ASA Multiple Contexts with Shared interfaces

Mar 3rd, 2009

I have an issue with the ASA, multiple contexts and shared interfaces. I have read through the documentation on and also looked through the posts here, but my specific question is not really answered.

I have two contexts running on an ASA v8. I have two interfaces which are configured as trunks on a switch carrying vlans to two ports on the ASA for an inner and outer firewall.

Switch Port 1 (Trunk)---------- ASA Gig0/1 = outer firewall context

Switch Port 2 (trunk)---------- ASA Gig0/2 = inner firewall context

There are two shared VLANs between the firewalls, which happen to be on the switch port 2 trunk. I have enabled mac-address auto on the system context to enable unique MAC addresses.

I have shown a simplified version below.

Vlan 1---------(Outer_FW)----Shared----(inner_FW)----------Vlan 200

I am able to ping across from Vlan 1 to Vlan 200 effectively traversing both firewalls. All interfaces including the shared one(s) are on the same security level with open rules for testing. I am unable to get from the shared VLAN to either Vlan 1 or vlan 200. If I use the packet tracer I get the (ifc-classify) Virtual Firewall Classification failed message. So I obviously understand that the ASA does not know which context should handle the incoming packet although the destination ip address is unique and only behind one firewall and unique mac addresses are being used.

My question, then, is: is it possible to have shared inside interfaces if you will be talking to other inside interfaces (or same-level interfaces)? I believe it is, and if so, do I still have to use NAT to tell the ASA which networks are behind which firewalls?

Thanks in Advance

Ivan Martinon Tue, 03/03/2009 - 07:31

Pinging should be possible, since in most cases this setup resembles a shared outside address; the key point is that IP addresses should be different. With your MAC address automatic, you should not have a problem as to how to classify traffic here. When you are pinging, are you pinging from a host on the shared network or from the actual interface? What is the route, or how is the route defined, when reaching either LAN (1 or 200)?

1arichardson Tue, 03/03/2009 - 08:04

Thanks for the reply, IP addresses for each firewall interface in the shared vlan are indeed different.

I have devices on the shared network that can ping both the firewall interfaces on the shared VLAN, but cannot ping through.

All of the routes are known by the firewall as I am only trying to get to addresses that are directly attached to the firewall.

The fact that I'm getting the ifc-classify error seems to indicate a classification error and the inability of the ASA to determine the correct context, although I cannot see why this should happen.

Ivan Martinon Tue, 03/03/2009 - 08:10

How is the security level? Does this shared interface have a lower security level than the other interfaces? Do you have some NAT settings there?

1arichardson Tue, 03/03/2009 - 08:38

The security level is the same on shared and other interfaces and there is no NAT anywhere. I'll try to sanitise the configs and upload.

