Can anybody give me further information about cascading contexts other than what's on the documentation CD which is very little? Isn't a cascading context nothing but a shared interface? You're basically sharing context A's outside interface and context B's inside interface. Isn't it?
When cascading contexts you need to avoid sharing inside interfaces to avoid limitations in the FW classifier. Only the outside interface is what needs to be shared.
Cascading two contexts via their outside interfaces is possible. You need to NAT the internal network on Context B so that Context A can see it, then a static route must be installed in Context A to point to B as a next hop, and vice versa.
You are correct in what you say. A cascading context is having one virtual firewall behind another. So yes, the outside interface of one context will connect to the same shared vlan as the inside interface of another context.
And this is where the problems begin. As the docs on v3.1 state, if you have Context A which connects to the Internet, and behind that you have context B, then Context A's inside interface is on the same shared vlan as context B's outside interface.
If a user on the inside of context B wants to connect to the Internet there must be a static translation on context A for the Internet address.
Otherwise the classifier has no idea which context to send the traffic to. This, as you can imagine, would be fairly limiting if you had to enter every Internet address you wanted to reach as a static translation.
I don't wish to second guess Haitham but it sounds like what he is describing is not cascaded contexts but contexts that share a vlan for their outside interfaces. This is not the same although you still face issues with the classifier.
I apologize that I didn't previously mention that I'm doing this on ASA appliances and not a FWSM. When you refer to v3.1, I guess you're referring to the FWSM version, and it also seems that contexts are more popular in the FWSM world as that's what large service providers use.
Jon, is your explanation for the last post valid for appliances too?
No need to apologize, I just made the wrong assumption. Yes, version 3.1 is the equivalent of version 7.x for the standalone ASA & PIX devices.
I haven't used the ASA appliances in a cascading scenario, so the answer is I'm not sure. I checked the config guides for ASA and up to v7.1 the same caveats apply to the ASA as the FWSM.
Interestingly the v7.2 config guide makes no mention of having to have static translations for all destinations on your outside context but it does talk about having unique MAC addresses for each context interface.
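To make the layout discussed in this thread concrete, here is an added configuration sketch of the cascaded design (context A facing the Internet, context B behind it, A's inside and B's outside on one shared VLAN). It is not taken from the thread or from Cisco documentation; it uses pre-8.3 `nat`/`global`/`static` syntax, and all interface names, context names and addresses are constructed (RFC 5737 documentation ranges). It shows both mitigations the thread mentions for the classifier problem: an identity static on A for the Internet destination (the pre-7.2 caveat) and `mac-address auto` in the system execution space (the 7.2 approach of unique per-context MAC addresses).

```cisco
! ---- system execution space (constructed names) ----
! 7.2+: give every context interface a unique MAC so the classifier can
! use the destination MAC instead of relying on static translations.
mac-address auto
context A
  allocate-interface GigabitEthernet0/0 internet
  allocate-interface GigabitEthernet0/1.10 sharedvlan
  config-url disk0:/A.cfg
context B
  allocate-interface GigabitEthernet0/1.10 sharedvlan
  allocate-interface GigabitEthernet0/2 lan
  config-url disk0:/B.cfg

! ---- context A (Internet-facing) ----
interface internet
  nameif outside
  security-level 0
  ip address 203.0.113.10 255.255.255.0
interface sharedvlan
  nameif inside
  security-level 100
  ip address 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! static route toward B's inner LAN, next hop = B's outside address on the shared VLAN
route inside 192.168.1.0 255.255.255.0 10.10.10.2
! B's LAN is PATed to A's outside address on the way to the Internet
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Pre-7.2 caveat from the thread: an identity static on A for each Internet
! destination (198.51.100.7 is a constructed example) so the classifier
! hands B's outbound traffic on the shared VLAN to A rather than back to B.
static (outside,inside) 198.51.100.7 198.51.100.7 netmask 255.255.255.255

! ---- context B (behind A) ----
interface sharedvlan
  nameif outside
  security-level 0
  ip address 10.10.10.2 255.255.255.0
interface lan
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
! default route points at A's inside address on the shared VLAN
route outside 0.0.0.0 0.0.0.0 10.10.10.1
! identity NAT: B passes its LAN addresses to A untranslated, A does the PAT
nat (inside) 0 192.168.1.0 255.255.255.0
```

The design choice here is to let B forward its LAN untranslated and let A do the translation to the Internet, which is why A needs the static route to 192.168.1.0/24 via B. If B instead PATed its LAN to its own outside address, A would only ever see 10.10.10.2 and the static route would be unnecessary. In either case, on a pre-7.2 image the identity static on A is what the thread identifies as the limiting factor, since it has to exist for every Internet destination B's users should reach.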