Communication Between ASA Multiple Contexts

Apr 1st, 2009
Is it possible to create the following design:

1) Multiple Contexts: Customer Internal Network; Business Partner A, Business Partner B

2) Customer net can talk to Business Partner A and B (from the inside)

3) Business Partners can't talk to each other.

If this is possible, am I gaining any additional security with using this type of context design vs. putting the business partner connectivity in DMZ interfaces and using ACLs?

Collin Clark Wed, 04/01/2009 - 13:27

Is there a specific reason why you would not have a single context and use a different interface for Internal, BP-A, and BP-B? It's possible to do it with multiple contexts, but I think it would be easier to do it with a single context.

Hope that helps.

captain131 Thu, 04/02/2009 - 04:51
No specific reason. My reasoning (which may be convoluted or completely off) was to give each business partner the security of being separated by a virtual firewall from one another. It's not a strict requirement, but more of a design "thought" I had when reviewing the functionality of contexts. It sounds like I'm making it more complicated than it needs to be?

Collin Clark Thu, 04/02/2009 - 06:11

I can understand your thinking, but IMO using a single context can be just as secure. I only use multiple contexts when necessary. Also keep in mind that you can not use VPN with multiple contexts.

captain131 Thu, 04/02/2009 - 06:35
Hi Collin - Thanks for the feedback. I've had similar feedback from other engineers I spoke with offline. I will very likely go back to the single context mode. Would you suggest using DMZs as part of the design?

Collin Clark Thu, 04/02/2009 - 06:42

Absolutely. I would create a new DMZ for each customer. Use 'inside' for your internal network and 'outside' for the public network if you have that connection.
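To make the single-context design concrete, here is an added ASA configuration fragment (example only, not posted by anyone in this thread) that puts each partner on its own DMZ interface and enforces the three requirements from the original question with ACLs; the interface names, addresses and the single permitted service are assumptions.

```cisco
! Added example, not from the thread. Addresses are documentation ranges.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz-bpa
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-bpb
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Both DMZs sit at the same security level. By default the ASA drops traffic
! between same-level interfaces unless "same-security-traffic permit
! inter-interface" is configured, so leave that command out. The explicit
! denies below make the partner isolation visible in the config and in the logs
! instead of relying on that default alone.
!
! Partner A: block anything toward Partner B, then allow only one assumed
! application (tcp/443 to 10.1.1.10). The implicit deny covers the rest.
access-list BPA_IN extended deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 log
access-list BPA_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.1.1.10 eq 443
access-group BPA_IN in interface dmz-bpa
!
! Partner B: mirror image of the above.
access-list BPB_IN extended deny ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 log
access-list BPB_IN extended permit tcp 198.51.100.0 255.255.255.0 host 10.1.1.10 eq 443
access-group BPB_IN in interface dmz-bpb
!
! Inside may initiate to either partner network. Return traffic for these
! connections is allowed by the stateful inspection, so no inbound permit on
! the DMZ ACLs is needed for inside-originated flows.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
access-group INSIDE_IN in interface inside
```

The `log` keyword on the deny entries gives you a syslog record if one partner ever attempts to reach the other, which is the check that the isolation is actually working.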
