Ubaid,

The packet-tracer also fails with NAT when going from the LOCAL address to a global address. But if you use the packet-tracer in multi-context sourcing from an address that actually goes through the classifier, then the output will succeed for the command.

ciscoasa/LEFT(config)# packet-tracer input inside icmp 10.1.1.100 8 0 123.2.0.2

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

ciscoasa/LEFT(config)# sh xlate
1 in use, 3 most used
Global 123.2.0.100 Local 10.1.1.100

ciscoasa/LEFT(config)# packet-tracer input outside icmp 123.2.0.2 8 0 123.2.0.100

Phase: 1
Type: VIRTUAL-FW-CLASSIFY
Subtype:
Result: ALLOW
Config:
Additional Information:
Destination 123.2.0.100 Mask 255.255.255.255 Context LEFT Interface Outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) 123.2.0.100 10.1.1.100 netmask 255.255.255.255
  match ip Inside host 10.1.1.100 Outside any
    static translation to 123.2.0.100
    translate_hits = 0, untranslate_hits = 25
Additional Information:
NAT divert to egress interface Inside
Untranslate 123.2.0.100/0 to 10.1.1.100/0 using netmask 255.255.255.255

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface Outside
access-list OUTSIDE_IN extended permit icmp any 123.2.0.0 255.255.0.0 echo
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Outside) 1 123.0.0.0 255.0.0.0
  match ip Outside 123.0.0.0 255.0.0.0 Outside any
    dynamic translation to pool 1 (123.2.0.15)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside) 123.2.0.100 10.1.1.100 netmask 255.255.255.255
  match ip Inside host 10.1.1.100 Outside any
    static translation to 123.2.0.100
    translate_hits = 0, untranslate_hits = 25
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside) 123.2.0.100 10.1.1.100 netmask 255.255.255.255
  match ip Inside host 10.1.1.100 Outside any
    static translation to 123.2.0.100
    translate_hits = 0, untranslate_hits = 25
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19645, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

ciscoasa/LEFT(config)#
ciscoasa/LEFT(config)# packet-tracer input inside icmp 123.2.0.100 8 0 123.2.0$

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: Ubaid Iftikhar (AU) [mailto:mag...@bigpond.net.au]
Sent: Sunday, January 03, 2010 11:56 PM
To: 'Tyson Scott'
Subject: RE: Packet-Tracer doesn't work properly in multi-context

Ta

Ubaid

-----Original Message-----
From: Tyson Scott [mailto:tsc...@ipexpert.com]
Sent: Saturday, 2 January 2010 1:25 PM
To: 'Ubaid Iftikhar (AU)'; 'T.J. Mitchell'
Subject: RE: Packet-Tracer doesn't work properly in multi-context

Ubaid,

I will test next week with NAT to see if it works. I cannot think for sure whether I have tested packet-tracer for multi-context firewalls, as the typical scenario I use it for is problems with VPNs, which means I am running single-context mode. But I will let you know what I find as well.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: Ubaid Iftikhar (AU) [mailto:mag...@bigpond.net.au]
Sent: Friday, January 01, 2010 7:03 PM
To: 'T.J. Mitchell'
Cc: 'Tyson Scott'
Subject: RE: Packet-Tracer doesn't work properly in multi-context

Hi T.J.,

Thanks for the reply, mate. I don't have a connectivity issue after I do mac-address auto or after assigning a static MAC. The question which is bugging me is why packet-tracer gives the error "Drop-reason: (ifc-classify) Virtual firewall classification failed" even after assigning a static MAC or after doing mac-address auto. In short, the packet-tracer command doesn't work properly in multi-context mode with shared interfaces. In my last lab attempt (10 months back) I wasted an hour on this. I was troubleshooting using a command which doesn't work in multi-context mode. When you do multi-context in your next practice lab, see if packet-tracer works for you.

Regards,
Ubaid

-----Original Message-----
From: T.J. Mitchell [mailto:tj.mitch...@protocolnetworks.com]
Sent: Saturday, 2 January 2010 8:35 AM
To: Ubaid Iftikhar (AU)
Subject: RE: Packet-Tracer doesn't work properly in multi-context

Ubaid -

If you are uploading the same interface to multiple contexts and using the same IP subnet for both (different addresses, but same subnet), then the problem is that the classifier engine on the firewall doesn't know which context to send the traffic to because of the MACs. You need to statically define the MAC addresses in the context, I believe; this will tell the classifier engine which IP address (on the same subnet) is assigned to which MAC and to which context for the same physical interface. That should solve the issue. This works on the ACE blades because the classifier engine is different than the one on the firewall.

Thanks,
TJM

T.J. Mitchell
Senior Network Engineer
Protocol Networks
Create, Connect & Evolve
P 877-676-0146 x715
C 774-262-4760
F 508-936-9584
tj.mitch...@protocolnetworks.com
www.protocolnetworks.com

-----Original Message-----
From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Ubaid Iftikhar (AU)
Sent: Friday, January 01, 2010 11:24 AM
To: 'imran mohammed'
Cc: secur...@groupstudy.com
Subject: RE: Packet-Tracer doesn't work properly in multi-context

Hi Imran,

IP addresses are different, but both are on the same physical subnet. The MAC address plays a part since I was using a shared interface on the outside.

Context A
 int e0/0
  ip add 192.168.0.101 255.255.255.0 standby
  mac-address x standby x

Context B
 int e0/0
  ip add 192.168.0.201 255.255.255.0
  mac-address x standby x

R8
 interface fa0/0
  ip add 192.168.0.8 255.255.255.0

I haven't tested packet-tracer when packet classification is by NAT.

Thanks for the quick response.

Regards,
Ubaid

_____
From: imran mohammed [mailto:imran4ci...@gmail.com]
Sent: Saturday, 2 January 2010 12:55 AM
To: Ubaid Iftikhar (AU)
Cc: secur...@groupstudy.com
Subject: Re: Packet-Tracer doesn't work properly in multi-context

Hi Ubaid,

I am not sure, but if you use the same IP in both the contexts it shouldn't work, and mac-address auto will not play any role here. Do you have a different IP for each context?

Regards
Imran

On Fri, Jan 1, 2010 at 5:57 AM, Ubaid Iftikhar (AU) <mag...@bigpond.net.au> wrote:

Hi All,

Does anyone know why packet-tracer doesn't work properly in multi-context mode when we have a shared interface?

Drop-reason: (ifc-classify) Virtual firewall classification failed

Classification criteria tested with - mac-address auto, mac-address on interface

Happy New Year All :-)

Regards,
Ubaid

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
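Added example (editor's code, not from any post in this thread): a small Python parser for the packet-tracer transcript format shown in Tyson's reply. It splits a run into its numbered phases and the final Result block, so a script can tell an "(ifc-classify)" classifier drop (no phases at all, Action: drop) from a run that was classified into a context and then went through UN-NAT, and pull out what the VIRTUAL-FW-CLASSIFY phase matched on. The two embedded samples are copied from Tyson's output above, trimmed to the lines the parser needs; nothing else is assumed about the ASA.

```python
"""Parse Cisco ASA packet-tracer output into phases and a verdict. Added
example, not code from the thread; samples trimmed from Tyson's output above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Dropped at the classifier: sourced from the LOCAL (pre-NAT) address.
DROP_SAMPLE = """\
ciscoasa/LEFT(config)# packet-tracer input inside icmp 10.1.1.100 8 0 123.2.0.2

Result:
input-interface: Inside
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed
"""

# Allowed: the destination is the static-NAT global address, so the
# classifier can pick context LEFT (only phases 1 and 4 kept here).
ALLOW_SAMPLE = """\
Phase: 1
Type: VIRTUAL-FW-CLASSIFY
Subtype:
Result: ALLOW
Config:
Additional Information:
Destination 123.2.0.100 Mask 255.255.255.255 Context LEFT Interface Outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) 123.2.0.100 10.1.1.100 netmask 255.255.255.255
  match ip Inside host 10.1.1.100 Outside any
    static translation to 123.2.0.100
Additional Information:

Result:
input-interface: Outside
output-interface: Inside
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under Config:
    info: List[str] = field(default_factory=list)    # under Additional Information:

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
SECTIONS = {"Config:": "config", "Additional Information:": "info"}

def parse_packet_tracer(text: str) -> dict:
    """Return {'phases': [Phase, ...], 'result': {field: value}}. A bare
    'Result:' line opens the final verdict; Config:/Additional Information:
    open verbatim subsections inside the current phase."""
    phases, result = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = "header"
        elif line == "Result:":
            section = "result"
        elif section == "result":
            kv = KV_RE.match(line)
            if kv:
                result[kv.group(1)] = kv.group(2)
        elif cur is not None and line in SECTIONS:
            section = SECTIONS[line]
        elif section == "header":
            kv = KV_RE.match(line)
            if kv and kv.group(1) in ("Type", "Subtype", "Result"):
                setattr(cur, kv.group(1).lower(), kv.group(2))
        elif section == "config":
            cur.config.append(raw.rstrip())  # keep the ASA's indentation
        elif section == "info":
            cur.info.append(raw.rstrip())
        # anything else (prompt, command echo) before the first phase is skipped
    return {"phases": phases, "result": result}

def classification_failed(trace: dict) -> bool:
    """True when the packet died in the virtual-firewall classifier."""
    r = trace["result"]
    return r.get("Action") == "drop" and "(ifc-classify)" in r.get("Drop-reason", "")

def classifier_match(trace: dict) -> Optional[str]:
    """What VIRTUAL-FW-CLASSIFY matched on, or None if it never ran."""
    for p in trace["phases"]:
        if p.type == "VIRTUAL-FW-CLASSIFY":
            return " ".join(p.info)
    return None
```

Feed it the raw text of a packet-tracer run. classification_failed() is true for the two drops in the thread (the classifier never produces a phase, the Result block is all there is), and classifier_match() returns the "Destination 123.2.0.100 ... Context LEFT Interface Outside" line for the run that was sourced from the global address and succeeded.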