04-26-2010 02:04 PM - edited 03-11-2019 10:37 AM
Hi
I have two ASAs in an active/active, multiple-context, routed-mode setup.
The inside interface for each ASA is split into 4 subinterfaces corresponding to the 4 contexts and each subinterface has an IP.
The end users are not connected directly to the ASA but are two routers downstream (ASA -> core (Layer 3) -> distribution (Layer 3) -> access (end user)).
All traffic whose destination is internal to the campus network is routed internally either via VRRP at the distribution switches or via a routing protocol (OSPF) between the distribution switches and core switches
My question is:
When traffic is destined outside the campus network (to the internet, for example, through the ASA), what should the default route be on the distribution routers and core routers, given that the inside interface of the ASA has 4 different IP addresses corresponding to 4 subnets?
Thanks
04-27-2010 02:00 AM
Hi Guys
Has anyone come across the problem above? Thanks for your help
04-27-2010 02:14 AM
The ASA is a stateful firewall, so outgoing and incoming traffic must be on the same context. I think that is your problem: to control the traffic through each context. If you select the first context, you must make sure that the return traffic comes back through the first one.
If you want to load balance across all contexts, you need a load-balancing switch.
04-27-2010 03:08 AM
Hi Matee
The requirement is to route traffic properly from the end users at the access level to the context corresponding to their VLAN.
I have 4 contexts on the ASA, and each context should process data from a certain VLAN.
When an end user wants to access a resource external to the campus network, there should be a default route on the core or distribution switches pointing towards the default gateway (the ASA in this case), but the ASA has an inside interface partitioned into 4 subinterfaces, and each subinterface has its own IP address. Each subinterface corresponds to a security context.
So how can I make sure that the traffic is routed properly so that traffic from a VLAN will use the subinterface on the ASA corresponding to its assigned security context.
Thanks
04-27-2010 04:34 AM
How are you going to make routing decision for users on the core?
You might have to use policy routing on the core for routing to contexts on ASA based on source of the traffic.
04-27-2010 04:56 AM
Hi Francisco
Routing decision for end users is made on the distribution switches using VRRP or OSPF.
Your suggestion seems to be very logical. I have been trying to think of a way to route traffic properly to the different contexts, but without luck. Policy-based routing seems to be the only way.
Thanks for your help
04-27-2010 06:35 AM
Yes, you need to policy route based on source IP to the specific ASA context. This is how I solve this problem.
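The source-based policy routing described in the answers above, written out as an added IOS example (not configuration from the thread's participants). All addressing is hypothetical: user VLANs 10.1.10.0/24 through 10.1.40.0/24, and the four context inside subinterfaces at 10.1.100.1 through 10.1.103.1 with the core-side addresses ending in .2.

```cisco
! Core switch (IOS), hypothetical addressing:
!   VLAN 10 users 10.1.10.0/24 -> context A, inside subif 10.1.100.1 (core side 10.1.100.2)
!   VLAN 20 users 10.1.20.0/24 -> context B, inside subif 10.1.101.1 (core side 10.1.101.2)
!   VLAN 30 users 10.1.30.0/24 -> context C, inside subif 10.1.102.1 (core side 10.1.102.2)
!   VLAN 40 users 10.1.40.0/24 -> context D, inside subif 10.1.103.1 (core side 10.1.103.2)
!
! One ACL per user subnet: the match is on SOURCE only, destination any.
ip access-list extended PBR-VLAN10
 permit ip 10.1.10.0 0.0.0.255 any
ip access-list extended PBR-VLAN20
 permit ip 10.1.20.0 0.0.0.255 any
ip access-list extended PBR-VLAN30
 permit ip 10.1.30.0 0.0.0.255 any
ip access-list extended PBR-VLAN40
 permit ip 10.1.40.0 0.0.0.255 any
!
! "set ip default next-hop" only takes effect when the routing table has no
! explicit (non-default) route for the destination, so campus-internal
! prefixes learned via OSPF keep normal forwarding and only traffic that
! would otherwise follow the default route is steered to its own context.
route-map STEER-TO-CONTEXT permit 10
 match ip address PBR-VLAN10
 set ip default next-hop 10.1.100.1
route-map STEER-TO-CONTEXT permit 20
 match ip address PBR-VLAN20
 set ip default next-hop 10.1.101.1
route-map STEER-TO-CONTEXT permit 30
 match ip address PBR-VLAN30
 set ip default next-hop 10.1.102.1
route-map STEER-TO-CONTEXT permit 40
 match ip address PBR-VLAN40
 set ip default next-hop 10.1.103.1
!
! PBR acts on ingress only, so apply it on every core interface that
! receives traffic from the distribution layer (interface name assumed).
interface TenGigabitEthernet1/1
 description uplink from distribution
 ip policy route-map STEER-TO-CONTEXT
!
! Because the ASA is stateful, each context must route its VLAN's subnet
! back through the core so replies return inside the context that saw
! the outbound flow, e.g. in context A:
!   route inside 10.1.10.0 255.255.255.0 10.1.100.2
```

If the switch platform does not support `set ip default next-hop` in hardware, add `deny` entries for the campus prefixes ahead of the `permit` in each ACL and use plain `set ip next-hop` instead. `show route-map STEER-TO-CONTEXT` shows per-clause policy match counters for verifying that each VLAN is hitting its intended clause.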