ASA Multi-Context - IDS Inline Interface Problem

Unanswered Question

Hello,


I've perused the last few months of postings and did not see anything related to this issue. Please forgive me if I missed the subject in the archives....


I have an issue when trying to configure IDS inline pairs with an ASA in multi-context mode. The issue is that I simply cannot pass traffic over that interface pair when in multi-mode. The basic layout is like this:


R1 ---> ASA ---> IDS ---> R7 ---> IDS ---> R8


I have the addressing set up per the following list:


R1 E0/0: 10.1.1.1 (VLAN 11)

Context 1: ASA E0/1 (inside): 10.1.1.11 (VLAN 11)

Context 2: ASA E0/2 (inside): 10.12.12.10 (VLAN 12)


Context 1: ASA E0/0.1 (outside): 1.1.1.10 (VLAN 100)

Context 2: ASA E0/0.1 (outside): 1.1.1.20 (VLAN 100)

R7 E0/0: 1.1.1.7 (VLAN 101)


R7 E1/0: 2.2.2.7 (VLAN 200)

R8 E0/0: 2.2.2.8 (VLAN 201)


As you can see, the outside interface is shared between contexts 1 & 2. All ports on the switches are set to access mode, in the corresponding vlans.


The IDS has two interface pairs:


Pair1: E1/0 & E1/1

Pair2: E1/2 & E1/3


Pair1 bridges vlans 100 & 101 between ASA Context 1 and R7. Pair2 bridges vlans 200 & 201 between R7 & R8. I am able to pass traffic over Pair2 from R7 to R8 & vice versa. I enabled signatures 2000 & 2004, which fire when I pass traffic over Pair2. When I attempt pings between the ASA contexts & R7, the signatures do not fire.


When configuring the ASA in multi-context mode, I've tried assigning mac addresses to interface E0/0.1 in each context via the 'mac-address auto' command, and manually in interface config mode. In both cases, I'm unable to pass traffic. However, if I re-configure the ASA in single mode, using 10.1.1.1 in vlan 11, traffic will pass between the ASA & R7... and the signatures fire appropriately.



Additionally, here are the mac addresses the ASA assigned to interface e0/0.1 in each context:


Context 1: 1200.0001.0200

Context 2: 1200.0001.0300


When I jump into the switch and look for these mac addresses in the mac address table, they do not show up:


SW1#sho mac-address-table | in 1200.0001.0200

SW1#

SW1#sho mac-address-table | in 1200.0001.0300

SW1#

SW1#sho mac-address-table | in Fa0/13 (switchport mode access, access vlan 100 - connected to ASA E0/0)

SW1#



I am totally stumped on this. I'm actually losing sleep over this one. :/


Any help would be greatly appreciated.


Thanks!
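Added example, not part of the original post: a small Python checker for the kind of troubleshooting the post is doing by hand, i.e. confirming whether the per-context MAC addresses the ASA assigned to the shared outside subinterface were ever learned by the switch, and on which VLAN and port. The switch output below is constructed (it is not the poster's SW1 table); the two ASA context MACs, VLAN 100 and Fa0/13 are taken from the post, and the R7 MAC and its port are assumed placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of Cisco IOS 'show mac-address-table' output (not the
# poster's real SW1 output). Note that neither ASA context MAC appears in it,
# which is exactly the symptom described in the post.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    aabb.cc00.0100    DYNAMIC     Fa0/1
 101    aabb.cc00.0700    DYNAMIC     Fa0/15
 200    aabb.cc00.0710    DYNAMIC     Fa0/17
 201    aabb.cc00.0800    DYNAMIC     Fa0/18
Total Mac Addresses for this criterion: 4
"""


class MacEntry(NamedTuple):
    vlan: int
    mac: str
    entry_type: str
    port: str


# One data row: VLAN, dotted-hex MAC, type (DYNAMIC/STATIC), port.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> List[MacEntry]:
    """Parse the data rows of 'show mac-address-table'; headers and the
    'Total Mac Addresses' trailer do not match ROW_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(
                MacEntry(int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4))
            )
    return entries


# What we expect the switch to have learned: name -> (mac, vlan, port).
# Context MACs, VLAN 100 and Fa0/13 are from the post; the R7 entry is assumed.
EXPECTED: Dict[str, Tuple[str, int, str]] = {
    "context1-outside": ("1200.0001.0200", 100, "Fa0/13"),
    "context2-outside": ("1200.0001.0300", 100, "Fa0/13"),
    "R7-outside": ("aabb.cc00.0700", 101, "Fa0/15"),
}


def check_expected(entries: List[MacEntry], expected: Dict[str, Tuple[str, int, str]]) -> Dict[str, str]:
    """For each expected MAC report 'ok', 'missing', or the VLAN/port it was
    actually learned on, so a never-learned context MAC stands out."""
    by_mac = {e.mac: e for e in entries}
    report = {}
    for name, (mac, vlan, port) in expected.items():
        e = by_mac.get(mac.lower())
        if e is None:
            report[name] = "missing"
        elif e.vlan != vlan:
            report[name] = f"wrong vlan {e.vlan}"
        elif e.port != port:
            report[name] = f"wrong port {e.port}"
        else:
            report[name] = "ok"
    return report


def duplicate_macs(expected: Dict[str, Tuple[str, int, str]]) -> List[str]:
    """Contexts sharing one physical interface must use distinct MACs; return
    any MAC assigned to more than one expected entry."""
    seen: Dict[str, int] = {}
    for mac, _vlan, _port in expected.values():
        seen[mac.lower()] = seen.get(mac.lower(), 0) + 1
    return sorted(m for m, n in seen.items() if n > 1)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    for name, status in check_expected(table, EXPECTED).items():
        print(f"{name:18} {status}")
    print("duplicate MACs across contexts:", duplicate_macs(EXPECTED) or "none")
```

A "missing" result for both context MACs while the R7 MAC shows up tells you the frames from the shared subinterface never reached the switch port, which narrows the problem to the ASA side of the inline pair rather than the IDS or R7.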



