I am implementing a multi-context ASA firewall on our network. We have a few customers coming from the Internet via VRFs. The firewall is directly connected to the core switch, which is directly connected to the core router (VRF), which is connected to the Internet.
Does anybody know what would be the ideal scenario for designing a multi-context ASA with VRFs? I have never done anything using VRFs, so I am out of ideas on this one. Any customer who needs access to the Internet would have their own firewall context.
I am planning to keep the outside interfaces for all customers as a shared interface (same VLAN) and all the inside interfaces as unique VLANs. If I do this, what important configs should I keep in mind while configuring shared interfaces on the ASA?
I would also need to configure SNMP on the contexts. Somewhere I read that you can't configure SNMP on the system context. What kind of MIBs can I configure on all the contexts?
Personally, I don't like to use a shared interface. But if you would like to use it, you need to pay attention to the following:
- Make sure a unique MAC address is used for the shared interface in each context. You can use the mac-address auto feature. Please read the link provided by Mike in the post below to understand how the ASA classifies the packet in this situation.
- Since you cannot use VLANs to separate the traffic between different customers, you have to rely on routing to make sure the traffic is forwarded to the correct customer.
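The following configuration is an added example, not part of the original thread, showing the two points above on a two-customer ASA: the system context enables mac-address auto and allocates one shared outside subinterface plus a unique inside subinterface per context, and each customer context gets its own outside IP, NAT, default route and SNMP host. All names (customerA, customerB), VLAN numbers, interface names and addresses (RFC 5737 / RFC 1918 ranges) are constructed placeholders; the upstream VRF router is assumed to route each customer's public address to that customer's context IP on the shared VLAN.

```cisco
! ===== System context (example, not the poster's config) =====
mode multiple
! Give every context its own MAC on the shared interface so the
! classifier can assign ingress frames by destination MAC. Without
! this, classification has to fall back to NAT/destination-IP lookups.
mac-address auto
!
interface GigabitEthernet0/0
 description Shared outside trunk towards core switch / VRF router
 no shutdown
interface GigabitEthernet0/0.100
 description Shared outside VLAN (one subnet, all customers)
 vlan 100
!
interface GigabitEthernet0/1
 description Inside trunk (one unique VLAN per customer)
 no shutdown
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! The same outside subinterface is allocated to both contexts (shared);
! each inside subinterface is allocated to exactly one context (unique).
context customerA
 allocate-interface GigabitEthernet0/0.100 outside
 allocate-interface GigabitEthernet0/1.201 inside
 config-url disk0:/customerA.cfg
context customerB
 allocate-interface GigabitEthernet0/0.100 outside
 allocate-interface GigabitEthernet0/1.202 inside
 config-url disk0:/customerB.cfg

! ===== Context customerA (customerB is identical with its own addresses) =====
interface outside
 nameif outside
 security-level 0
 ! Distinct address per context inside the shared 203.0.113.0/24 VLAN;
 ! the VRF router must send customerA's public traffic to this IP.
 ip address 203.0.113.11 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! PAT behind the context's own outside address keeps return traffic
! addressed to this context's IP/MAC rather than a neighbour's.
object network customerA-inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Routing, not VLANs, decides which customer receives each flow.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! SNMP is configured per context; the poller lives on this customer's inside VLAN.
! Replace COMMUNITY-PLACEHOLDER with a per-context read-only community string.
snmp-server host inside 10.1.1.50 poll community COMMUNITY-PLACEHOLDER version 2c
snmp-server location customerA-context
```

Verify the result from the system context with `show mac-address-table` (ASA prints the auto-generated MAC per context interface) and, from each context, `show route` and `show nat` to confirm that only that customer's addresses are translated and routed there. If two contexts ever share both the outside VLAN and an overlapping outside address or NAT pool, the classifier cannot tell them apart, so keep the outside addressing per context strictly disjoint.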