Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cascading contexts

Can anybody give me further information about cascading contexts other than what's on the documentation CD which is very little? Isn't a cascading context nothing but a shared interface? You're basically sharing context A's outside interface and context B's inside interface. Isn't it?

Thank you

6 REPLIES
New Member

Re: Cascading contexts

Hi,

When cascading contexts you need to avoid sharing inside interfaces to avoid limitations in the FW classifier. Only the outside interface is what needs to be shared.

Cascading two contexts via their outside interfaces is possible. You need to NAT the internal network on Context B for Context A can see it, then a static route must be installed in Context A to point to B as a next-hop, and vice versa.

Hope this is clear.

Regards,

Haitham

New Member

Re: Cascading contexts

On the DOC CD, the definition of cascading contexts is below while you seem to be stating that the outside interfaces of the contexts can be shared. I'm confused

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context

Hall of Fame Super Blue

Re: Cascading contexts

Hi

You are correct in what you say. A cascading context is having one virtual firewall behind another. So yes the outside interface of one context will connect to the same shared vlan as the inside interface of another context.

And this is where the problems begin. As the docs on v3.1 state if you have Context A which connects to the Internet. Behind that you have context B. Context A inside interface is on the same shared vlan as context B outside interface.

If a user on the inside of context B wants to connect to the Internet there must be a static translation on the context A for the Internet address.

Otherwise the classifier has no idea which context to send the traffic to. This as you can imagine would be failry limiting if you had to enter every Internet address you wanted to reach as a static translation.

I don't wish to second guess Haitham but it sounds like what he is describing is not cascaded contexts but contexts that share a vlan for their outside interfaces. This is not the same although you still face issues with the classifier.

Hope this makes sense

Jon

New Member

Re: Cascading contexts

Please have a look at the attached doc; it is very helpful.

Regards,

Haitham

New Member

Re: Cascading contexts

Jon

I apologize that I didn't previously mention that I'm doing this on ASA appliances and not a FWSM. When you refer to v3.1, I guess you're referring to the FWSM version and it also seems that contexts are more popular in the FWSM world as that's what large service providers use

Jon, is your explanation for the last post valid for appliances too?

Hall of Fame Super Blue

Re: Cascading contexts

Hi

No need to apologize, i just made the wrong assumption. Yes version 3.1 is the equivalent of version 7.x for the standalone ASA & pix devices.

I haven't used the ASA appliances in a cascading scenario so the answer is i'm not sure. I checked the config guides for ASA and up to v7.1 the same caveats apply to the ASA as the FWSM.

Interestingly the v7.2 config guide makes no mention of having to have static translations for all destinations on your outside context but it does talk about having unique MAC addresses for each context interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html#wp1121392

I would need to test this before i could be certain. We are getting 2 ASA devices in a a couple of weeks so if i get a chance i'll have a look.

HTH

Jon

1116
Views
0
Helpful
6
Replies