ASA basics

Maro.Cisco
Level 1

Dears, please correct me if I'm wrong. I have a question: by default, when I'm configuring an ASA, I'll have only 1 exit interface, 1 internal and 1 DMZ, and I will apply my policies to these interfaces. However, if I need to apply different external, internal and DMZ policies, I'll have to use security contexts, which basically split my ASA into two different firewall systems, and I have the ability to either use the same interface I used on context1 or choose other interfaces?

Accepted Solution

Hi,

Yes, usually if you want to keep certain networks apart from each other then you would configure the ASA in Multiple Context mode. For example, in my work I constantly deal with virtualized ASAs since I work for an ISP.

Sometimes I guess configuring Multiple Context mode might be needed because you have some overlapping networks which naturally can't really be used with a single ASA.

A key thing to notice with Multiple Context mode ASAs is usually the fact that you will lose the ability to configure VPN client connections of any type on that ASA. That's a deal breaker for some. Naturally you can always host VPN services on a separate device if needed also.

You should be able to control traffic on a single ASA with ACLs attached to each interface. Even if you had, for example, global inspection enabled for ICMP and FTP, you could still simply block those connections from behind a single interface if you wanted. The "inspect" commands won't affect what traffic is allowed if the ACL is already defined to block that traffic.

- Jouni

6 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure what you mean by policies. If you simply mean "access-lists" that control traffic, then you can naturally configure ACLs for each interface separately.

You would typically virtualize the ASA to Multiple Context mode when you want to "completely" separate the 2 LAN/DMZ networks. In this case you could naturally share the same "outside" interface on both Security Contexts if you wanted. Naturally, if you have a small public subnet, the choice would probably be to share the "outside" interface.

- Jouni
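As an added illustration of the shared-outside-interface arrangement described above (this is example configuration, not from the original thread or from Cisco documentation; the context names, interface numbers and file names are constructed), the system execution space of an ASA in multiple context mode would allocate one physical outside interface to both contexts while giving each context its own inside interface:

```text
! System execution space. Switching to multiple context mode requires a reload;
! the existing single-mode configuration becomes the "admin" context.
mode multiple

! Shared interfaces need distinct MAC addresses per context so the ASA can
! classify ingress packets to the right context.
mac-address auto

context ctx1
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1 inside
 config-url disk0:/ctx1.cfg

context ctx2
 ! Same physical outside interface as ctx1 (shared); separate inside interface.
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/2 inside
 config-url disk0:/ctx2.cfg
```

Each context then carries its own nameif, security-level, ACLs and inspection policy, so ctx1 and ctx2 behave as two independent firewalls. The trade-off the accepted answer mentions still applies: remote-access VPN is not available in multiple context mode on the ASA releases this thread was written about, so keep that decision in mind before splitting the box.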

What I mean is that if you have configured ICMP inspection on the ASA, then all ICMP traffic coming in on your interfaces will be allowed. Let's say you're attaching this new LAN to your ASA and you don't want to enable ICMP inspection. Is this when you would use a context, first to have a separate firewall for this new LAN, and where you can apply what type of packets you want to inspect?

Hi,

Even if you use the ASA's default global inspection policy for all the ASA interfaces, then you still naturally have the option to block the ICMP in an interface ACL. You can simply build an ACL on the new interface on the ASA that blocks the ICMP traffic.

Even though I have never done so, I guess you could always remove the default inspection policy that is attached globally and configure a separate policy for each interface and configure them in different ways.

But if your only goal is to limit traffic from a new interface on the ASA, then you could naturally just use interface ACLs to block the traffic you need to block and allow the traffic you need to allow.

- Jouni
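Both of Jouni's points above (an interface ACL takes effect regardless of the global inspection policy, and a per-interface service policy can replace the global one for a single interface) can be shown in single-context configuration. The following is an added example and not configuration from the thread; the interface name, subnet and ACL names are constructed, and `inspect icmp` is shown in the global policy only because the question assumes ICMP inspection is enabled:

```text
! Constructed example: a new LAN attached to a spare interface.
interface GigabitEthernet0/3
 nameif newlan
 security-level 50
 ip address 192.0.2.1 255.255.255.0

! Option 1 (what the answer recommends): leave the global inspection policy
! alone and block ICMP with an interface ACL. The ACL is evaluated before any
! inspection, so "inspect icmp" never sees the denied packets.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
service-policy global_policy global

access-list NEWLAN_IN extended deny icmp any any
access-list NEWLAN_IN extended permit ip any any
access-group NEWLAN_IN in interface newlan

! Option 2 (the alternative Jouni says he has not tried): give the new
! interface its own policy without ICMP inspection. An interface service
! policy takes precedence over the global policy for that interface, so
! FTP is still inspected here but ICMP is not.
policy-map newlan_policy
 class inspection_default
  inspect ftp
service-policy newlan_policy interface newlan

! Verification (real ASA commands): confirm the ACL hit count increments and
! trace a simulated echo request from the new LAN to see which rule dropped it.
! show access-list NEWLAN_IN
! packet-tracer input newlan icmp 192.0.2.10 8 0 198.51.100.5
```

Option 1 is the safer change on a production box: it is additive, easy to audit with `show access-list`, and leaves the shared global policy untouched for every other interface. Option 2 changes what stateful inspection is applied, so test it with `packet-tracer` on the interface before relying on it, and remember that without `inspect icmp` the ASA will not build a stateful entry for ICMP that leaves through that interface, so return echo replies need an explicit ACL permit on the far side.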

So basically I'll only need to use multiple contexts if I need to separate the new LANs, as if each is connected to a separate firewall, but if I'm not using multiple contexts I shouldn't find any limitations with controlling my traffic?

Thank you, you were a great help.
