FWSM Incoming Traffic on inside Interface

Ian Beck


I have a FWSM running on a 6509 with MSFC in context mode.

If I configure up a full SVI routed environment on the MSFC to send packets to the FWSM it all works fine.

However, if I just have a VLAN to which my incoming traffic comes via a port on the switch, routed from an attached router device connected to the switch port in the same VLAN and directing traffic to the FWSM, I see no traffic crossing the interface. I can ping from the router on the port to the FWSM IP address and the other way.

I have the Admin context working fine on the same VLAN!

Any ideas what I have missed?

2 Accepted Solutions

Jon Marshall
VIP Community Legend

I haven't worked with 4.x code, so Kusankar can perhaps confirm, but if you have a shared interface you used to have to use NAT rules, otherwise the classifier does not know which context to send the traffic to?


YES!! My very first posting asked if you are sharing a VLAN.

Anyway, yes, with interfaces that you share you need to provide translation.

Can you use another vlan for management and allocate that to the admin context?


Do this.

1. Allocate another VLAN to the admin context. This doesn't even have to exist in the switch's VLAN database.

2. Now configure this as another interface in the admin context.

3. Configure NAT in the admin context as well, between these two interfaces, from high to low.

So, classifier can work properly and not get confused as to which context to send the packets that it receives.

You can read about classifier here:

Rate the posts that were useful to you and that solved the issue. Pls. make sure to mark the issue resolved if you think it is.
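
A simplified model of the classifier behaviour the two accepted answers describe, added here as an illustration; it is not code from any poster or from Cisco. It assumes that on a shared VLAN the classifier can match a destination only against a context's own interface IP or its NAT-translated addresses; the context names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

def classify(contexts, ingress_vlan, dst):
    """Return the context that receives a packet, or None if it is dropped."""
    dst = ip_address(dst)
    owners = [n for n, c in contexts.items() if ingress_vlan in c["interfaces"]]
    if len(owners) == 1:
        return owners[0]                      # unique VLAN: no lookup needed
    for name in owners:                       # traffic to the firewall itself
        if dst == ip_address(contexts[name]["interfaces"][ingress_vlan]):
            return name
    # Shared VLAN, through traffic: only NAT-translated addresses identify a context.
    hits = [n for n in owners
            if any(dst in ip_network(net) for net in contexts[n]["translated"])]
    return hits[0] if len(hits) == 1 else None

def sample_contexts(with_nat):
    """Constructed sample: VLAN 10 shared by two contexts (hypothetical names/IPs)."""
    return {
        "admin": {"interfaces": {10: "192.0.2.1"}, "translated": []},
        "custA": {"interfaces": {10: "192.0.2.2", 20: "10.1.1.1"},
                  "translated": ["198.51.100.0/24"] if with_nat else []},
    }

if __name__ == "__main__":
    for with_nat in (False, True):
        ctx = sample_contexts(with_nat)
        print("NAT configured:", with_nat)
        print("  ping to 192.0.2.2        ->", classify(ctx, 10, "192.0.2.2"))
        print("  through to 198.51.100.10 ->", classify(ctx, 10, "198.51.100.10"))
```

Without a translation the ping to the interface address is still classified while through traffic on the shared VLAN matches no context, which is the symptom in the original question.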


25 Replies

Kureli Sankar
Cisco Employee


I am not sure if I follow you. Would you be able to add a simple text based topology?

You are sharing a vlan between two contexts?



As KS had said, a text-based topology would be great.  My guess based strictly on your problem description is that you are likely hitting an asymmetric route situation.

In a routed network, the next Layer-3 device will make the next route decision. If you have a complete SVI network configured on your switch, and you use these SVIs as the Default Gateway for the upstream routers/hosts, the Switch will make the next route decision. You can ping the local (i.e. same subnet) IP addresses as local subnet traffic is managed via ARP Requests/Responses.

However, if traffic resides outside of the local subnet, the traffic is sent to the Default Gateway - the Default Gateway will make the next routing decision.  Since it is a fully-meshed SVI network on the Switch, it will likely have an entry in its routing table for the destination IP address that does NOT involve going through the FWSM.

If you want traffic to go through the FWSM, the key takeaway would be to use the FWSM's IP address as the next hop gateway for all of your upstream Layer-3 devices.  The other approach - leveraging a number of different SVIs on the Switch - often requires a significant effort to "work around" the FWSM.  This can be done, but it would require either route-maps and/or VRFs.

If this addresses your questions, please mark this question as answered for the benefit of others.

Best Regards,


Magnus Mortensen
Cisco Employee


There are two ways to firewall traffic with an FWSM:

1) FWSM in routed mode:

You must route the traffic to the IP addresses of the FWSM as though it was any other layer-3 hop in your network. This involves static routes or some routing protocol and results in traffic being routed to one interface of the FWSM and then the FWSM routes the traffic out another interface on the path to the destination.

2) FWSM in transparent mode:

For this to work you must break up a layer-3 segment into two VLANs and assign one to either side of the FWSM. This does not involve 'routing' the traffic to the FWSM with static routes or a routing protocol. The traffic passes through the FWSM as though the FWSM was a 'bump in the wire'.

What method are you intending for this to work, and how is it currently configured? Is the FWSM (context) transparent or routed?

- Magnus