Cisco Support Community
New Member

Communication Between ASA Multiple Contexts

Is it possible to create the following design:

1) Multiple Contexts: Customer Internal Network; Business Partner A, Business Partner B

2) Customer net can talk to Business Partner A and B (from the inside)

3) Business Partners can't talk to each other.

If this is possible, am I gaining any additional security with using this type of context design vs. putting the business partner connectivity in DMZ interfaces and using ACLs?

  • Firewalling
5 REPLIES

Re: Communication Between ASA Multiple Contexts

Is there a specific reason why you would not have a single context and use a different interface for Internal, BP-A, and BP-B? It's possible to do it with multiple contexts, but I think it would be easier to do it with a single context.

Hope that helps.

New Member

Re: Communication Between ASA Multiple Contexts

No specific reason. My reasoning (which may be convoluted or completely off) was to give each business partner the security of being separated by a virtual firewall from one another. It's not a strict requirement, but more of a design "thought" I had when reviewing the functionality of contexts. It sounds like I'm making it more complicated than it needs to be?

Re: Communication Between ASA Multiple Contexts

I can understand your thinking, but IMO using a single context can be just as secure. I only use multiple contexts when necessary. Also keep in mind that you can not use VPN with multiple contexts.

New Member

Re: Communication Between ASA Multiple Contexts

Hi Colin - Thanks for the feedback. I've had similar feedback from other engineers I spoke with offline. I will very likely go back to the single context mode. Would you suggest using DMZs as part of the design?

Re: Communication Between ASA Multiple Contexts

Absolutely. I would create a new DMZ for each customer. Use 'inside' for your internal network and 'outside' for the public network if you have that connection.
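An added example, not part of the thread: a small audit of a single-context ASA config against the stated requirement (inside can reach both partners, partners cannot reach each other). It relies on the ASA defaults that higher-to-lower security-level traffic is allowed and that same-level interfaces cannot talk unless `same-security-traffic permit inter-interface` is set. The interface names `bp-a`/`bp-b`, the security levels, the sample config and both function names are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the thread): one DMZ per business partner.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif bp-a
 security-level 50
interface GigabitEthernet0/3
 nameif bp-b
 security-level 50
"""

def parse_asa(config):
    """Return ({nameif: level}, {interfaces with an inbound ACL}, same_level_permitted)."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    acl_in = set(re.findall(r"^access-group \S+ in interface (\S+)", config, re.M))
    same_ok = bool(re.search(r"^same-security-traffic permit inter-interface", config, re.M))
    return levels, acl_in, same_ok

def audit_partner_isolation(config, partners=("bp-a", "bp-b"), internal="inside"):
    """List departures from the design. An applied ACL is detected, not evaluated."""
    levels, acl_in, same_ok = parse_asa(config)
    findings = []
    for p in partners:
        if levels[internal] <= levels[p]:
            findings.append(f"{internal} is not above {p}; inside-initiated traffic needs an explicit permit")
    for src in partners:
        for dst in partners:
            if src == dst:
                continue
            default_open = levels[src] > levels[dst] or (levels[src] == levels[dst] and same_ok)
            if default_open and src not in acl_in:
                findings.append(f"{src} can initiate to {dst} and no inbound ACL is applied on {src}")
    return findings
```

An empty result means partner isolation holds by security-level defaults alone; where an inbound ACL is present, its entries still have to be reviewed by hand.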
