Communication Between ASA Multiple Contexts

captain131
Level 4

Is it possible to create the following design:

1) Multiple Contexts: Customer Internal Network; Business Partner A, Business Partner B

2) Customer net can talk to Business Partner A and B (from the inside)

3) Business Partners can't talk to each other.

If this is possible, am I gaining any additional security with using this type of context design vs. putting the business partner connectivity in DMZ interfaces and using ACLs?

5 Replies

Collin Clark
VIP Alumni

Is there a specific reason why you would not have a single context and use a different interface for Internal, BP-A, and BP-B? It's possible to do it with multiple contexts, but I think it would be easier to do it with a single context.

Hope that helps.

No specific reason. My reasoning (which may be convoluted or completely off) was to give each business partner the security of being separated by a virtual firewall from one another. It's not a strict requirement, but more of a design "thought" I had when reviewing the functionality of contexts. It sounds like I'm making it more complicated than it needs to be?

I can understand your thinking, but IMO using a single context can be just as secure. I only use multiple contexts when necessary. Also keep in mind that you cannot use VPN with multiple contexts.

Hi Collin - Thanks for the feedback. I've had similar feedback from other engineers I spoke with offline. I will very likely go back to the single context mode. Would you suggest using DMZs as part of the design?

Absolutely. I would create a new DMZ for each customer. Use 'inside' for your internal network and 'outside' for the public network if you have that connection.
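As an added illustration of the single-context design recommended in this thread (one DMZ per partner, 'inside' for the customer network, 'outside' for the public link), here is a constructed ASA configuration fragment that implements the three requirements from the original question: inside can reach both partners, and the partners cannot reach each other. This is not configuration from the thread or from Cisco; the interface names, security levels, RFC 1918 / RFC 5737 addresses and the "HTTPS only" partner permit are assumptions chosen for the example.

```cisco
! Added example, not from the thread: single-context ASA with one DMZ per business partner.
! Interface names, security levels and addresses below are constructed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-bpa
 security-level 50
 ip address 10.2.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz-bpb
 security-level 50
 ip address 10.3.1.1 255.255.255.0
!
! Network objects for the three segments (constructed subnets).
object network NET-INSIDE
 subnet 10.1.1.0 255.255.255.0
object network NET-BPA
 subnet 10.2.1.0 255.255.255.0
object network NET-BPB
 subnet 10.3.1.0 255.255.255.0
!
! Requirement 2: inside may initiate to either partner. The ASA's stateful
! inspection admits the return traffic, so no matching rule is needed on the DMZs.
access-list INSIDE-IN extended permit ip object NET-INSIDE object NET-BPA
access-list INSIDE-IN extended permit ip object NET-INSIDE object NET-BPB
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
!
! Requirement 3: partner A must never reach partner B. The explicit deny is listed
! first and logged so attempts are visible; the implicit deny at the end would also
! block it, but an explicit logged entry gives a detection signal. The permit line
! (HTTPS only, to an assumed internal application) is an example of scoping what a
! partner may reach, not a recommendation for any particular port.
access-list BPA-IN extended deny ip object NET-BPA object NET-BPB log
access-list BPA-IN extended permit tcp object NET-BPA object NET-INSIDE eq 443
access-list BPA-IN extended deny ip any any log
access-group BPA-IN in interface dmz-bpa
!
access-list BPB-IN extended deny ip object NET-BPB object NET-BPA log
access-list BPB-IN extended permit tcp object NET-BPB object NET-INSIDE eq 443
access-list BPB-IN extended deny ip any any log
access-group BPB-IN in interface dmz-bpb
```

Two points worth checking on a real box: both DMZs sit at the same security level, so leave `same-security-traffic permit inter-interface` unconfigured (with it set, traffic between dmz-bpa and dmz-bpb would be allowed unless an ACL stops it, which is why the explicit deny entries above are still worth having), and confirm the policy with `packet-tracer input dmz-bpa tcp 10.2.1.10 12345 10.3.1.10 443`, which should report a drop on the BPA-IN access list. Isolation here comes from the interface ACLs and the absence of a permit, exactly as Collin describes; a separate context would add an administrative boundary but not a stronger data-plane separation than these rules already give.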
