Routing between 2 Multiple Contexts

Jan 9th, 2010

Cisco ASA5520

Created two different contexts - Context A and Context B

Objective: I would like to route between these 2 contexts INTERNALLY.

Is this achievable? I've read the Cisco doc examples; most of them illustrate routing outside to the internet before coming back in to the other context.

I have a customer requirement whereby users on Context A would need to access some servers on Context B, that is, without routing out to the internet.

Please advise

Jon Marshall Sun, 01/10/2010 - 01:42

J_Vansen_S wrote:

Cisco ASA5520

Created two different contexts - Context A and Context B

Objective: I would like to route between these 2 contexts INTERNALLY.

Is this achievable? I've read the Cisco doc examples; most of them illustrate routing outside to the internet before coming back in to the other context.

I have a customer requirement whereby users on Context A would need to access some servers on Context B, that is, without routing out to the internet.

Please advise


Well, you shouldn't have to go out to the Internet, although it does depend on your topology setup. There are 2 ways to do this -

1) Traffic from A is routed out of context A and then routed to context B, and vice versa. So the 2 contexts are completely separate and you just need to make sure that there is a routed path between A and B. This, in theory I guess, could be the next hop towards the internet.

2) Each context has an interface connected to the subnet which the servers are on. So you don't need to route out of A and back into B; you can simply go straight from A to the server subnet.

Which one to use is a matter of security requirements. But one thing I would recommend is that traffic to servers from A -> B should not go via the internet.


Jon

Kent Heide Sun, 01/10/2010 - 12:32

Are there any shared interfaces between the contexts?

J_Vansen_S Sun, 01/10/2010 - 17:57

No, there isn't any shared interface in my setup.

Is the concept of a shared interface the way to go to meet my objectives?

Jon Marshall Sun, 01/10/2010 - 18:15

J_Vansen_S wrote:

No, there isn't any shared interface in my setup.

Is the concept of a shared interface the way to go to meet my objectives?


As I said, it depends on your security requirements. If you are happy to have both contexts having direct access to the server LAN, then yes, a shared interface is one way to do it.


Jon

J_Vansen_S Sun, 01/10/2010 - 22:39

Thanks for the advice.

I have altered my design slightly to cater for a shared interface.

The users on both contexts can now access the server zone. Thanks!!

However, I am having a slight problem.

On the other hand, my servers could not access the user zone instead?

I believe I have put in the necessary routes.

Please advise

J_Vansen_S Sun, 01/10/2010 - 22:43

Attached is my updated diagram.

Please advise

Apparently I can't access from the server zone to zone1.

But vice versa is working fine.

trustcisco Mon, 01/11/2010 - 01:09

I have a similar network that I am designing now and I could really use your help.

First of all, what is the gateway of your servers located in 192.168.1.x? Do they have an internet feed?

Do you use NAT exemption for internal traffic? For example, for traffic flowing from zone_users to the servers and vice versa, or do you NAT them?

What if you need to provide access from zone 1 to zone users, what will you do then?

I am posting my config here; just tell me if it is correct or not:


ASA 5510
----------------------
System
----------------------

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
! Subinterfaces and their VLAN tags live in the system execution space,
! not inside the contexts (the "vlan" lines originally repeated under
! each context are not valid there and have been dropped)
interface Ethernet0/1.1
 vlan 2
!
interface Ethernet0/1.2
 vlan 3
!
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
interface Ethernet0/3.1
 vlan 4
!
! e0/1.2 (VLAN 3) is shared by both contexts. On a shared interface the ASA
! picks the context by destination MAC, so give each context its own MAC
mac-address auto
!
! Each context must be told which interfaces it owns; the shared
! subinterface is allocated to both (config-url paths are placeholders)
context context1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1.1
 allocate-interface Ethernet0/1.2
 config-url disk0:/context1.cfg
!
context context2
 allocate-interface Ethernet0/2
 allocate-interface Ethernet0/3.1
 allocate-interface Ethernet0/1.2
 config-url disk0:/context2.cfg
--------------------------------------------
context1

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface Ethernet0/1.1
 description users_lan
 nameif inside1
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
! shared_services sits on the VLAN that context2 also has an interface on
interface Ethernet0/1.2
 description shared_services
 nameif inside2
 security-level 90
 ip address 2.2.2.1 255.255.255.0
!
route outside 0 0 router1_inside_if
------------------------------------------------
context2

interface Ethernet0/2
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface Ethernet0/3.1
 description users_lan
 nameif inside1
 security-level 100
 ip address 3.3.3.1 255.255.255.0
!
! second address on the same shared VLAN as context1's 2.2.2.1
interface Ethernet0/1.2
 description shared_services
 nameif inside2
 security-level 90
 ip address 2.2.2.2 255.255.255.0
!
route outside 0 0 router2_inside_if

Thanks.
J_Vansen_S Mon, 01/11/2010 - 01:34

Hi,

Apparently I point my servers to the gateway on Context B for the internet feed.

I did not use NAT exemption for traffic flowing from zone_users to the servers.

Instead I use dynamic PAT:


global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0

trustcisco Mon, 01/11/2010 - 01:46

Yes, you are right, I missed the L3 on your diagram. I am asking you this because my network is exactly like yours, with the difference that mine is fully L2.

That's why I am asking you about the gateway; any ideas for my case?

trustcisco Mon, 01/11/2010 - 02:13

Why do you have to use dynamic PAT instead of NAT exemption with access lists and a static route for your L3 network?
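The question above points at the likely cause of the one-way problem reported earlier in the thread. With the dynamic PAT that J_Vansen_S posted, every user behind zone_users is hidden behind the address of the shared interface, so a server on the shared segment has no translation that lets it open a connection back to a 192.168.7.x host, and if the shared interface is lower security than zone_users there is also nothing permitting that inbound direction. The following is an added example, not configuration from any poster, showing the NAT-exemption alternative for the user context (Context A) in ASA 8.2-style syntax. Only 192.168.7.0/24 and the 192.168.1.x server segment come from the thread; the interface names, security levels, the 192.168.1.2 address for Context A's shared interface, the outside interface and the L3 switch acting as the servers' router are assumptions.

```cisco
! Added example for the user context (Context A). Assumed:
!   Ethernet0/1.1 = zone_users, 192.168.7.1/24, security-level 100
!   Ethernet0/1.2 = shared,     192.168.1.2/24, security-level 90 (also allocated to Context B)
!   Context B holds 192.168.1.1 on the same VLAN and is the servers' default gateway
!   "outside" is the Internet-facing interface of Context A
!
interface Ethernet0/1.1
 nameif zone_users
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/1.2
 nameif shared
 security-level 90
 ip address 192.168.1.2 255.255.255.0
!
! --- as posted in the thread (weak): dynamic PAT towards the servers ---
! global (shared) 1 interface
! nat (zone_users) 1 192.168.7.0 255.255.255.0
! Users reach the servers, but every flow arrives sourced from 192.168.1.2, and a
! server cannot initiate a connection to a 192.168.7.x address because no
! translation exists for that direction. Remove the "global (shared)" line.
!
! --- replacement: NAT exemption between the two zones ---
! nat 0 with an access-list is bidirectional: it covers zone_users -> shared and
! connections initiated from shared -> zone_users, with real addresses both ways.
access-list NONAT extended permit ip 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (zone_users) 0 access-list NONAT
!
! Internet-bound user traffic is still PAT'd on outside; NAT exemption is matched
! before dynamic NAT, so the two do not collide.
global (outside) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0
!
! shared (90) is lower security than zone_users (100), so server-initiated
! traffic needs an explicit permit. Keep it to what the servers actually need;
! two assumed entries are shown.
access-list SHARED_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 445
access-list SHARED_IN extended permit icmp 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 echo
access-group SHARED_IN in interface shared
!
! --- system execution space ---
! On a shared interface the classifier chooses the context by destination MAC,
! so each context's copy of Ethernet0/1.2 needs its own MAC address.
mac-address auto
!
! --- servers' router (assumed L3 switch, IOS syntax) ---
! A frame for 192.168.7.0/24 must be addressed to Context A's shared interface
! (192.168.1.2), not to the servers' default gateway in Context B; otherwise
! Context B receives it and sends it out its default route.
ip route 192.168.7.0 255.255.255.0 192.168.1.2
```

If the servers point straight at Context B with no L3 switch in between, the equivalent is a host route on the servers themselves, or a route in Context B back out its shared interface to 192.168.1.2 together with `same-security-traffic permit intra-interface`; the first form keeps the two contexts from depending on each other's routing table.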

Jon Marshall Mon, 01/11/2010 - 03:37

J_Vansen_S wrote:

Hi,

Apparently I point my servers to the gateway on Context B for the internet feed.

I did not use NAT exemption for traffic flowing from zone_users to the servers.

Instead I use dynamic PAT:


global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0


Are you still having a problem with your setup or is it fixed ?


Jon
