Cascading contexts

Apr 30th, 2007

Can anybody give me further information about cascading contexts other than what's on the documentation CD, which is very little? Isn't a cascading context nothing but a shared interface? You're basically sharing context A's outside interface and context B's inside interface, aren't you?

Thank you
haithamnofal Mon, 04/30/2007 - 18:06
Hi,


When cascading contexts, you need to avoid sharing inside interfaces to avoid limitations in the FW classifier. Only the outside interface needs to be shared.

Cascading two contexts via their outside interfaces is possible. You need to NAT the internal network on Context B so that Context A can see it; then a static route must be installed in Context A pointing to B as the next hop, and vice versa.


Hope this is clear.


Regards,

Haitham


ciscors Mon, 04/30/2007 - 18:49
On the DOC CD, the definition of cascading contexts is below, while you seem to be stating that the outside interfaces of the contexts can be shared. I'm confused.

"Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context."



Jon Marshall Mon, 04/30/2007 - 23:21

Hi


You are correct in what you say. A cascading context is having one virtual firewall behind another. So yes, the outside interface of one context will connect to the same shared VLAN as the inside interface of another context.

And this is where the problems begin. As the docs on v3.1 state, suppose you have Context A, which connects to the Internet. Behind that you have Context B. Context A's inside interface is on the same shared VLAN as Context B's outside interface.

If a user on the inside of Context B wants to connect to the Internet, there must be a static translation on Context A for the Internet address.

Otherwise the classifier has no idea which context to send the traffic to. This, as you can imagine, would be fairly limiting if you had to enter every Internet address you wanted to reach as a static translation.

I don't wish to second-guess Haitham, but it sounds like what he is describing is not cascaded contexts but contexts that share a VLAN for their outside interfaces. This is not the same, although you still face issues with the classifier.


Hope this makes sense


Jon

ciscors Wed, 05/02/2007 - 13:42
Jon


I apologize that I didn't previously mention that I'm doing this on ASA appliances and not a FWSM. When you refer to v3.1, I guess you're referring to the FWSM version, and it also seems that contexts are more popular in the FWSM world, as that's what large service providers use.

Jon, is your explanation in the last post valid for appliances too?

Jon Marshall Wed, 05/02/2007 - 20:46

Hi


No need to apologize, I just made the wrong assumption. Yes, version 3.1 is the equivalent of version 7.x for the standalone ASA and PIX devices.

I haven't used the ASA appliances in a cascading scenario, so the answer is I'm not sure. I checked the config guides for ASA, and up to v7.1 the same caveats apply to the ASA as to the FWSM.

Interestingly, the v7.2 config guide makes no mention of having to have static translations for all destinations on your outside context, but it does talk about having unique MAC addresses for each context interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html#wp1121392

I would need to test this before I could be certain. We are getting 2 ASA devices in a couple of weeks, so if I get a chance I'll have a look.


HTH


Jon
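
As an added example, not taken from this thread or from Cisco's documentation, here is what the cascade Jon describes looks like as an ASA 7.x multiple-context configuration: Context A fronts the Internet on VLAN 10, Context B sits behind it, and VLAN 20 is shared between A's inside interface and B's outside interface. Everything concrete in it is an assumption made for illustration: the interface and VLAN numbers, the context names, the config-url paths, and the addresses (203.0.113.0/24 for the Internet side, 10.1.1.0/24 for the shared VLAN, 192.168.1.0/24 behind B). The identity static in Context A is the per-destination translation that, per Jon's reading of the pre-7.2 guides, the destination-address classifier needs in order to steer a packet from B bound for that Internet host into Context A; it has to be repeated for every destination, which is the limitation he points out. The PAT in Context B is the NAT Haitham mentions, so that A only ever sees B's outside address. Whether the 7.2 change Jon links (unique per-context MAC addresses on shared interfaces, enabled with `mac-address auto` in the system configuration) removes the static requirement should be confirmed against the guide for the release actually deployed; this example only shows the pre-7.2 arrangement.

```text
! --- System execution space (assumed: ASA 7.x, multiple context mode) ---
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
!
! VLAN 10: Internet-facing segment, used by Context A only
interface GigabitEthernet0/0.10
 vlan 10
!
! VLAN 20: shared segment, Context A's inside = Context B's outside
interface GigabitEthernet0/0.20
 vlan 20
!
! VLAN 30: Context B's protected LAN
interface GigabitEthernet0/0.30
 vlan 30
!
context A
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/0.20 inside
 config-url disk0:/A.cfg
!
context B
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/0.30 inside
 config-url disk0:/B.cfg
!
! --- Context A (disk0:/A.cfg): the context in front, facing the Internet ---
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Identity static for one Internet host (203.0.113.50 is an assumed example
! address). On the shared VLAN 20 the classifier picks a context by destination
! address, so a packet from B toward this host is sent into Context A only because
! this static exists; each further Internet destination needs its own static.
static (outside,inside) 203.0.113.50 203.0.113.50 netmask 255.255.255.255
!
! --- Context B (disk0:/B.cfg): the context behind A, on the shared VLAN ---
interface outside
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! PAT B's LAN to B's outside address so Context A only sees 10.1.1.2.
! Replies that A sends to 10.1.1.2 on VLAN 20 classify into B because
! 10.1.1.2 is B's mapped (global) address on that shared interface.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

After applying this, the thing to check per context (with `changeto context A` and `changeto context B`, then `show xlate`) is that a connection from 192.168.1.0/24 to the single statically translated host builds an xlate in both contexts, while a connection to any other Internet address from the same host never produces an xlate in Context A: that missing xlate is the classifier limitation the thread is about, not a routing or ACL problem.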
