Active/Active failover clarification

dprakken1
Level 1

Hi - Can anyone tell me if Active/Active failover on ASAs requires two router ports for the egress traffic? In other words, a path for each subnet of the two contexts? Or, in its simplest form, can A/A failover work with a single-port gateway router?

Thanks

Dave

Accepted Solution

h.xia
Level 1

Dave,

Multiple contexts can share outside access by assigning each one of them an IP address on the same subnet. But A/A failover requires that each context has its own physical interface, so a single-port gateway router is not going to work, except by implementing VLAN routing using the router-on-a-stick approach.

Thanks,

Hang


Thanks very much for the confirmation Hang. I can't believe how difficult this A/A is getting!

Dave

Hi Hang,

I was reviewing your response and I have a quick question, if you may allow me: since we can configure 2 interfaces (one from each context) on the outside zone, why do we need to configure VLAN routing using router-on-a-stick here? I believe both contexts should route the traffic to the inside interface of the router, which is basically part of the same subnet as the outside interfaces of the ASA?!

Second, I recall there was a limitation in the ASA A/A setup which doesn't allow configuring the same NAT and static rules for the same inside subnet to outside (i.e. when you configure the same static commands to publish your DMZ services, as an example, on both contexts to the outside zone, you get an error related to duplicate static entries); have you ever come across such a problem, or are you aware of such a limitation in the ASA A/A setup? My understanding is that Cisco A/A is mainly designed to support different inside zones and NOT the same inside zone!!

Appreciate your feedback.

Regards,

Haitham

Haitham,

You are right. If the outside zones of both contexts are on the same subnet (with the upstream router), the router-on-a-stick approach is not needed.

I don't think I understand your second question completely, but I'll give it a try. You can treat different contexts as two different security appliances. Therefore, the configuration on one context is independent of the configuration on another context. I used to put an identical configuration (with NAT) on two contexts. Even though this setup does not do me any good, network-wise, my PIX never complains. A/A just provides high availability and load balancing. From the configuration point of view, there should not be any difference from an individual ASA.

Hope I answer your question,

Hang

Hang,

Thanks for your response... regarding the second part, can you please confirm to me: if I have a shared DMZ between the 2 contexts, will I be able to configure the same static rule to publish my web server, for example, on the 2 different contexts with no errors? I tried this case with version 7.1 and it gave me duplicate static entries when I entered the same static rule on both contexts!!

In summary, will you be able to apply exactly the same ACL and NAT rules on both contexts for redundancy and Load Balancing?

I hope I have clarified my question better.

Regards,

Haitham

Haitham,

It should work; below is the config I put in, with no complaints. I created two contexts here, TAC and SHUB. They both share interface e2 for the DMZ.

interface Ethernet0
!
interface Ethernet0.1
 vlan 11
!
interface Ethernet0.2
 vlan 12
!
interface Ethernet0.3
 vlan 13
!
interface Ethernet1
!
interface Ethernet1.1
 vlan 21
!
interface Ethernet1.2
 vlan 22
!
interface Ethernet1.3
 vlan 23
!
interface Ethernet2
!

hostname TAC
domain-name tac.com
enable password xxx
names
!
interface Ethernet0.2
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet1.2
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
global (outside) 1 10.2.2.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255

hostname SHUB
enable password xxx
names
!
interface Ethernet0.3
 nameif outside
 security-level 0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet1.3
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 80
 ip address 192.168.0.2 255.255.255.0
!
global (outside) 1 10.2.2.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255
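Hang's post shows the two context configurations but not the system execution space that actually makes the pair Active/Active. The following is an added example (not from Hang's post or the thread) of that system configuration on the primary unit: it places TAC in failover group 1 and SHUB in failover group 2, so each unit is active for one context, and allocates the per-context subinterfaces plus the shared Ethernet2 DMZ. Assumed values: Ethernet3 is free for the failover/state link, the folink addresses, the admin context, and the disk0: config-url paths.

```cisco
! Added example, primary unit, system execution space (values are assumed).
! The ASA must already be in multiple context mode ("mode multiple", reboot).
!
! Dedicated failover + stateful link (Ethernet3 is assumed to be free).
interface Ethernet3
 description failover and state link
!
failover lan unit primary
failover lan interface folink Ethernet3
failover link folink Ethernet3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Active/Active = two failover groups. Group 1 is normally active on the
! primary unit, group 2 on the secondary; preempt returns a group to its
! preferred unit after that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Admin context is mandatory in multiple mode (assumed name and path).
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
! Each context keeps its own outside/inside subinterfaces (per Hang's point
! that A/A needs a separate interface per context) and joins exactly one group.
context TAC
 allocate-interface Ethernet0.2
 allocate-interface Ethernet1.2
 allocate-interface Ethernet2
 config-url disk0:/TAC.cfg
 join-failover-group 1
!
context SHUB
 allocate-interface Ethernet0.3
 allocate-interface Ethernet1.3
 allocate-interface Ethernet2
 config-url disk0:/SHUB.cfg
 join-failover-group 2
!
! Enable failover only after both units carry a matching failover config.
failover
```

Inside each context, give every interface a standby address (for example `ip address 10.2.2.1 255.255.255.0 standby 10.2.2.11` on TAC's outside) so the peer unit can take over the context's addresses on failover; check the result with `show failover` in the system execution space, where each group should show one unit Active and the other Standby Ready.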
