09-09-2010 04:45 PM - edited 03-11-2019 11:38 AM
Hi All,
I am implementing a multi-context ASA firewall on our network. We have a few customers coming from the Internet via VRFs. The firewall is directly connected to the core switch, which is directly connected to the core router (VRF), which is connected to the Internet.
Does anybody know what would be the ideal scenario for designing a multi-context ASA with VRFs? I have never done anything using VRFs, so I am out of ideas on this one. Any customer who needs access to the Internet would have their own firewall context.
Thanks
09-09-2010 11:24 PM
Per my understanding, your topology is like the following.
Internet---VRF_router-------CoreSwitch--------ASA
I don't think the ASA can terminate VRFs, so you have to use VLANs to separate the different customers.
Say you have Customers A, B and C coming into the VRF router on VRFs A, B and C respectively.
On Core Switch
You can create 3 VLANs, VLAN A, VLAN B and VLAN C, one for each customer; no Layer 3 interfaces are needed for those VLANs on the core switch.
Then you can configure the ports facing the ASA and the VRF_router in the related VLAN, or use a trunk if multiple customers share one physical port.
On VRF Router
You need to configure the physical interface or subinterface with an IP address and put it in the related VRF. If it's a subinterface, make sure your VLAN and VRF match.
On ASA
You need to put the port in the related VLAN and create a context for each customer.
09-09-2010 11:48 PM
Thanks for the reply Yudong.
I am planning to keep the outside interfaces for all customers as a shared interface (same VLAN) and all the inside interfaces as unique VLANs. If I do this, what important configs should I keep in mind while configuring shared interfaces on the ASA?
I would also need to configure SNMP on the contexts. Somewhere I read that you can't configure SNMP on the system context. What kind of MIBs can I configure on all the contexts?
Thanks
09-10-2010 05:21 AM
Hello,
This link outlines the caveats to shared interfaces and how the packet classifier works:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806
This link describes how to setup SNMP monitoring:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_snmp.html
And this link contains the supported MIBs on the ASA:
ftp://ftp-sj.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html
You can also do a 'show snmp-server oidlist' on the ASA and that will list the supported OIDs that you can poll.
Hope that helps.
-Mike
09-10-2010 08:50 AM
Personally, I don't like to use shared interfaces. But if you would like to use them, you need to pay attention to the following:
- Make sure a unique MAC address is used for the shared interface in each context. You can use the mac-address auto feature. Please read the link provided by Mike in the post below to understand how the ASA classifies packets in this situation.
- Since you cannot use VLANs to separate the traffic between different customers, you have to rely on routing to make sure the traffic is forwarded to the correct customer.
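A worked configuration for the design discussed in this thread (per-customer VLANs on the core switch, a shared outside interface plus unique inside VLANs on the ASA, and mac-address auto so each context gets its own MAC on the shared interface). This is an added example, not configuration from any poster; all interface names, VLAN numbers, context names and IP addresses are hypothetical placeholders.

```cisco
! --- Core switch (IOS): Layer 2 only, no SVIs for customer VLANs ---
vlan 100
 name asa-shared-outside
vlan 201
 name custA-inside
vlan 202
 name custB-inside
interface GigabitEthernet1/0/1
 description to ASA Gi0/0 (shared outside)
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet1/0/2
 description to ASA Gi0/1 (trunk, one inside VLAN per customer)
 switchport mode trunk
 switchport trunk allowed vlan 201,202
! --- ASA system execution space (already in multiple mode) ---
interface GigabitEthernet0/0
 description shared outside, VLAN 100 on core switch
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
! give each context its own MAC on the shared interface so the
! classifier can map an incoming frame to a context by destination MAC
mac-address auto
context custA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.201
 config-url disk0:/custA.cfg
context custB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.202
 config-url disk0:/custB.cfg
! --- Context custA (custB is the same with its own addresses/VLAN) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface GigabitEthernet0/1.201
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Each context's outside address must be unique on VLAN 100, and the upstream router's route for a customer's inside prefix must point at that customer's context outside address, so that ARP resolves to the context's auto-assigned MAC and the frame is classified into the right context.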
Mike has provided SNMP info to you.
09-12-2010 10:22 PM
Thanks to Yudong and Mike for helping me with this!!