL (outside), so I do not think it is even getting to the destination context (inside).
04-12-2011 09:09 AM
That is because after the FWSM receives the SYN packet from the sender on the outside, it does not know which context to send it to. Put in the following and test if it works.