[c-nsp] Unusual FWSM behaviour.. Need advice.

overkillxx at gmail.com overkillxx at gmail.com
Mon Nov 5 07:33:35 EST 2007


:
>
> Hi Guys,
>
> I just did a configuration change on a FWSM context firewall instance & had
> something peculiar happen..
>
> Here is the config to get things started:
>
>
>
> nat (XV-Wan) 0 0.0.0.0 0.0.0.0
> nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
> nat (CMS-Server) 0 0.0.0.0 0.0.0.0
> nat (HP-CCS-CSM_mXVt) 0 0.0.0.0 0.0.0.0
> nat (DMZ-XV_client_VIP) 0 0.0.0.0 0.0.0.0
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
>
> nameif vlan1300 XV-Wan security50
> nameif vlan1116 XV-Tran-Net security90
> nameif vlan1151 CMS-Server security60
> nameif vlan3000 HP-CCS-CSM_mXVt security60
> nameif vlan3301 DMZ-XV_client_VIP security60
>
> Looking at the config (correct me if I am wrong) the following stick out:
>
> - The statement "nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0" is not needed because
> the interface XV-Tran-Net has the highest security level
>
> - The statements:
>
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
>
> are doing the same as the statements:
>
> nat (XV-Wan) 0 0.0.0.0 0.0.0.0
> nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
>
> Moving forward I removed the following statements:
>
> static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
> static (XV-Wan,XV-Tran-Net) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
>
> Straight away packets from outside to inside (coming in from XV-Wan to
> XV-Tran-Net) started to be denied. Realizing this I immediately reapplied
> the statements.
> I believe these statements were needed due to the fact that the context
> was using shared interfaces with another context. However, prior to
> attempting to remove the above statements I removed the applicable vlans
> associated in the other contexts by removing "allocate-interface"
> associations in the system space, similar to the following:
>
> context ECC-FC-5
>   no allocate-interface vlanXXXX
>
> Can somebody explain this behaviour? I have never come across this before &
> would really appreciate the input..
>
>
> Regards,
>
> Brad
>
>
>
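An added example, not from the post or anyone in the thread: a small Python lint over the quoted nameif/nat/static lines (a three-interface subset of them, embedded as constructed sample input). It encodes the classic PIX/FWSM nat-control rule as an assumption, not something the post confirms: an identity `nat 0` only covers connections initiated from that interface, while a lower-to-higher-security path needs a `static` whose real side is the higher-security interface, so it reports which interface pairs lose their translation when the two statics are removed.

```python
import re
from itertools import permutations

# Constructed sample: a subset of the nameif/nat/static lines quoted in the post.
CONFIG = """
nameif vlan1300 XV-Wan security50
nameif vlan1116 XV-Tran-Net security90
nameif vlan1151 CMS-Server security60
nat (XV-Wan) 0 0.0.0.0 0.0.0.0
nat (XV-Tran-Net) 0 0.0.0.0 0.0.0.0
nat (CMS-Server) 0 0.0.0.0 0.0.0.0
static (XV-Tran-Net,XV-Wan) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT0 = re.compile(r"^nat\s+\((\S+)\)\s+0\s+0\.0\.0\.0\s+0\.0\.0\.0$")
STATIC = re.compile(r"^static\s+\((\S+),(\S+)\)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+netmask\s+0\.0\.0\.0$")

def parse(config):
    """Collect security levels, interfaces with identity nat 0, and (real,mapped) statics."""
    levels, nat0, statics = {}, set(), set()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT0.match(line):
            nat0.add(m.group(1))
        elif m := STATIC.match(line):
            statics.add((m.group(1), m.group(2)))
    return levels, nat0, statics

def uncovered_paths(config):
    """(src, dst) pairs with no translation under the assumed nat-control rule:
    higher->lower is covered by `nat (src) 0` or static (src,dst);
    lower->higher is covered only by static (dst,src), since nat 0 is outbound-only.
    Same-security pairs are skipped (they need same-security-traffic permit anyway)."""
    levels, nat0, statics = parse(config)
    missing = []
    for src, dst in permutations(levels, 2):
        if levels[src] > levels[dst]:
            covered = src in nat0 or (src, dst) in statics
        elif levels[src] < levels[dst]:
            covered = (dst, src) in statics
        else:
            continue
        if not covered:
            missing.append((src, dst))
    return sorted(missing)

def without(config, prefix):
    """Drop every line starting with `prefix`, simulating the removal described in the post."""
    return "\n".join(l for l in config.splitlines() if not l.strip().startswith(prefix))
```

Running `uncovered_paths(without(CONFIG, "static"))` adds the XV-Wan to XV-Tran-Net path to the list of untranslated pairs, which is the inbound direction the post reports as denied.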
