Forward traffic between two security contexts

Answered Question
Jun 15th, 2010

Hi experts,

I have an ASA 5510 with a Security Plus license, which can support two security contexts. In my case, I will share E0/0 as the outside interface to the Internet. I will have VLANs on E0/1 (sub-interfaces) and I don't know if I should share them all between the two contexts or assign half to one context and the rest to another. Please note that I will have inter-VLAN traffic between any two VLANs and the ASA needs to do inter-VLAN routing.

I actually never really wanted to partition the firewall. The only reason is that I want to run active/active failover with another ASA 5510. Do you think I should configure the failover this way, or would it be better just to keep it simple and run active/standby? Can anybody please provide me with an example config?

Thanks!

Difan

edadios Tue, 06/15/2010 - 23:48

It will be best to set interfaces independently of contexts, especially if you plan to do active/active.

If still sharing the outside, please note that you need to ensure you create the translations for the devices behind a specific context, as this is the way for the firewall to determine which context traffic should be forwarded to.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806

The active/active failover configuration guide is here:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/ha_active_active.html

If you will be sharing interfaces in an active/active setup, you will need to be more careful about routing, and about making sure you have classification of traffic for each specific context defined.

If you need the bandwidth, then doing active/active will help.

Do remember that a multi-context, active/active setup will not support features like VPN termination, among others.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747

If you want to make it simple, do sub-interfaces on E0/0 too, do not share outside interfaces, and do an active/standby setup.

Regards,

Difan Zhao Wed, 06/16/2010 - 16:08

Edadios,

Thanks for the reply! OK, let's forget about the failover for now. Just two contexts (admin and Context1), and I want VLAN100 of admin to be able to talk to VLAN20 of Context1. Here is my current config:

=========== system ===============

interface Ethernet0/1.20
vlan 20
!
interface Ethernet0/1.100
vlan 100
!
admin-context admin
context admin
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1.100
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!

context Context1
  description Test Context
  allocate-interface Ethernet0/0 visible
  allocate-interface Ethernet0/1.20 visible
  config-url disk0:/Context1.cfg

===========  admin  ==============

interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.128
!
interface Ethernet0/1.100
nameif vlan100
security-level 100
ip address 10.1.100.1 255.255.255.0
!

global (outside) 1 interface
nat (vlan100) 1 10.1.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.20.0 255.255.255.0 1.1.1.3 1
!

============= Context1 ==============

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.3 255.255.255.128
!
interface Ethernet0/1.20
nameif vlan20
security-level 100
ip address 10.1.20.1 255.255.255.0
!

access-list ACL_outside extended permit icmp any any

access-group ACL_outside in interface outside

!

global (outside) 1 interface
nat (vlan20) 1 10.1.20.0 255.255.255.0

static (vlan20,outside) 10.1.20.0 10.1.20.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.100.0 255.255.255.0 1.1.1.2 1
!

The above configs (especially the ones in red) are required for a PC (10.1.100.100 of admin context) to ping another PC (10.1.20.100 of Context1). However, in this case the PC 10.1.20.100 can't browse the Internet anymore because of the "static ()" command... Is there no easier way of doing this?

Thanks!

Correct Answer
edadios Wed, 06/16/2010 - 20:08

Remove the static you configured for Context1

no static (vlan20,outside) 10.1.20.0  10.1.20.0 netmask 255.255.255.0

Configure this in Context1

################

access-list 100 permit ip 10.1.20.0 255.255.255.0 10.1.100.0 255.255.255.0

static (vlan20,outside) 10.1.20.0 access-list 100

clear xlate

clear local-host

################

The last two lines will clear connections, which will be rebuilt when traffic passes again.

Here is the documentation for you:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

Regards,
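The two mechanisms behind this answer, and behind the earlier note that the firewall needs translations to decide which context owns traffic on a shared interface, are easy to confuse, so here is an added simulation (not Cisco code and not from either poster) of the pre-8.3 ASA behaviour the thread relies on. It models the NAT order of operations, where a static (including a policy static with an access-list) is matched before the nat/global dynamic PAT, and the shared-interface classifier, which hands a packet to the context whose static or global mapped addresses contain the destination. The addresses are the ones posted in the thread; the Internet destination 198.51.100.10 is a constructed TEST-NET-2 host, and the rule classes are my own simplification, not a full ASA NAT engine.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added simulation, not Cisco code. It models two ASA 8.2 behaviours from this
# thread: (1) NAT order of operations on the pre-8.3 syntax, where a static
# (including a policy static with an access-list) takes precedence over
# nat/global dynamic PAT; (2) the multi-context classifier on a shared
# interface, which hands a packet to the context whose static/global mapped
# addresses contain the packet's destination. Addresses come from the thread.

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class StaticRule:
    """static (real_if,mapped_if) <mapped> <real> netmask <mask> -> policy_dst=None
    static (real_if,mapped_if) <mapped> access-list <acl>       -> policy_dst=ACL dest"""
    real: Net
    mapped: Net
    policy_dst: Optional[Net] = None


@dataclass
class DynamicPat:
    """nat (real_if) 1 <real> together with global (mapped_if) 1 interface."""
    real: Net
    interface_addr: Addr


@dataclass
class Context:
    name: str
    statics: List[StaticRule] = field(default_factory=list)
    pat: Optional[DynamicPat] = None

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Source translation for a packet leaving this context towards 'outside'."""
        src, dst = Addr(pkt.src), Addr(pkt.dst)
        # Statics are matched first; a blanket static hits every destination,
        # a policy static only the destinations named in its access-list.
        for rule in self.statics:
            if src in rule.real and (rule.policy_dst is None or dst in rule.policy_dst):
                offset = int(src) - int(rule.real.network_address)
                return Packet(str(rule.mapped.network_address + offset), pkt.dst)
        # Only if no static matched does dynamic PAT to the interface address apply.
        if self.pat is not None and src in self.pat.real:
            return Packet(str(self.pat.interface_addr), pkt.dst)
        return pkt  # nothing configured for this source

    def claimed_on_outside(self) -> List[Net]:
        """Mapped addresses the classifier attributes to this context on the shared outside."""
        nets = [rule.mapped for rule in self.statics]
        if self.pat is not None:
            nets.append(Net(f"{self.pat.interface_addr}/32"))
        return nets


def classify(contexts: List[Context], pkt: Packet) -> Optional[str]:
    """Pick the context for a packet arriving on the shared outside interface."""
    dst = Addr(pkt.dst)
    for ctx in contexts:
        if any(dst in net for net in ctx.claimed_on_outside()):
            return ctx.name
    return None  # no context claims the destination: the ASA drops it


VLAN20 = Net("10.1.20.0/24")     # Context1, real addresses
VLAN100 = Net("10.1.100.0/24")   # admin, real addresses
INTERNET_HOST = "198.51.100.10"  # constructed TEST-NET-2 destination

ADMIN = Context("admin", pat=DynamicPat(VLAN100, Addr("1.1.1.2")))


def build_context1(policy_static: bool, with_static: bool = True) -> Context:
    """Context1 as posted (blanket identity static) or as corrected (policy static)."""
    statics = []
    if with_static:
        statics.append(StaticRule(VLAN20, VLAN20, VLAN100 if policy_static else None))
    return Context("Context1", statics, DynamicPat(VLAN20, Addr("1.1.1.3")))


if __name__ == "__main__":
    to_internet = Packet("10.1.20.100", INTERNET_HOST)
    to_admin = Packet("10.1.20.100", "10.1.100.100")
    for label, ctx in (("blanket static", build_context1(False)),
                       ("policy static", build_context1(True))):
        print(label, "->", ctx.translate_outbound(to_internet), ctx.translate_outbound(to_admin))
    contexts = [ADMIN, build_context1(True)]
    for dst in ("10.1.20.100", "1.1.1.2", "10.1.30.5"):
        print("classify", dst, "->", classify(contexts, Packet("1.1.1.2", dst)))
```

Run stand-alone, the model reproduces the symptom from the thread: with the blanket identity static, a packet from 10.1.20.100 to the Internet leaves with its private source address untouched (no return path), while the policy static exempts only the 10.1.100.0/24 destination and lets everything else fall through to PAT on 1.1.1.3. The classifier side shows why some static is still required: without it, nothing on the shared outside claims 10.1.20.0/24 and the packet from admin is dropped. Two caveats: the classifier only needs the mapped addresses, so every VLAN reachable across contexts needs its own static or ACL line, which is the growth the thread's last post runs into; and this is the pre-8.3 NAT syntax, since ASA 8.3 rewrote NAT configuration.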

Difan Zhao Fri, 06/18/2010 - 15:46

The command works! Now traffic can pass between the two contexts. However, I also found out that the number of configs will increase exponentially if I have more than one VLAN that I want traffic to pass through... So I decided to give up the active/active failover setup... Thanks a lot for your help!
