Multi context design question

sidcracker
Level 1

Hi All,

I am implementing a multi-context ASA firewall on our network. We have a few customers coming from the Internet via VRFs. The firewall is directly connected to the core switch, which is directly connected to the core router (VRF), which is connected to the Internet.

Does anybody know what would be the ideal scenario for designing a multi-context ASA with VRFs? I have never done anything using VRFs, so I am out of ideas on this one. Any customer who needs access to the Internet would have their own firewall context.

Thanks

5 Replies

Yudong Wu
Level 7

Per my understanding, your topology is like the following.

Internet---VRF_router-------CoreSwitch--------ASA

I don't think the ASA can terminate VRFs, so you have to use VLANs to separate the different customers.

Say you have Customers A, B and C coming into the VRF router on VRFs A, B and C respectively.

On Core Switch

You can create 3 VLANs, VLAN A, VLAN B and VLAN C, one for each customer. No layer 3 interfaces for those VLANs are needed on the core switch.

Then you can configure the ports facing the ASA and the VRF router in the related VLAN, or use a trunk if multiple customers share one physical port.

On VRF Router

You need to configure the physical interface or subinterface with an IP address and put it in the related VRF. If it's a subinterface, make sure your VLAN and VRF match.

On ASA

You need to put the port in the related VLAN and create a context for each customer.
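Yudong's three steps, put together as one concrete configuration. This is an added example, not anything posted in the thread: the customer names CustA/CustB, the VLAN IDs 10/20 (outside) and 110/120 (inside), the route distinguishers, interface numbers and addresses are all assumptions, and the syntax targets classic IOS on the router and switch and an ASA 8.x in multiple-context mode. The point to check against your own build is that each customer rides a distinct VLAN end to end, the switch has no SVI on those VLANs, and the router's subinterface for a VLAN sits in exactly the VRF that customer arrives on.

```cisco
! === VRF router (IOS) ===
! Added example; VRF names, VLAN IDs and addresses are assumptions.
ip vrf CustA
 rd 65000:10
ip vrf CustB
 rd 65000:20
!
! The dot1Q tag must match the core-switch VLAN for that customer.
! 'ip vrf forwarding' goes BEFORE 'ip address': IOS clears the address
! when the interface's VRF membership changes.
interface GigabitEthernet0/1
 description Trunk to core switch
 no ip address
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CustA
 ip address 10.10.0.1 255.255.255.252
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding CustB
 ip address 10.20.0.1 255.255.255.252
!
! Each customer's inside network is reachable only inside that customer's
! VRF, via that customer's ASA context.
ip route vrf CustA 192.168.10.0 255.255.255.0 10.10.0.2
ip route vrf CustB 192.168.20.0 255.255.255.0 10.20.0.2

! === Core switch (IOS), layer 2 only for these VLANs ===
vlan 10
 name CustA-outside
vlan 20
 name CustB-outside
vlan 110
 name CustA-inside
vlan 120
 name CustB-inside
! Deliberately no 'interface Vlan10' etc.: the switch must not route
! between customers; only the router (per VRF) and the ASA (per context) do.
interface GigabitEthernet1/0/1
 description To VRF router Gi0/1
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface GigabitEthernet1/0/2
 description To ASA Gi0/0 (customer outside VLANs)
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface GigabitEthernet1/0/3
 description To ASA Gi0/1 (customer inside VLANs)
 switchport trunk allowed vlan 110,120
 switchport mode trunk

! === ASA system execution space ===
mode multiple
interface GigabitEthernet0/0
 description Trunk to core switch, customer outside VLANs
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 description Trunk to core switch, customer inside VLANs
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
! One context per customer; each gets only its own two subinterfaces,
! under mapped names so the context config never sees the VLAN numbers.
context CustA
  description Customer A
  allocate-interface GigabitEthernet0/0.10 outside
  allocate-interface GigabitEthernet0/1.110 inside
  config-url disk0:/CustA.cfg
context CustB
  description Customer B
  allocate-interface GigabitEthernet0/0.20 outside
  allocate-interface GigabitEthernet0/1.120 inside
  config-url disk0:/CustB.cfg

! === Inside context CustA ('changeto context CustA') ===
interface outside
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.252
interface inside
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.0.1
```

Because no interface is shared between contexts, the ASA classifies every inbound packet by the subinterface it arrived on and the shared-interface caveats discussed later in this thread do not apply. Customer B's context is the mirror image of A with its own VLANs and a 10.20.0.x point-to-point to the router.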

Thanks for the reply Yudong.

I am planning to keep the outside interfaces for all customers as a shared interface (same VLAN) and all the inside interfaces as unique VLANs. If I do this, what important configs should I keep in mind while configuring shared interfaces on the ASA?

I would also need to configure SNMP on the contexts. Somewhere I read that you can't configure SNMP on the system context. What kind of MIBs can I configure on all the contexts?

Thanks

Hello,

This link outlines the caveats to shared interfaces and how the packet classifier works:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806

This link describes how to setup SNMP monitoring:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_snmp.html

And this link contains the supported MIBs on the ASA:

ftp://ftp-sj.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

You can also do a 'show snmp-server oidlist' on the ASA and that will list the supported OIDs that you can poll.

Hope that helps.

-Mike

Personally, I don't like to use shared interfaces. But if you would like to use one, you need to pay attention to the following:

- Make sure a unique MAC address is used for the shared interface in each context. You can use the mac-address auto feature. Please read the link provided by Mike in the post below to understand how the ASA classifies the packet in this situation.

- Since you cannot use VLANs to separate the traffic between different customers, you have to rely on routing to make sure the traffic is forwarded to the correct customer.

Mike has provided SNMP info to you.
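The shared-outside variant the original poster described, with Yudong's two points and Mike's SNMP pointer applied. This is an added example, not configuration from the thread; context names, VLAN 110/120, the 203.0.113.0/24 outside subnet, the VRF name SharedOutside, the SNMP poller address and community string are assumptions. One caveat the thread does not spell out: a router interface or subinterface belongs to exactly one VRF, so a single outside VLAN shared by every context can only attach to one VRF on the core router. In this design the per-customer VRF separation therefore ends at the router; what keeps customers apart is the destination routing toward each context's own outside address plus the policy inside each context.

```cisco
! === ASA system execution space (shared outside) ===
! Added example; names and addresses are assumptions.
! Give every context its own MAC on the shared interface. Without unique
! MACs the 8.2 classifier has to fall back to matching the destination
! address against each context's NAT configuration.
mac-address auto
!
interface GigabitEthernet0/0
 description Shared outside, one VLAN for all customers
 no shutdown
interface GigabitEthernet0/1
 description Trunk to core switch, unique inside VLAN per customer
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
!
! The same physical outside interface is allocated to both contexts;
! the inside subinterfaces stay unique.
context CustA
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.110 inside
  config-url disk0:/CustA.cfg
context CustB
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.120 inside
  config-url disk0:/CustB.cfg

! === Context CustA ===
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! SNMP lives in each customer context, not in the system space.
! Here the poller sits on the customer's inside network (assumed address).
snmp-server host inside 192.168.10.50 community N0tPublic version 2c
snmp-server community N0tPublic
snmp-server enable traps snmp linkup linkdown

! === Context CustB: same outside subnet, different address ===
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.12 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! === VRF router: the shared VLAN can sit in only one VRF ===
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding SharedOutside
 ip address 203.0.113.1 255.255.255.0
! Routing, not a VLAN, selects the context: each customer's inside
! network is pointed at that context's outside address.
ip route vrf SharedOutside 192.168.10.0 255.255.255.0 203.0.113.11
ip route vrf SharedOutside 192.168.20.0 255.255.255.0 203.0.113.12
```

Two checks worth running after this is in place: from inside each context, `show interface` should report a different MAC address on `outside` for CustA and CustB (confirming mac-address auto took effect), and `show snmp-server oidlist`, as Mike notes above, lists the OIDs that context will actually answer for, which is the quickest way to see which MIBs your poller can use.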

Thanks to Yudong and Mike for helping me with this!!
