New Member

ASA Multiple contexts with inter-context communication

I am trying to wrap my head around the ASA with multiple contexts. I understand how you assign interfaces and whatnot to the contexts; what I am trying to figure out is how to allow the contexts to communicate with each other.

Say I have an organization with 3 separate companies, owned by the one parent organization. These 3 companies are going to share the same data center.

I need 4 contexts + admin. One for each company, plus a shared zone with things like webservers; they are also going to share the same callmanager cluster.

I need to be able to firewall the connectivity between the 3 different companies, and am unsure how to use contexts to do this. If I have a separate VLAN for each company with a sub-interface tagged in the respective VLAN for each company, how do you permit traffic to flow from one to the other? Do you need a shared zone where the traffic would be routed?

I found a document detailing how the shared network will function and be configured, but I have not seen any documentation on traffic between the contexts.

Hall of Fame Super Blue

Re: ASA Multiple contexts with inter-context communication


You basically have 2 options for inter-context traffic -

1) use shared interfaces as you have already suggested and these can be useful for shared resources

2) route between the contexts, i.e. if company A being context A wants to get to company B behind context B, you go through the inside interface of context A, out the outside to the next-hop router, and then route the traffic to the outside interface of company B and then through context B to the inside interface.

Obviously using 2 is keeping complete segregation between the companies and treating each company's firewall as a completely independent firewall.
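
A configuration sketch of option 2 from the reply above, added here as an illustration (it is not part of the original thread and not taken from Cisco documentation). The context names, interface and VLAN numbers, addresses, ACL name and the next-hop router at 192.0.2.2 are all constructed assumptions; the admin context is assumed to exist already, company B's context mirrors company A's, and no NAT is assumed between the companies.

```text
! ---- System execution space: one outside and one inside sub-interface per company ----
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
context companyA
 allocate-interface GigabitEthernet0/0.101
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/companyA.cfg
!
context companyB
 allocate-interface GigabitEthernet0/0.102
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/companyB.cfg
!
! ---- Inside context companyA (changeto context companyA) ----
interface GigabitEthernet0/0.101
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.252
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Company B's inside subnet is reached via the next-hop router, not via a shared interface
route outside 10.20.0.0 255.255.255.0 192.0.2.2
!
! Traffic arriving from company B is filtered like any other outside traffic:
! permit only the specific flow that is needed, log and drop the rest
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.50 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because no interface is shared, each context sees the other company only as a routed source on its outside interface, so the inter-company policy lives entirely in each company's own outside ACL.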