I need to set up a new pair of ASAs in active/standby configuration, and on the ASA I need to configure 2 contexts.
Each of these contexts will have about 5 interfaces that connect to the network. Now comes the part that I don't seem to grasp: I also need to interconnect the 2 contexts, because there will be some flows that need to go from networks that are connected on Context A to networks that are connected on Context B and vice versa.
This 'transit network' in between the 2 contexts doesn't really leave the ASA, but I think I still need to assign an interface to it and connect it to a switch?
Do I really need to do that? Do I need to assign 1 interface to Context A and another one to Context B and have both of them connected to switchports in the same VLAN then? And what about the failover configuration of this segment between the 2 contexts?
Also, in the documentation I saw something about using unique MAC addresses in case of cascading contexts. Do I need to do this? And how exactly do I do this?
Thank you for your answer, but I'm afraid I'm even more confused than before. My ASAs will be in routed mode; I don't see how these 2 contexts will be able to communicate with each other over this transport VLAN if the IP addresses on both ends are in different IP subnets.
Maybe I didn't make myself clear enough. I made a few simplified drawings of what I want to do; this is the logical setup:
The physical setup would be something like this:
Does this make sense? Do I really need to waste 2 interfaces on each ASA for this transit VLAN between the 2 contexts?
I was planning to assign a /29 network to this transit VLAN because I need at least 4 IPs in this range.
Do I need to use this "unique MAC addresses" feature in this setup?
Or am I seeing this completely wrong, and is there a better way to achieve this?
The documentation around cascading contexts seems to be very limited; I really need some guidance here.
Sorry, I meant to say that the shared interface needs to be on the same network. (I must have been thinking about something else when I was writing.)
You do not need to waste 2 interfaces on the ASA to get this working; however, if your security policy dictates that you need to have the two contexts physically separate, then you must use two interfaces.
Context A (the transit interface toward Context B is the one named "outside"; the second address is Context A's own network):
ip address 10.1.0.1 255.255.255.0
ip address 10.0.0.1 255.255.255.0
route outside 10.0.10.0 255.255.255.0 10.1.0.2 1

Context B (the transit interface toward Context A is the one named "outside"; the second address is Context B's own network):
ip address 10.1.0.2 255.255.255.0
ip address 10.0.10.1 255.255.255.0
access-list outside_access_in extended permit ip any any
route outside 10.0.0.0 255.255.255.0 10.1.0.1 1
Please remember to rate and select a correct answer
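The two-context setup from the answer above, turned into a small consistency check for the transit link: this is an added Python example, not code from the thread or from Cisco. It assumes the transit interface is named "outside" in both contexts and the local LAN "inside", and it flags a blanket "permit ip any any" on the transit ACL as something to tighten once the required flows are known.

```python
import ipaddress

# Constructed sample configs for the two cascaded contexts in the answer;
# "outside" is the transit interface in both, "inside" the local LAN.
CONTEXT_A = """
nameif outside
ip address 10.1.0.1 255.255.255.0
nameif inside
ip address 10.0.0.1 255.255.255.0
route outside 10.0.10.0 255.255.255.0 10.1.0.2 1
"""
CONTEXT_B = """
nameif outside
ip address 10.1.0.2 255.255.255.0
nameif inside
ip address 10.0.10.1 255.255.255.0
access-list outside_access_in extended permit ip any any
route outside 10.0.0.0 255.255.255.0 10.1.0.1 1
"""

def parse(cfg):
    """Return (interfaces by nameif, routes, access-list lines) from config text."""
    ifaces, routes, acls, name = {}, [], [], None
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["nameif"]:
            name = t[1]
        elif t[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:1] == ["route"]:
            routes.append((t[1], ipaddress.IPv4Network(f"{t[2]}/{t[3]}"),
                           ipaddress.IPv4Address(t[4])))
        elif t[:1] == ["access-list"]:
            acls.append(line.strip())
    return ifaces, routes, acls

def check_cascade(cfg_a, cfg_b, transit="outside"):
    """List inconsistencies on the transit link between two cascaded contexts."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a[0][transit].network != b[0][transit].network:
        problems.append("transit interfaces are not in the same subnet")
    for (_, rts, acls), (peer_ifs, _, _) in ((a, b), (b, a)):
        peer_ip = peer_ifs[transit].ip
        for ifname, dest, nh in rts:
            # a route out of the transit interface must use the peer's transit address
            if ifname == transit and nh != peer_ip:
                problems.append(f"route {dest} via {nh}; peer transit is {peer_ip}")
        problems += [f"overly broad ACL: {l}" for l in acls if l.endswith("permit ip any any")]
    return problems
```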