ASA Multi-Context - IDS Inline Interface Problem

Unanswered Question

Hello,

I've perused the last few months of postings and did not see anything related to this issue. Please forgive me if I missed the subject in the archives....

I have an issue when trying to configure IDS inline pairs with an ASA in multi-context mode. The issue is that I simply cannot pass traffic over that interface pair when in multi-mode. The basic layout is like this:

R1 ---> ASA ---> IDS ---> R7 ---> IDS ---> R8

I have the addressing set up per the following list:

R1 E0/0: 10.1.1.1 (VLAN 11)

Context 1: ASA E0/1 (inside): 10.1.1.11 (VLAN 11)

Context 2: ASA E0/2: (inside)10.12.12.10 (VLAN 12)

Context 1: ASA E0/0.1 (outside): 1.1.1.10 (VLAN 100)

Context 2: ASAE0/0.1 (outside): 1.1.1.20 (VLAN 100)

R7 E0/0: 1.1.1.7 (VLAN 101)

R7 E1/0: 2.2.2.7 (VLAN 200)

R8 E0/0: 2.2.2.8 (VLAN 201)

As you can see, the outside interface is shared between contexts 1 & 2. All ports on the switches are set to access mode, in the corresponding vlans.

The IDS has two interface pairs:

Pair1: E1/0 & E1/1

Pair2: E1/2 & E1/3

Pair1 bridges vlans 100 & 101 between ASA Context 1 and R7. Pair2 bridges vlans 200 & 201 between R7 & R8. I am able to pass traffic over Pair2 from R7 to R8 & Visa Versa. I enabled signatures 2000 & 2004, which fire when I pass traffic over Pair2. When I attempt pings between the ASA contexts & R7, the signatures do not fire.

When configuring the ASA in multi-context mode, I've tried assigning mac addreses to interface E0/0.1 in each context via the 'mac-address auto' command, and manually in interface config mode. In both cases, I'm unable to pass traffic. However, if I re-configure the ASA in single mode, using 10.1.1.1 in vlan 11, traffic will pass between the ASA & R7... and the signatures fire appropriately.

Additionally, here are the mac addresses the ASA assigned to interface e0/0.1 in each context:

Context 1: 1200.0001.0200

Context 2: 1200.0001.0300

When I jump into the switch and look for these mac addresses in the mac address table, they do not show up:

SW1#sho mac-address-table | in 1200.0001.0200

SW1#

SW1#sho mac-address-table | in 1200.0001.0300

SW1#

SW1#sho mac-address-table | in Fa0/13 (switchport mode access, access vlan 100 - connected to ASA E0/0)

SW1#

I am totally stumped on this. I'm actually losing sleep over this one. :/

Any help would be greatly appreciated.

Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion