06-15-2010 11:04 PM - edited 03-11-2019 11:00 AM
Hi experts,
I have 5510 ASA with security plus license and can support two security contexts. In my case, I will share E0/0 as the outside interface to Internet. I will have VLANs on E0/1 (sub-interfaces) and I don't know if I should share them all between two contexts or assign half to one context and rest to another. Please note that I will have inter VLAN traffic between any two VLANs and the ASA needs to do inter-vlan routing.
I actually never really want to partition the firewall. The only reason is that I want to run active/active failover with another ASA5510. Do you think I should configure the failover this way or it will better just to keep it simple and run Active/Standby? Can anybody please provide me an example config?
Thanks!
Difan
06-16-2010 08:08 PM
Remove the static you configured for Context1
no static (vlan20,outside) 10.1.20.0 10.1.20.0 netmask 255.255.255.0
Configure this in Context1
################
access-list 100 permit ip 10.1.20.0 255.255.255.0 10.1.100.0 255.255.255.0
static (vlan20,outside) 10.1.20.0 access-list 100
clear xlate
clear local-host
################
The last two lines will clear the existing connections, which will be rebuilt when traffic passes again.
Here is the documentation for you:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075
Regards,
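The reason the first identity static broke Internet access while the policy static does not comes down to two ASA behaviours: on a shared outside interface the classifier assigns an inbound packet to a context by matching its destination against that context's mapped static addresses and interface IP (which is why some static for 10.1.20.0/24 is needed at all), and static translations are consulted before the dynamic nat/global PAT, so an unrestricted identity static sends VLAN20 hosts to the Internet with their private address. The model below is an added illustration written for this thread, not ASA code or anything from the original posts; the NAT precedence it encodes (policy static, then regular static, then dynamic PAT to the interface), the classifier rule, and the Internet host address 198.51.100.10 are assumptions of the model, and the context definitions are transcribed from the configuration posted in the thread.

```python
"""Model of how an ASA in multiple-context mode treats the two Context1
configurations from the thread on a shared outside interface.

Added illustration only (not ASA code).  Assumed behaviour:
  - translation order for a new connection: policy static, regular static,
    then dynamic nat/global PAT to the interface address;
  - the classifier owns a packet arriving on the shared outside interface when
    its destination matches the context's interface IP or a mapped static range.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Static:
    """static (inside,outside) real mapped netmask ..., or the policy form with access-list."""
    real: Net
    mapped: Net
    dest: Optional[Net] = None  # set for a policy static: applies only to this destination


@dataclass
class Context:
    name: str
    outside_ip: str  # ip address on the shared outside interface
    statics: List[Static] = field(default_factory=list)
    dynamic: List[Net] = field(default_factory=list)  # nat (inside) 1 <net> + global (outside) 1 interface


def translate(ctx: Context, src: str, dst: str) -> str:
    """Translated source for a new inside->outside connection (assumed order, see module docstring)."""
    s, d = IPv4(src), IPv4(dst)
    for st in ctx.statics:  # policy statics first
        if st.dest is not None and s in st.real and d in st.dest:
            return str(st.mapped[int(s) - int(st.real.network_address)])
    for st in ctx.statics:  # then regular statics
        if st.dest is None and s in st.real:
            return str(st.mapped[int(s) - int(st.real.network_address)])
    for net in ctx.dynamic:  # finally dynamic PAT to the interface address
        if s in net:
            return ctx.outside_ip
    return src  # nothing matched: shown untranslated (nat-control would drop it)


def classify(contexts: List[Context], dst: str) -> List[str]:
    """Contexts that would own a packet arriving on the shared outside with this destination."""
    d = IPv4(dst)
    return [
        ctx.name
        for ctx in contexts
        if d == IPv4(ctx.outside_ip) or any(d in st.mapped for st in ctx.statics)
    ]


# Contexts as posted in the thread.
ADMIN = Context("admin", "1.1.1.2", dynamic=[Net("10.1.100.0/24")])

# Context1 as first posted: regular identity static for the whole VLAN.
CONTEXT1_BEFORE = Context(
    "Context1", "1.1.1.3",
    statics=[Static(Net("10.1.20.0/24"), Net("10.1.20.0/24"))],
    dynamic=[Net("10.1.20.0/24")],
)

# Context1 with the policy static from the solution (access-list 100 limits it to 10.1.100.0/24).
CONTEXT1_AFTER = Context(
    "Context1", "1.1.1.3",
    statics=[Static(Net("10.1.20.0/24"), Net("10.1.20.0/24"), dest=Net("10.1.100.0/24"))],
    dynamic=[Net("10.1.20.0/24")],
)

INTERNET_HOST = "198.51.100.10"  # constructed address from the documentation range


def compare() -> dict:
    """Side-by-side results for the two Context1 configurations."""
    return {
        "before_internet": translate(CONTEXT1_BEFORE, "10.1.20.100", INTERNET_HOST),
        "after_internet": translate(CONTEXT1_AFTER, "10.1.20.100", INTERNET_HOST),
        "after_vlan100": translate(CONTEXT1_AFTER, "10.1.20.100", "10.1.100.100"),
        "admin_to_vlan20": translate(ADMIN, "10.1.100.100", "10.1.20.100"),
        "owner_of_vlan20_host": classify([ADMIN, CONTEXT1_AFTER], "10.1.20.100"),
        "owner_of_admin_outside": classify([ADMIN, CONTEXT1_AFTER], "1.1.1.2"),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Under the first configuration the model leaves 10.1.20.100 untranslated toward the Internet host (the static wins over the dynamic PAT), which is the symptom reported in the thread; with the policy static the same host is PAT'd to 1.1.1.3 for Internet traffic and keeps its real address only toward 10.1.100.0/24, while the mapped 10.1.20.0/24 range still lets the classifier hand packets for that VLAN to Context1. The model covers new connections only; replies on an established connection follow the existing xlate on the real box.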
06-15-2010 11:48 PM
It will be best to set interfaces independently of contexts, especially if you plan to do active/active.
If still sharing the outside, please note that you need to ensure you create the translations for the devices behind the specific context, as this is the way for the firewall to determine which context traffic should be forwarded to.
Active/active failover configuration guide is here:
If you will be sharing interfaces and using an active/active setup, the more you will need to be careful about routing, and making sure you have classification of traffic for the specific context defined.
If you need the bandwidth then doing active/active will help.
Do remember that setting up for multi-context, and active/active, will not support features like VPN termination among others.
If you want to make it simple, do sub-interfaces on e0/0 too, do not share outside interfaces, and do an active/standby setup.
Regards,
06-16-2010 04:08 PM
Edadios,
Thanks for the reply! OK, let's forget about the failover for now. Just two contexts (admin and Context1), and I want VLAN100 of admin to be able to talk to VLAN20 of Context1. Here is my current config:
=========== system ===============
interface Ethernet0/1.20
vlan 20
!
interface Ethernet0/1.100
vlan 100
!
admin-context admin
context admin
allocate-interface Ethernet0/0
allocate-interface Ethernet0/1.100
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
context Context1
description Test Context
allocate-interface Ethernet0/0 visible
allocate-interface Ethernet0/1.20 visible
config-url disk0:/Context1.cfg
=========== admin ==============
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.128
!
interface Ethernet0/1.100
nameif vlan100
security-level 100
ip address 10.1.100.1 255.255.255.0
!
global (outside) 1 interface
nat (vlan100) 1 10.1.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.20.0 255.255.255.0 1.1.1.3 1
!
============= Context1 ==============
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.3 255.255.255.128
!
interface Ethernet0/1.20
nameif vlan20
security-level 100
ip address 10.1.20.1 255.255.255.0
!
access-list ACL_outside extended permit icmp any any
access-group ACL_outside in interface outside
!
global (outside) 1 interface
nat (vlan20) 1 10.1.20.0 255.255.255.0
static (vlan20,outside) 10.1.20.0 10.1.20.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.100.0 255.255.255.0 1.1.1.2 1
!
The above configs (especially the ones in red) are required for a PC (10.1.100.100 of the admin context) to ping another PC (10.1.20.100 of Context1). However, in this case the PC 10.1.20.100 can't browse the Internet anymore because of the "static ()" command... Is there no easier way of doing this?
Thanks!
06-18-2010 03:46 PM
The command works! Now traffic can pass between the two contexts. However, I also found out that the number of configs will increase exponentially if I have more than one VLAN that I want traffic to pass through... So I decided to give up the active/active failover setup... Thanks a lot for your help!
06-18-2010 06:45 PM
Happy to be of help to you.
Regards,
06-21-2010 11:40 PM
Great solution.