FWSM. Sharing interfaces between contexts.

andrea.meconi
Level 2

I’m going to configure (on paper) an FWSM with two contexts sharing inside and outside interfaces.

I’m using one context only for admin purpose (access to the system space) and other to pass traffic.

Admin and production contexts are sharing the inside and outside vlans (see attached diagram): from admin context, I need to reach some servers over vlan 940, like AAA.

I do not need to use NAT.

Now I’m reading the configuration guide about packet classification. Because the classifier relies on active NAT sessions, and for management traffic destined for an interface the interface IP address is used for classification, I believe I need to perform NAT with some static entries on the production context.

Is it wrong?

Regards.

Andrea

4 Replies

Kureli Sankar
Cisco Employee

Yes, you need to add either global or static NAT so the classifier will properly classify the flow.

If you share the outside interface, you need to provide translation for all the inside networks.

If you share the inside interface (this is bad if it is an internet-facing context), you need to provide translation for all the outside hosts/networks.

Even though our config guide below shows exactly what you are trying to do, it is not a good idea to do this. Troubleshooting may become a big problem.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124236

-KS
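As an added illustration of the translation requirement described in this reply (a constructed configuration, not from the original post or from Cisco's guide): VLAN 940 is the inside VLAN from the thread; VLAN 950, the addresses 10.10.0.0/16 and 192.0.2.0/24, and the context names are assumptions.

```cisco
! --- System execution space (constructed example) ---
! Both contexts are given the same two VLANs, so inside and outside are shared.
mode multiple
admin-context admin
context admin
  allocate-interface Vlan940
  allocate-interface Vlan950
  config-url disk:/admin.cfg
context prod
  allocate-interface Vlan940
  allocate-interface Vlan950
  config-url disk:/prod.cfg
!
! --- Admin context (constructed) ---
! Management traffic addressed to these interface IPs is classified by the
! interface address itself, so no NAT is needed for the admin context.
interface Vlan940
  nameif inside
  security-level 100
  ip address 10.10.0.3 255.255.0.0
interface Vlan950
  nameif outside
  security-level 0
  ip address 192.0.2.3 255.255.255.0
!
! --- Production context (constructed) ---
! No address rewriting is wanted, so identity statics are used purely to give
! the classifier a translation that attributes transit flows to this context.
interface Vlan940
  nameif inside
  security-level 100
  ip address 10.10.0.2 255.255.0.0
interface Vlan950
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
! Shared outside interface: every inside network needs a translation.
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
! Shared inside interface: the outside hosts/networks need a translation too.
static (outside,inside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
```

Without the identity statics, a packet arriving on a shared VLAN has no context-specific translation to match and the classifier cannot decide which context should own it.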

Many thanks for your help.
I understand that my problem is sharing the inside interface although I'm using admin context only for system space management.
So I can evaluate two solutions: go back to single mode or promote the production context to admin context.
Regards.
Andrea

You certainly can. Make sure to save your config. Even if you do not, it will be saved in the disk:

If the admin context is used only for mgmt, then you can allocate only one interface for this context. No need to allocate two. Just a thought.

-KS

Good. But I need to reach some servers on outside from admin.

Perhaps I can use LOCAL authentication, but I'm always sharing inside.

Regards.

Andrea
