Thursday, January 20, 2011

DMVPN through firewalls in virtual multi-context mode

When you have an ASA running in multi-context mode, you have to pay extra attention to the flow classifier.

Consider:

ccie-asa1/india# packet-tracer input out icmp 192.168.70.1 8 0 10.7.1.2
Result:
input-interface: out
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

Let's work backwards. Here, we are dealing with an external network, 192.168.70.0/24, trying to reach an internal network, 10.7.1.0/24, in a "no nat-control" setup. The multi-context ASA here has multiple contexts sharing a single outside interface (common in SP and hosting environments).

Here is the challenge:
When a packet arrives on the shared outside interface destined for an address inside one of the contexts, how does the firewall know which context to forward it to? Without unique MAC addresses per context, the layer 2 destination address gives no clue, so the firewall relies on the NAT configuration to determine the context.

For example:
In the "ccie-asa1/india" context
static (inside,out) 10.7.1.1 10.7.1.1 netmask 255.255.255.255

Now the classifier has information to act on, and the packet is sent to the "india" context.

This behavior is critical to grasp when configuring DMVPN through the firewall. Here, we need to allow IP/47 (GRE) traffic to the 10.7.1.1 address, or IP/50 (ESP), or IP/51 (AH). You can be very specific and allow just the protocol you are actually using. Don't forget udp/500 for IKE and, if necessary, udp/4500 for NAT traversal.
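Putting the two pieces together, here is what the "india" context would need so that the classifier can place inbound tunnel traffic and the access list then admits only the tunnel protocols. This is an added example, not configuration from the original post: it reuses the post's interface name "out", the identity static for 10.7.1.1 and the pre-8.3 `static` syntax the post uses; the access-list name OUTSIDE_IN is an assumption, and the AH/ESP lines are only needed if your DMVPN tunnels actually use those protocols.

```text
! --- Classifier: give the outside classifier a mapped address for the
!     DMVPN hub, so packets to 10.7.1.1 are assigned to this context.
static (inside,out) 10.7.1.1 10.7.1.1 netmask 255.255.255.255

! --- Policy: admit only what DMVPN needs, from any spoke, to the hub.
!     ACL name OUTSIDE_IN is an assumption made for this example.
access-list OUTSIDE_IN extended permit gre any host 10.7.1.1
access-list OUTSIDE_IN extended permit udp any host 10.7.1.1 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 10.7.1.1 eq 4500
! Keep only the IPsec protocol your tunnel protection profile uses.
access-list OUTSIDE_IN extended permit esp any host 10.7.1.1
access-list OUTSIDE_IN extended permit ah any host 10.7.1.1

access-group OUTSIDE_IN in interface out

! --- Verify: re-run packet-tracer for IKE from a spoke address; the
!     (ifc-classify) drop from above should be gone.
! packet-tracer input out udp 192.168.70.1 500 10.7.1.1 500
```

Without the `static`, every line in the access list is irrelevant: the packet is dropped at classification before any ACL is consulted, which is exactly what the packet-tracer output above shows. Keeping the permit lines narrowed to the hub address and the specific tunnel protocols means the identity NAT exposes only that one address, and only for the traffic the tunnel requires.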
