In my network there are a lot of different subnets, and for security reasons some subnets must be able to access others and some must not. In the network there are 2 Cisco Catalyst 6513 switches which are used as core devices, 2x ASA 5525 which are used as internal firewalls, and an access switch Catalyst 3750 which is used as a floor switch.
I want to group some subnets (VLANs), so I configured multi-context on the ASA and configured the ASAs in active/active mode. So some VLANs are included in some contexts on ASA1 (those contexts are active on ASA1) and other contexts on ASA2 (those contexts are active on ASA2). I use the EIGRP dynamic routing protocol on the ASAs. The ASAs run the new IOS 9.1 (as you know, EIGRP works in multi-context active/active mode).
As you know, by default the contexts cannot access each other, so I decided to use VRF-lite for this on the core switch.
Traffic flow (logically): the users' default gateway is the ASAs. The packet comes from the users to the internal ASA, then goes to the core switch.
For example: subnet 10.30.40.0 is in the active context on ASA1 and I want to access subnet 10.30.44.0 in the active context on ASA2.
When I ping from user 10.30.40.10 (ASA1 context C1, active) to user 10.40.44.10 (ASA2 context C2, active), the ping does not go through.
Active/active mode failover is working. When I turn off ASA2, all traffic passes through ASA1, and in this case C2 is active on ASA1, and at that time I can ping from C1 to C2. On ASA1 the different contexts are working.
The problem is that in active/active mode the different contexts are not working.
I attach the logical and physical topology, the configuration files of the devices, and the routing tables of the devices.
I think it would be best to open a ticket with TAC since they can use collaboration between the routing and ASA teams. Also, you need to be more specific. I believe that what you are talking about is the concept of cascading, but you need to give details of which context and what traffic you are originating from the test PC that indicate that when traffic is sent on one ASA it works fine, but when both units are running in active/active mode it does not.