Routing between 2 Multiple Context

J_Vansen_S
Level 3

Cisco ASA5520

Created two different context - Context A and Context B

Objective: I would like to route between these 2 contexts INTERNALLY.

Is this achievable? I've read the Cisco doc examples, but most of them illustrate routing outside to the internet before coming back in to the other context.

I have a customer requirement whereby users on Context A would need to access some servers from Context B, that is, without routing out to the internet.

Please advise

11 Replies 11

Jon Marshall
Hall of Fame

J_Vansen_S wrote:

Cisco ASA5520

Created two different context - Context A and Context B

Objective: I would like to route between these 2 contexts INTERNALLY.

Is this achievable? I've read the Cisco doc examples, but most of them illustrate routing outside to the internet before coming back in to the other context.

I have a customer requirement whereby users on Context A would need to access some servers from Context B, that is, without routing out to the internet.

Please advise

Well you shouldn't have to go out to the Internet, although it does depend on your topology setup.  There are 2 ways to do this -

1) traffic from A is routed out of context A and then routed to context B and vice-versa. So the 2 contexts are completely separate and you just need to make sure that there is a routed path between A and B. This in theory I guess could be the next-hop towards the internet.

2) each context has an interface connected to subnet which the servers are on. So you don't need to route out of A and back into B, you can simply go straight from A to the server subnet.

Which one to use is a matter of security requirements. But one thing I would recommend is that traffic to servers from A -> B should not go via the internet.

Jon

Are there any shared interfaces between the contexts?

No there isn't any shared interface on my setup.

Is the concept of shared interface the way to go to meet my objectives?

J_Vansen_S wrote:

No there isn't any shared interface on my setup.

Is the concept of shared interface the way to go to meet my objectives?

As I said, it depends on your security requirements. If you are happy to have both contexts having direct access to the server LAN then yes, a shared interface is one way to do it.

Jon

Thanks for the advice.

I have altered my design slightly to cater for shared interface.

The users on both contexts can now access the server zone. Thanks!!

However, I am having a slight problem.

On the other hand, my servers could not access the user zone?

I believe I have put in the necessary routes.

Please advise

J_Vansen_S
Level 3

Attached is my updated diagram.

Please advise

Apparently I can't access from the server zone to zone1

But vice versa is working fine

I have a similar network that I am designing now and I could really use your help.

First of all, what is the gateway of your servers located in 192.168.1.x? Do they have an internet feed?

Do you use NAT exemption for internal traffic? For example, for traffic flowing from zone_users to servers and vice versa, or do you NAT them?

What if you need to provide access from zone 1 to zone users, what will you do then?

I am posting my config here, just tell me if it is correct or not:

ASA 5510
----------------------

-------------------
System

interface e0/0
no shut

interface e0/1
no shut
no ip address

interface e0/1.1
vlan 2

interface e0/1.2
vlan 3

interface e0/2
no shut

interface e0/3
no shut
no ip address

interface e0/3.1
vlan 4
--------------------------------------------
context1

interface e0/0
ip address x.x.x.x
nameif outside
security-level 0

interface e0/1.1
description users_lan
ip address 1.1.1.1 255.255.255.0
nameif inside1
security-level 100

interface e0/1.2
description shared_services
ip address 2.2.2.1 255.255.255.0
nameif inside2
security-level 90

route outside 0 0 router1_inside_if
------------------------------------------------
context2

interface e0/2
ip address x.x.x.x
nameif outside
security-level 0

interface e0/3.1
description users_lan
ip address 3.3.3.1 255.255.255.0
nameif inside1
security-level 100

interface e0/1.2
description shared_services
ip address 2.2.2.2 255.255.255.0
nameif inside2
security-level 90

route outside 0 0 router2_inside_if

Thanks.

Hi,

Apparently I point my servers to the gateway on Context B for the internet feed.

I did not use nat exemption for traffic flowing from zone_users to servers.

Instead I use dynamic PAT:

global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0

Yes you are right, I missed the L3 on your diagram. I am asking you this because my network is exactly like yours, with the difference that mine is fully L2.

That's why I am asking you about the gateway; any ideas for my case?

Why do you have to use dynamic PAT instead of NAT exemption with access lists and a static route for your L3 network?
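The NAT exemption versus dynamic PAT question above, and Jon's earlier point that the design choice comes down to security requirements, can be worked through with a small model. The Python below is an added example written for this thread; it is not Cisco code and not the poster's configuration. It mimics the decision order of a pre-8.3 ASA context for a new connection (route lookup, NAT/xlate lookup, then security-level and access-list check) on one context with a zone_users interface (192.168.7.0/24, from the poster's nat statement) and a shared interface (192.168.1.0/24, the server subnet mentioned above). The interface and host addresses, the security levels 100/90, and the connected-routes-only lookup are assumptions made for the example.

```python
"""Toy model of how a pre-8.3 Cisco ASA context decides the fate of a new
connection: route lookup, NAT/xlate lookup, then security-level / ACL check.

Added example for this thread; not Cisco code and not the poster's config.
Subnet 192.168.7.0/24 (zone_users) and 192.168.1.0/24 (servers) come from
the thread; interface IPs, host IPs and security levels are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Interface:
    name: str
    security: int
    ip: IPv4Address
    subnet: IPv4Network


@dataclass
class Context:
    interfaces: dict = field(default_factory=dict)
    # (nameif, source subnet) -> nat id, as in "nat (zone_users) 1 192.168.7.0 255.255.255.0"
    dynamic_nat: dict = field(default_factory=dict)
    # nat id -> set of nameif, as in "global (shared) 1 interface"
    globals_: dict = field(default_factory=dict)
    # "nat 0 access-list" entries: list of (src subnet, dst subnet), exempt both ways
    exempt: list = field(default_factory=list)
    # inbound ACLs: nameif -> list of (src subnet, dst subnet) permits
    acl: dict = field(default_factory=dict)

    def add_interface(self, name, security, ip, subnet):
        self.interfaces[name] = Interface(name, security, ip_address(ip), ip_network(subnet))

    def route(self, dst):
        """Simplification: connected routes only, i.e. the interface whose subnet holds dst."""
        for intf in self.interfaces.values():
            if dst in intf.subnet:
                return intf
        return None

    def evaluate(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        ingress, egress = self.route(src), self.route(dst)
        if ingress is None or egress is None:
            return "DROP: no route"
        # 1. NAT exemption wins in either direction and keeps the real addresses.
        exempt = any((src in s and dst in d) or (dst in s and src in d) for s, d in self.exempt)
        translated_src = src
        if not exempt:
            if ingress.security > egress.security:
                # Outbound: dynamic PAT applies when a nat id on the ingress interface
                # matches the source and a global exists on the egress interface.
                for (nameif, subnet), nat_id in self.dynamic_nat.items():
                    if nameif == ingress.name and src in subnet and egress.name in self.globals_.get(nat_id, ()):
                        translated_src = egress.ip
            else:
                # Inbound toward a host covered by a dynamic NAT rule on the higher-security
                # side: with no static and no exemption there is no xlate to use, which is
                # the "%ASA-3-305005: No translation group found" symptom.
                for (nameif, subnet), _ in self.dynamic_nat.items():
                    if nameif == egress.name and dst in subnet:
                        return "DROP: no translation group found"
        # 2. Security-level / ACL check: higher-to-lower is implicitly permitted,
        #    lower-to-higher needs an inbound ACL permit on the ingress interface.
        if ingress.security > egress.security:
            return f"PERMIT src={translated_src}"
        for s, d in self.acl.get(ingress.name, []):
            if src in s and dst in d:
                return f"PERMIT src={translated_src}"
        return "DROP: lower-to-higher security without ACL permit"


def context_b(nat_exemption=False, server_acl=False):
    """Context B as described in the thread: users PAT'd toward the shared server zone."""
    ctx = Context()
    ctx.add_interface("zone_users", 100, "192.168.7.1", "192.168.7.0/24")  # IPs assumed
    ctx.add_interface("shared", 90, "192.168.1.1", "192.168.1.0/24")
    # The poster's statements: nat (zone_users) 1 192.168.7.0/24, global on both interfaces.
    ctx.dynamic_nat[("zone_users", ip_network("192.168.7.0/24"))] = 1
    ctx.globals_[1] = {"shared", "zone_users"}
    if nat_exemption:  # the alternative suggested above: nat 0 access-list users<->servers
        ctx.exempt.append((ip_network("192.168.7.0/24"), ip_network("192.168.1.0/24")))
    if server_acl:  # inbound ACL on "shared" permitting servers to reach the user zone
        ctx.acl["shared"] = [(ip_network("192.168.1.0/24"), ip_network("192.168.7.0/24"))]
    return ctx


if __name__ == "__main__":
    for label, ctx in [("dynamic PAT only", context_b()),
                       ("NAT exemption", context_b(nat_exemption=True)),
                       ("NAT exemption + ACL on shared", context_b(nat_exemption=True, server_acl=True))]:
        print(label)
        print("  user -> server:", ctx.evaluate("192.168.7.10", "192.168.1.20"))
        print("  server -> user:", ctx.evaluate("192.168.1.20", "192.168.7.10"))
```

With dynamic PAT only, user-to-server traffic passes (source rewritten to the shared interface address) while server-to-user traffic has no translation to match and is dropped, which is the one-way symptom reported in this thread. Adding the exemption removes the translation problem in both directions, but server-initiated traffic still needs an inbound ACL on the lower-security shared interface, which is the security decision Jon referred to.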

J_Vansen_S wrote:

Hi,

Apparently I point my servers to the gateway on Context B for the internet feed.

I did not use nat exemption for traffic flowing from zone_users to servers.

Instead I use dynamic PAT:

global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0

Are you still having a problem with your setup or is it fixed?

Jon
