default route problem with ASA in Multiple context mode

Answered Question
Apr 26th, 2010

Hi

I have two ASAs in an active/active, multiple-context, routed-mode setup.

The inside interface for each ASA is split into 4 subinterfaces corresponding to the 4 contexts and each subinterface has an IP.

The end users are not connected directly to the ASA but are two routers downstream (ASA -> core (Layer 3) -> distribution (Layer 3) -> access (end user)).

All traffic whose destination is internal to the campus network is routed internally, either via VRRP at the distribution switches or via a routing protocol (OSPF) between the distribution switches and core switches.

My question is:

When traffic is destined outside the campus network (to the internet, for example, through the ASA), what should the default route be on the distribution routers and core routers, given that the inside interface of the ASA has 4 different IP addresses corresponding to 4 subnets?

Thanks

r.adlouni Tue, 04/27/2010 - 02:00

Hi Guys

Has anyone come across the problem above? Thanks for your help

MATEE WITAWASIRI Tue, 04/27/2010 - 02:14

The ASA is a stateful firewall, so outgoing and incoming traffic must be on the same context. I think that is your problem: to control the traffic through each context. If you select the first context, you must make sure that the return traffic comes back through the first one.

If you want to load balance across all contexts, you need a load-balancing switch.

r.adlouni Tue, 04/27/2010 - 03:08

Hi Matee

The requirement is to route traffic properly from the end users at the access level to the context corresponding to their VLAN.

I have 4 contexts on the ASA, and each context should process data from a certain VLAN.

When an end user wants to access a resource external to the campus network, there should be a default route on the core or distribution switches pointing towards the default gateway (the ASA in this case), but the ASA has an inside interface partitioned into 4 subinterfaces, each with its own IP address. Each subinterface corresponds to a security context.

So how can I make sure that the traffic is routed properly, so that traffic from a VLAN will use the subinterface on the ASA corresponding to its assigned security context?

Thanks

Correct Answer
francisco_1 Tue, 04/27/2010 - 04:34

How are you going to make the routing decision for users on the core?

You might have to use policy routing on the core for routing to contexts on ASA based on source of the traffic.

r.adlouni Tue, 04/27/2010 - 04:56

Hi Francisco

Routing decision for end users is made on the distribution switches using VRRP or OSPF.

Your suggestion seems to be very logical. I have been trying to think of a way to route traffic properly to the different contexts, but without luck. Policy-based routing seems to be the only way.

Thanks for your help

Correct Answer
jcosgrove Tue, 04/27/2010 - 06:35

Yes, you need to policy route based on source IP to the specific ASA context. This is how I solve this problem.
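The source-based policy routing that francisco_1 and jcosgrove describe, written out as an added Cisco IOS example for the core switch (this is not configuration posted in the thread). VLAN subnets, interface names and ASA subinterface addresses are constructed placeholders; two of the four contexts are shown and the other two follow the same pattern.

```cisco
! Added example (not from the thread): policy-based routing on the core
! switch so that each user VLAN exits through its own ASA context.
! All addresses and interface names below are constructed placeholders.
!
! Assumed layout:
!   VLAN 10 users 10.10.0.0/16 -> context A inside subinterface at 192.168.10.1
!   VLAN 20 users 10.20.0.0/16 -> context B inside subinterface at 192.168.20.1
!   (contexts C and D follow the same pattern)
!
! 1. Classify traffic by source subnet, one ACL per context.
ip access-list extended PBR-TO-CTX-A
 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended PBR-TO-CTX-B
 permit ip 10.20.0.0 0.0.255.255 any
!
! 2. Route-map. "set ip default next-hop" is used deliberately: it only
!    takes effect when the destination has no explicit route in the RIB,
!    so campus-internal traffic learned via OSPF keeps its normal path and
!    only traffic that would otherwise hit the default route is steered
!    to the context that owns the source VLAN.
route-map PBR-ASA-CONTEXTS permit 10
 match ip address PBR-TO-CTX-A
 set ip default next-hop 192.168.10.1
route-map PBR-ASA-CONTEXTS permit 20
 match ip address PBR-TO-CTX-B
 set ip default next-hop 192.168.20.1
! Sources that match no sequence fall through to the ordinary routing table.
!
! 3. Apply the policy on every core interface that receives traffic from
!    the distribution layer (routed link or SVI; assumed name).
interface GigabitEthernet0/2
 description Link to distribution switch
 ip policy route-map PBR-ASA-CONTEXTS
!
! 4. Return path. The ASA is stateful, so replies must re-enter the same
!    context. Each context needs a route for its own VLAN back towards
!    the core (assumed core-side address on context A's inside subnet:
!    192.168.10.2). Entered on the ASA, inside context A:
!      route inside 10.10.0.0 255.255.0.0 192.168.10.2
!    Context B gets the equivalent route for 10.20.0.0/16.
```

Support for `set ip default next-hop` varies by platform; where it is not available in hardware, use `set ip next-hop` instead and add deny entries for the campus-internal destination prefixes at the top of each ACL so that internal traffic is not policy routed.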
