Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1893
Views
0
Helpful
6
Replies

Cascading contexts

ciscors
Level 1
Level 1

‎04-30-2007 04:15 PM - edited ‎03-11-2019 03:07 AM

Can anybody give me further information about cascading contexts other than what's on the documentation CD which is very little? Isn't a cascading context nothing but a shared interface? You're basically sharing context A's outside interface and context B's inside interface. Isn't it?

Thank you

Labels:
0 Helpful
6 Replies 6

haithamnofal
Level 3
Level 3

‎04-30-2007 06:06 PM

Hi,

When cascading contexts you need to avoid sharing inside interfaces to avoid limitations in the FW classifier. Only the outside interface is what needs to be shared.

Cascading two contexts via their outside interfaces is possible. You need to NAT the internal network on Context B for Context A can see it, then a static route must be installed in Context A to point to B as a next-hop, and vice versa.

Hope this is clear.

Regards,

Haitham

0 Helpful

ciscors
Level 1
Level 1
In response to haithamnofal

‎04-30-2007 06:49 PM

On the DOC CD, the definition of cascading contexts is below while you seem to be stating that the outside interfaces of the contexts can be shared. I'm confused

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to ciscors

‎04-30-2007 11:21 PM

Hi

You are correct in what you say. A cascading context is having one virtual firewall behind another. So yes the outside interface of one context will connect to the same shared vlan as the inside interface of another context.

And this is where the problems begin. As the docs on v3.1 state if you have Context A which connects to the Internet. Behind that you have context B. Context A inside interface is on the same shared vlan as context B outside interface.

If a user on the inside of context B wants to connect to the Internet there must be a static translation on the context A for the Internet address.

Otherwise the classifier has no idea which context to send the traffic to. This as you can imagine would be failry limiting if you had to enter every Internet address you wanted to reach as a static translation.

I don't wish to second guess Haitham but it sounds like what he is describing is not cascaded contexts but contexts that share a vlan for their outside interfaces. This is not the same although you still face issues with the classifier.

Hope this makes sense

Jon

0 Helpful

haithamnofal
Level 3
Level 3
In response to Jon Marshall

‎05-01-2007 11:12 AM

Please have a look at the attached doc; it is very helpful.

Regards,

Haitham

21796-FWSM-Classifier.zip
0 Helpful

ciscors
Level 1
Level 1
In response to Jon Marshall

‎05-02-2007 01:42 PM

Jon

I apologize that I didn't previously mention that I'm doing this on ASA appliances and not a FWSM. When you refer to v3.1, I guess you're referring to the FWSM version and it also seems that contexts are more popular in the FWSM world as that's what large service providers use

Jon, is your explanation for the last post valid for appliances too?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to ciscors

‎05-02-2007 08:46 PM

Hi

No need to apologize, i just made the wrong assumption. Yes version 3.1 is the equivalent of version 7.x for the standalone ASA & pix devices.

I haven't used the ASA appliances in a cascading scenario so the answer is i'm not sure. I checked the config guides for ASA and up to v7.1 the same caveats apply to the ASA as the FWSM.

Interestingly the v7.2 config guide makes no mention of having to have static translations for all destinations on your outside context but it does talk about having unique MAC addresses for each context interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html#wp1121392

I would need to test this before i could be certain. We are getting 2 ASA devices in a a couple of weeks so if i get a chance i'll have a look.

HTH

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card