Problems Connecting Multiple FWSM Contexts Via a shared Vlan

iwearing
Level 1

Hi,

We have a customer who is migrating all firewalls onto an FWSM. There is a requirement to daisy chain some of the FW contexts. The outside of one context, Context_A, connects to the inside of another context, Context_B, via a shared VLAN 200. Please note that the only interfaces on the shared VLAN are the Context_A outside VLAN and the Context_B inside VLAN. It is not possible to pass traffic through both firewalls when the contexts are connected via the shared VLAN 200. However, if Context_A is removed from VLAN 200, Context_B will pass traffic sourced from VLAN 200. I can confirm that static routing on the firewall contexts is correct.

Any ideas would be appreciated.

5 Replies

didyap
Level 6

You cannot initiate connections from a shared interface when you use NAT exemption for the destination address. The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/context.htm#wp1036615

nisse
Level 1

Hi,

If you need to daisy-chain, this topology should work (at least according to the test I have done):

Context_A outside interface (security level 0) connects to Context_B outside interface (security level 0) instead. This way you can create static entries in both directions to allow traffic. Static commands are a requirement with shared VLANs.

Hi Nisse,

On the topology that you are describing, will static NAT of an entire network work, or is it required to do static NAT host by host?

I'm reading the configuration guide and I can't well understand it.

Thank you very much

Juan.

Finally I tried it on our lab.

It works fine, but we need a static entry for every network.

I attach a topology diagram and the configs of the context.

Hope this helps anyone who needs info about this topic.

The config of the system is:

*********
:
PIX Version 7.0(1)
!
interface Ethernet0
!
interface Ethernet0.1
 shutdown
 no vlan
!
interface Ethernet0.10
 vlan 10
!
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
 shutdown
!
enable password xxx
hostname pixfirewall
ftp mode passive
pager lines 24
no failover
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
  allocate-interface Ethernet0.10 outside visible
  allocate-interface Ethernet1 inside visible
  config-url flash:/admin.cfg
!
context cpd
  allocate-interface Ethernet0.10 outside visible
  allocate-interface Ethernet2 inside visible
  config-url flash:/cpd.cfg
!
Cryptochecksum:xxx
: end
*********
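As an added illustration (a simplified model written for this thread, not Cisco code and not Juan's lab config) of the classifier behaviour didyap described and the one-static-per-network result Juan found in the lab: it models two contexts sharing a VLAN and shows why a destination covered only by NAT exemption cannot be classified, while a static whose global interface is the shared VLAN can. Context names, VLAN numbers and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Static:
    # One `static (real_if,global_if) global real` statement, reduced to the
    # fields the classifier cares about (constructed model, not FWSM code).
    real_if: str       # interface the real address lives on
    global_if: str     # interface the global address is reachable on
    global_net: str    # global address or network, CIDR form


@dataclass
class Context:
    name: str
    interfaces: dict                                  # logical name -> VLAN id
    statics: list = field(default_factory=list)
    nat_exempt: list = field(default_factory=list)    # `nat 0 access-list` nets


def classify(contexts, vlan, dst):
    """Return the context that receives a packet entering `vlan` bound for `dst`.
    A VLAN allocated to one context needs no lookup. On a shared VLAN only
    `static` entries whose global interface is that VLAN are consulted; `nat 0`
    names no global interface, so a destination matched only by NAT exemption
    is unclassifiable and the function returns None."""
    candidates = [c for c in contexts if vlan in c.interfaces.values()]
    if len(candidates) == 1:
        return candidates[0]
    addr = ip_address(dst)
    for ctx in candidates:
        shared = {name for name, v in ctx.interfaces.items() if v == vlan}
        for s in ctx.statics:
            if s.global_if in shared and addr in ip_network(s.global_net):
                return ctx
    return None


# Constructed topology from the thread: Context_A outside and Context_B inside
# share VLAN 200; 10.3.0.0/16 lives behind Context_B's outside interface.
ctx_a = Context("context_A", {"inside": 100, "outside": 200},
                statics=[Static("inside", "outside", "10.1.0.0/16")])
ctx_b = Context("context_B", {"inside": 200, "outside": 300},
                nat_exempt=["10.3.0.0/16"])

if __name__ == "__main__":
    print(classify([ctx_a, ctx_b], 200, "10.3.1.5"))        # None: exemption only
    print(classify([ctx_b], 200, "10.3.1.5").name)          # context_B: VLAN not shared
    ctx_b.statics.append(Static("outside", "inside", "10.3.0.0/16"))
    print(classify([ctx_a, ctx_b], 200, "10.3.1.5").name)   # context_B: static wins
```

The second print reproduces the original poster's observation that Context_B passes traffic once Context_A is taken off VLAN 200, and the third reproduces Juan's finding that a static per destination network restores the daisy chain.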

This is great info. Thanks for testing it out. I was looking for an answer to this too.

Would it be possible for you to try the same config, but daisy chaining admin_context outside to cpd_context inside? If this works, it'll solve my DMZ problem using 2 contexts.