ASA Internal Routing

Is there a way to internally route between contexts on an ASA firewall. For example: say I have two contexts on my ASA (Context A and Context B). Is there a way to route from Context A to Context B without the use of another device?

Accepted Solution

Hi,

We have usually done this through another device (core router/switch) but I guess this is something that you specifically want to avoid.

The only thing I can think of quickly, but something that I have not tested myself, would be to configure a shared interface for both Security Contexts and configure the necessary routes required to reach the networks in the other Security Context.

I guess for traffic forwarding to work between 2 Security Contexts it would at least require you to have a unique MAC address for each shared interface. In some older software levels the default setting was that if you configured an interface and shared it between multiple Security Contexts it would have an identical MAC address. In newer software the default setting is that the ASA chooses a unique MAC address for each Security Context (for the shared interface). The command/setting is configured in System Context mode and is "mac-address auto", and the other setting for it is "no mac-address auto". You can check this command in the ASA Command Reference.

But I think this should be possible by simply using a shared interface and configuring a link network between the Security Contexts using that interface. If the unique MAC address isn't enough to help the ASA classify the packet to the correct Security Context, I guess you might need to configure Identity NAT for each internal network that you want to be reached from the other Security Context.

It's quite a similar idea to Cascading Contexts, which Cisco has mentioned in the ASA Configuration Guide. Here's a link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_contexts.html#pgfId-1121392

Hope this helps :)

- Jouni
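The configuration the answer describes, written out as an added example (this is not from the original post or from Cisco's guide, and, like the answer itself, it is untested). Everything specific is assumed for illustration: the context names ctxA and ctxB, the shared subinterface GigabitEthernet0/1.100 on VLAN 100 used as the inter-context link, the /30 link network 10.255.255.0, and the internal networks 10.1.0.0/16 (ctxA) and 10.2.0.0/16 (ctxB). It shows the three pieces the answer lists: "mac-address auto" in the system execution space, a shared interface allocated to both contexts, and the routes plus identity NAT inside each context. Only the ctxA side is shown in full; ctxB mirrors it with the networks swapped.

```cisco
! ===== System execution space (assumed names and addresses) =====
! Give each context its own MAC on the shared interface so the ASA can
! classify inbound frames by destination MAC.
mac-address auto
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.100
 vlan 100
!
context ctxA
 allocate-interface GigabitEthernet0/0 a_inside
 allocate-interface GigabitEthernet0/1.100 link
 config-url disk0:/ctxA.cfg
!
context ctxB
 allocate-interface GigabitEthernet0/2 b_inside
 allocate-interface GigabitEthernet0/1.100 link
 config-url disk0:/ctxB.cfg

! ===== Context ctxA (mapped interface names from the system config) =====
interface a_inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
interface link
 nameif link
 security-level 50
 ip address 10.255.255.1 255.255.255.252
!
! Reach ctxB's internal network via ctxB's address on the shared segment.
route link 10.2.0.0 255.255.0.0 10.255.255.2
!
object network NET_A
 subnet 10.1.0.0 255.255.0.0
object network NET_B
 subnet 10.2.0.0 255.255.0.0
!
! Identity NAT: addresses stay unchanged, but the link interface now has a
! mapped-address entry for NET_A, which is the fallback the answer mentions
! if the unique MAC alone is not enough for classification.
nat (inside,link) source static NET_A NET_A destination static NET_B NET_B
!
! Traffic arriving from ctxB enters on the lower-security link interface,
! so it must be explicitly permitted; keep this as tight as the networks allow.
access-list LINK_IN extended permit ip object NET_B object NET_A
access-group LINK_IN in interface link

! ===== Context ctxB: same structure with the roles reversed =====
! interface link: ip address 10.255.255.2 255.255.255.252
! route link 10.1.0.0 255.255.0.0 10.255.255.1
! nat (inside,link) source static NET_B NET_B destination static NET_A NET_A
! access-list LINK_IN extended permit ip object NET_A object NET_B
```

To check the result before trusting it: in each context, "show interface link" should report a different MAC address on the shared interface (if both contexts show the same MAC, "mac-address auto" is not in effect in the system execution space), "show route" should list the route to the other context's network via the link, and "packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10" run in ctxA walks the packet through the route lookup, NAT and ACL phases and shows where it is dropped if the classification or policy is wrong. Note that the ACL on the link interface is what actually constrains inter-context traffic; a "permit ip any any" there would quietly turn two segregated contexts into one routed domain.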

 
