I have an issue with the ASA, multiple contexts and shared interfaces. I have read through the documentation on Cisco.com and also looked through the posts here, but my specific question is not really answered.
I have two contexts running on an ASA v8. I have two interfaces which are configured as trunks on a switch carrying vlans to two ports on the ASA for an inner and outer firewall.
Switch Port 1 (Trunk)---------- ASA Gig0/1 = outer firewall context
Switch Port 2 (trunk)---------- ASA Gig0/2 = inner firewall context
There are two shared vlans between the firewalls, which happen to be on the switch port 2 trunk. I have enabled mac-address auto on the system context to enable unique mac addresses.
I am able to ping across from Vlan 1 to Vlan 200, effectively traversing both firewalls. All interfaces, including the shared one(s), are on the same security level with open rules for testing. I am unable to get from the shared VLAN to either Vlan 1 or Vlan 200. If I use packet tracer, I get the (ifc-classify) Virtual Firewall Classification failed message. So I obviously understand that the ASA does not know which context should handle the incoming packet, although the destination ip address is unique and only behind one firewall, and unique mac addresses are being used.
My question then is: is it possible to have shared inside interfaces if you will be talking to other inside interfaces (or same-level interfaces)? I believe it is, and if so, do I still have to use NAT to tell the ASA which networks are behind which firewalls?
Pinging should be possible, since in most cases this setup resembles a shared outside address; the key point is that IP addresses should be different, and with your mac address automatic you should not have a problem as to how to classify traffic here. When you are pinging, are you pinging from a host on the shared network or from the actual interface? What is the route, or how is the route defined, when reaching either LAN (1 or 200)?
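As an added illustration (not code from this thread or from Cisco), here is a small Python model of the documented classifier order for a frame arriving on a shared interface in multi-context mode: a unique interface decides first, then a unique destination MAC (what mac-address auto provides), and only then the NAT mapped addresses; when none of the three picks exactly one context, the result is the ifc-classify failure seen in packet tracer. Context names, interface names, MACs and networks below are made up for the example.

```python
# Added example: toy model of ASA multi-context packet classification on a
# shared interface. All names, MACs and addresses are constructed.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Context:
    name: str
    interfaces: set                     # interfaces assigned to this context
    macs: dict                          # interface -> MAC (unique per context)
    mapped_nets: list = field(default_factory=list)  # networks claimed via NAT


def classify(frame, contexts):
    """Return the owning context name, or 'ifc-classify failed'."""
    ifc = frame["interface"]
    owners = [c for c in contexts if ifc in c.interfaces]
    if not owners:
        return "ifc-classify failed"
    if len(owners) == 1:                # 1. interface is not shared: done
        return owners[0].name
    # 2. shared interface: the destination MAC decides if it is unique
    by_mac = [c for c in owners if c.macs.get(ifc) == frame["dst_mac"]]
    if len(by_mac) == 1:
        return by_mac[0].name
    # 3. last resort: which context maps the destination IP with NAT?
    dst = ipaddress.ip_address(frame["dst_ip"])
    by_nat = [c for c in owners
              if any(dst in ipaddress.ip_network(n) for n in c.mapped_nets)]
    if len(by_nat) == 1:
        return by_nat[0].name
    return "ifc-classify failed"        # ambiguous or unclaimed


# Constructed topology: Gig0/2.100 is the shared VLAN between both contexts.
OUTER = Context("outer", {"Gig0/1.200", "Gig0/2.100"},
                {"Gig0/2.100": "0200.0000.0001"})
INNER = Context("inner", {"Gig0/2.1", "Gig0/2.100"},
                {"Gig0/2.100": "0200.0000.0002"})
CONTEXTS = [OUTER, INNER]

UNIQUE_IFC = {"interface": "Gig0/1.200", "dst_mac": "ffff.ffff.ffff", "dst_ip": "10.200.0.5"}
TO_INNER_MAC = {"interface": "Gig0/2.100", "dst_mac": "0200.0000.0002", "dst_ip": "10.1.0.5"}
BROADCAST = {"interface": "Gig0/2.100", "dst_mac": "ffff.ffff.ffff", "dst_ip": "10.1.0.5"}

if __name__ == "__main__":
    print(classify(UNIQUE_IFC, CONTEXTS), classify(TO_INNER_MAC, CONTEXTS),
          classify(BROADCAST, CONTEXTS))
    INNER.mapped_nets.append("10.1.0.0/24")   # NAT claims the inner network
    print(classify(BROADCAST, CONTEXTS))
```

Adding a mapped network to `INNER.mapped_nets` turns the last case from a classification failure into "inner", which is the role NAT plays when the destination MAC does not settle the question.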