I have an issue with the ASA, multiple contexts and shared interfaces. I have read through the documentation on Cisco.com and also looked through the posts here, but my specific question is not really answered.
I have two contexts running on an ASA v8. I have two interfaces which are configured as trunks on a switch, carrying VLANs to two ports on the ASA for an inner and an outer firewall.
Switch Port 1 (trunk) ---------- ASA Gig0/1 = outer firewall context
Switch Port 2 (trunk) ---------- ASA Gig0/2 = inner firewall context
There are two shared VLANs between the firewalls, which happen to be on the switch port 2 trunk. I have enabled mac-address auto on the system context to enable unique MAC addresses.
I have shown a simplified version below.
VLAN 1 ---------(Outer_FW)---- Shared ----(Inner_FW)--------- VLAN 200
I am able to ping across from VLAN 1 to VLAN 200, effectively traversing both firewalls. All interfaces, including the shared one(s), are on the same security level with open rules for testing. I am unable to get from the shared VLAN to either VLAN 1 or VLAN 200. If I use the packet tracer I get the "(ifc-classify) Virtual Firewall Classification failed" message. So I obviously understand that the ASA does not know which context should handle the incoming packet, although the destination IP address is unique and only behind one firewall, and unique MAC addresses are being used.
My question, then, is: is it possible to have shared inside interfaces if you will be talking to other inside interfaces (or same-level interfaces)? I believe it is, and if so, do I still have to use NAT to tell the ASA which networks are behind which firewalls?
Thanks in Advance
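For reference, here is an added example (not the poster's configuration) of how the topology described in the post is laid out in ASA multiple-context mode: the system context allocating the physical and sub-interfaces to an "outer" and an "inner" context, with the shared VLAN as a subinterface allocated to both, plus the per-context interface and NAT statements. Interface numbers, VLAN IDs, context and mapped names, file names and IP addresses are all assumptions; the NAT lines use the pre-8.3 `static` syntax.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: Gig0/1 carries VLAN 1 untagged (native) from switch port 1;
! Gig0/2 carries VLAN 100 (the shared VLAN) and VLAN 200 tagged from switch port 2;
! addressing is 10.1.0.0/24 (VLAN 1), 10.100.0.0/24 (shared), 10.200.0.0/24 (VLAN 200).
!
! ---------------- system context (after "mode multiple") ----------------
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
! shared VLAN between the two contexts (assumed VLAN ID 100)
interface GigabitEthernet0/2.100
 vlan 100
!
! inner network (VLAN 200)
interface GigabitEthernet0/2.200
 vlan 200
!
! give each context its own MAC address on the shared subinterface
mac-address auto
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context outer
  allocate-interface GigabitEthernet0/1 outside
  allocate-interface GigabitEthernet0/2.100 shared
  config-url disk0:/outer.cfg
!
context inner
  allocate-interface GigabitEthernet0/2.100 shared
  allocate-interface GigabitEthernet0/2.200 inside
  config-url disk0:/inner.cfg
!
! ---------------- context "inner" ----------------
interface shared
 nameif shared
 security-level 100
 ip address 10.100.0.2 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 10.200.0.1 255.255.255.0
!
! both interfaces sit at the same security level, so inter-interface
! traffic has to be permitted explicitly
same-security-traffic permit inter-interface
!
! identity static translation: besides allowing the traffic, it tells the
! classifier that 10.200.0.0/24 sits behind this context's shared interface
static (inside,shared) 10.200.0.0 10.200.0.0 netmask 255.255.255.0
!
! ---------------- context "outer" ----------------
interface shared
 nameif shared
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface outside
 nameif outside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
! identity static translation for the network behind the outer context
static (outside,shared) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
```

On 8.3 and later the equivalent of each `static` line is an object-based identity rule, for example `object network NET-INSIDE` / `subnet 10.200.0.0 255.255.255.0` followed by `nat (inside,shared) source static NET-INSIDE NET-INSIDE` (names assumed). Hosts on the shared VLAN still need a route: the `inner` context's shared address is the next hop for 10.200.0.0/24 and the `outer` context's shared address is the next hop for 10.1.0.0/24, so a host on that VLAN either has a static route per network or uses one context as its default gateway with that context routing to the other across the shared segment.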