ASA Internal Routing

Mike Keenan
Level 1

Is there a way to internally route between contexts on an ASA firewall? For example, say I have two contexts on my ASA (Context A and Context B). Is there a way to route from Context A to Context B without the use of another device?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

We have usually done this through another device (core router/switch) but I guess this is something that you specifically want to avoid.

Only thing I can think of fast, but something that I have not tested myself, would be to configure a shared interface for both Security Contexts and configure the necessary routes required to reach the networks in the other Security Context.

I guess for traffic forwarding to work between 2 Security Contexts it would at least require you to have a unique MAC address for each shared interface. In some older software levels the default setting was that if you configured an interface and shared it between multiple Security Contexts it would have an identical MAC address. In newer software the default setting is that the ASA chooses a unique MAC address for each Security Context (for the shared interface). The command/setting is configured in System Context mode and is "mac-address auto", and the other setting for it is "no mac-address auto". You can check this command in the ASA Command Reference.

But I think this should be possible by simply using a shared interface and configuring a link network between the Security Contexts using that interface. If the unique MAC address ain't enough to help the ASA classify the packet to the correct Security Context, I guess you might need to configure Identity NAT for each internal network that you want to be reached from the other Security Context.

It's quite a similar idea to Cascading Contexts, which Cisco has mentioned in the ASA Configuration Guide. Here's a link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_contexts.html#pgfId-1121392

Hope this helps :)

- Jouni
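
The shared-link approach the answer describes, written out as an added ASA configuration example (this is not from the original post or from Cisco's documentation; the interface names, context names, network objects and addresses are assumed):

```text
! System execution space (constructed example; names and addresses are assumed)
! Unique MAC per context on shared interfaces, as the answer above describes
mac-address auto
interface GigabitEthernet0/0
interface GigabitEthernet0/1
interface GigabitEthernet0/2
context ContextA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2
  config-url disk0:/ContextA.cfg
context ContextB
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/ContextB.cfg
! Context A: Gi0/2 is the shared link segment, 10.255.255.0/30
interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
  nameif link
  security-level 50
  ip address 10.255.255.1 255.255.255.252
object network NET-A
  subnet 10.1.0.0 255.255.255.0
object network NET-B
  subnet 10.2.0.0 255.255.255.0
! Identity NAT keeps NET-A addresses unchanged on the link and gives the
! classifier an address-to-context mapping if the MAC alone is not enough
nat (inside,link) source static NET-A NET-A
! Only the peer context's inside network may enter from the link segment
access-list LINK-IN extended permit ip object NET-B object NET-A
access-group LINK-IN in interface link
route link 10.2.0.0 255.255.255.0 10.255.255.2
! Context B: mirror image of Context A
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/2
  nameif link
  security-level 50
  ip address 10.255.255.2 255.255.255.252
object network NET-B
  subnet 10.2.0.0 255.255.255.0
nat (inside,link) source static NET-B NET-B
access-list LINK-IN extended permit ip 10.1.0.0 255.255.255.0 object NET-B
access-group LINK-IN in interface link
route link 10.1.0.0 255.255.255.0 10.255.255.1
```

The inbound access lists on the link interface are what keep the two contexts from becoming one flat routing domain: each context admits only the peer's inside network, so the segmentation that motivated separate contexts still holds.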
