topic You're welcome. in Network Security

create a context in routed mode-ASA

Kn1ghtR1d3rOfD00m — Tue, 12 Mar 2019 09:49:52 GMT

Hi,

I know that might be over asked this, but just wondering if you can assist me on how to set up a context to be routed and in a way that it will be and act as the gateway of the LAN.

the requirement is this:

I have the following on the asa 5585

I need to create a new subnet that the firewall will be the gateway for this LAN.

do I need to have a seperate cable connection ?

the giga 0/3 is for the failover, just omit it.

the switches are connected directly to the Core routers and then via trunk I supposed, they will go to the Firewall to reach the gateway and the retun the traffic

any ideas or post on how to set up that?

thanks for your assistance,

Hi

Francesco Molino — Wed, 16 Aug 2017 03:19:52 GMT

I don't know what are your actual contexts about but you can create a subinterface within 1 of your actual context to create a new l3 interface acting as default gateway for your new subnet.

As you asked for a new context, below is the way to process:

1. On system context (changeto system)

context CTX3
config-url disk0:CTX3.cfg
allocate-interface Te0/8 --> i used this one as it is already a shared interface between the 2 existing context.

If you want to use a gig interface, it will be the same config but if this gig is already used on another context, you'll need to trunk the vlan from the switch and adapt the interface config on asa.

As you've failover you need to attach a failover group for this new context:

context CTX3
join-failover-group X --> based on your configuration as the fail over groups are already created
!

As you already have shared interface, the Mac address has been setup. If you have the command mac-address auto then it's fine otherwise a manual mac address has been setup. If this is the case then you need to move on your new context and configured for the interface the Mac address as well as fitted your secondary firewall.

2. On new context (changeto context CTX3)

Configured your interface like:

Interface te0/8.xxx --> xxx corresponds to your new vlan id

ip address x.x.x.x x.x.x.x

security-level 100 --> adapt the security level based on your requirements.

nameif xxxx --> named if your new zone

Continue the configuration for nat, routing, acl....

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thank you, I followed your

Kn1ghtR1d3rOfD00m — Thu, 17 Aug 2017 02:06:21 GMT

Thank you, I followed your steps with some minor details, but it worked, 🙂 appreciate that.

You're welcome.

Francesco Molino — Thu, 17 Aug 2017 02:11:32 GMT

You're welcome.

Did you get any issues?

:)

Kn1ghtR1d3rOfD00m — Thu, 17 Aug 2017 14:09:58 GMT

🙂

yep, since Im not used to ASA deployments, cause they were already set up here, so I took this chance to learn and deploy,

I had some vlans missing and ACLs, at the beggining I missconfigured the interfaces, but I had to remake it all, from the start, lucky for me that these ASAs are empty in the DC, so no problem editing the entire config,

OK nice :-)

Francesco Molino — Thu, 17 Aug 2017 15:31:28 GMT

OK nice 🙂