
ASA Multiple contexts with inter-context communication

Billy Dodson
Level 1

I am trying to wrap my head around the ASA with multiple contexts. I understand how you assign interfaces and whatnot to the contexts; what I am trying to figure out is how to allow the contexts to communicate with each other.

Say I have an organization with 3 separate companies, owned by the one parent organization. These 3 companies are going to share the same data center.

I need 4 contexts + admin. One for each company, plus a shared zone with things like webservers; they are also going to share the same callmanager cluster.

I need to be able to firewall the connectivity between the 3 different companies, and am unsure how to use contexts to do this. If I have a separate VLAN for each company with a subinterface tagged in the respective VLAN for each company, how do you permit traffic to flow from one to the other? Do you need a shared zone where the traffic would be routed?

I found a document detailing how the shared network will function and be configured, but I have not seen any documentation on traffic between the contexts.

1 Reply

Jon Marshall
Hall of Fame

Billy

You basically have 2 options for inter-context traffic -

1) use shared interfaces as you have already suggested, and these can be useful for shared resources

2) route between the contexts, i.e. if company A being context A wants to get to company B behind context B, you go through the inside interface of context A, out the outside to the next-hop router, and then route the traffic to the outside interface of company B and then through context B to the inside interface.

Obviously using 2 is keeping complete segregation between the companies and treating each company's firewall as a completely independent firewall.

Jon
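
A configuration sketch of the two options in the reply above, added here as an example and not taken from the thread or from Cisco documentation. Context names, interface and VLAN numbers, addresses and file names are constructed; only two of the companies are shown, and the admin context is assumed to exist already.

```cisco
! System execution space (ASA already in multiple-context mode).
! Context names, interface/VLAN numbers, addresses and file names are constructed.
! Unique per-context MACs let the classifier sort traffic on a shared interface.
mac-address auto
interface GigabitEthernet0/0
 no shutdown
! Per-company outside subinterfaces toward the next-hop router (option 2).
interface GigabitEthernet0/0.110
 vlan 110
interface GigabitEthernet0/0.120
 vlan 120
! Shared-services segment allocated to both contexts (option 1).
interface GigabitEthernet0/0.200
 vlan 200
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
context companyA
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/0.110
 allocate-interface GigabitEthernet0/0.200
 config-url disk0:/companyA.cfg
context companyB
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/0.120
 allocate-interface GigabitEthernet0/0.200
 config-url disk0:/companyB.cfg
!
! Inside context companyB (reached with "changeto context companyB").
interface GigabitEthernet0/1.20
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/0.120
 nameif outside
 security-level 0
 ip address 192.0.2.9 255.255.255.248
! Default route to the next-hop router, which routes on to companyA's outside.
route outside 0.0.0.0 0.0.0.0 192.0.2.10
! companyA hosts arrive on outside like any external source: permit only what is needed.
access-list OUTSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.50 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Each context would also give the shared subinterface its own `nameif`, security level and an address in the shared subnet, with its own access list on that interface.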
