[c-nsp] Unusual FWSM behaviour.. Need help.. :(
overkillxx at gmail.com
Mon Nov 5 07:12:58 EST 2007
Hi Guys,
I just did a configuration change on a FWSM context firewall instance & had
something peculiar happen..
Here is the config to get things started:
nat (XV-Wan) 0 0.0.0.0 0.0.0.0
nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
nat (CMS-Server) 0 0.0.0.0 0.0.0.0
nat (HP-CCS-CSM_mXVt) 0 0.0.0.0 0.0.0.0
nat (DMZ-XV_client_VIP) 0 0.0.0.0 0.0.0.0
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
nameif vlan1300 XV-Wan security50
nameif vlan1116 XV-Tran-Net security90
nameif vlan1151 CMS-Server security60
nameif vlan3000 HP-CCS-CSM_mXVt security60
nameif vlan3301 DMZ-XV_client_VIP security60
Looking at the config (correct me if I am wrong) the following stick out:
- The statement "nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0" is not needed because
the interface XV-Tran-Net has the highest security level
- The statements:
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
are doing the same as the statements:
nat (XV-Wan) 0 0.0.0.0 0.0.0.0
nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
Moving forward I removed the following statements:
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
Straight away packets from outside to inside (coming in from XV-Wan to
XV-Tran-Net) started to be denied. Realizing this I immediately reapplied
the statements.
I believe these statements were needed due to the fact that the context was
using shared interfaces with another context. However, prior to attempting
to remove the above statements I removed the applicable vlans associated
in the other contexts by removing "allocate-interface" associations in the
system space:
Similar to the following:
context ECC-FC-5
no allocate-interface vlanXXXX
Can somebody explain this behaviour? I have never come across this before &
would really appreciate the input..
Regards,
Brad
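One way to predict the effect of a change like the one above before applying it is to model which identity-translation rules permit connections to be initiated between each pair of interfaces, then diff that matrix with and without the lines to be removed. The script below is an added example, not code from the post or from Cisco. It parses the config quoted in the post (embedded as a constructed sample) and encodes the rule semantics as explicit assumptions: nat-control is in effect, "nat (X) 0" covers only connections initiated from X toward lower-security interfaces, and an identity "static" naming a pair of interfaces covers initiation in either direction between them. Function names and the CONFIG/REMOVED constants are the example's own.

```python
"""Model which FWSM identity-NAT rules let connections be initiated between
interfaces, and report what deleting given lines would take away.
Added example; the rule semantics below are modelling assumptions."""
import re

# Constructed sample: the nameif/nat/static lines quoted in the post.
CONFIG = """
nameif vlan1300 XV-Wan security50
nameif vlan1116 XV-Tran-Net security90
nameif vlan1151 CMS-Server security60
nameif vlan3000 HP-CCS-CSM_mXVt security60
nameif vlan3301 DMZ-XV_client_VIP security60
nat (XV-Wan) 0 0.0.0.0 0.0.0.0
nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
nat (CMS-Server) 0 0.0.0.0 0.0.0.0
nat (HP-CCS-CSM_mXVt) 0 0.0.0.0 0.0.0.0
nat (DMZ-XV_client_VIP) 0 0.0.0.0 0.0.0.0
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+0\.0\.0\.0\s+0\.0\.0\.0$")
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+netmask\s+0\.0\.0\.0$")


def parse_config(text):
    """Return (security levels, interfaces with identity nat 0, identity static pairs)."""
    levels, nat0, statics = {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := STATIC_RE.match(line):
            # Stored unordered: the model treats an identity static as
            # covering both directions between the two interfaces.
            statics.add(frozenset(m.groups()))
    return levels, nat0, statics


def permitting_rule(cfg, src, dst):
    """Name the rule (if any) that lets a connection be initiated from src
    toward dst under the model's assumptions (nat-control on; nat 0 is
    outbound-initiated only; identity static is bidirectional).
    Same-security pairs are outside the model and return None."""
    levels, nat0, statics = cfg
    if levels[src] == levels[dst]:
        return None
    if frozenset((src, dst)) in statics:
        return f"static between {src} and {dst}"
    if levels[src] > levels[dst] and src in nat0:
        return f"nat ({src}) 0"
    return None


def initiation_matrix(cfg):
    """Permitting rule for every ordered pair of distinct interfaces."""
    levels = cfg[0]
    return {(s, d): permitting_rule(cfg, s, d)
            for s in levels for d in levels if s != d}


def removal_impact(config_text, lines_to_remove):
    """Directed interface pairs that can initiate connections now but could
    not after the given lines are deleted from the config."""
    before = initiation_matrix(parse_config(config_text))
    drop = {x.strip() for x in lines_to_remove}
    kept = [l for l in config_text.splitlines() if l.strip() not in drop]
    after = initiation_matrix(parse_config("\n".join(kept)))
    return sorted(p for p, rule in before.items() if rule and not after[p])


# The two lines the post says were removed and then reapplied.
REMOVED = [
    "static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0",
    "static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0",
]

if __name__ == "__main__":
    for src, dst in removal_impact(CONFIG, REMOVED):
        print(f"would lose initiation: {src} -> {dst}")
```

Run as-is, the script reports exactly one lost direction, XV-Wan -> XV-Tran-Net: after the statics go, the only remaining rule for that pair is "nat (XV-Tran-Net) 0", which under the model covers connections initiated from the high-security side only. Whether that matches the FWSM's real behaviour depends on the assumptions named in the docstrings; the value of the check is that it makes those assumptions explicit and reviewable before a production change.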