topic Re: Two contexts sharing the same physical interface in Network Security

Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 12 Mar 2019 02:02:25 GMT

Hi,

I have been looking for a configuration guide on how to set up one physical trunked interface to be shared between two contexts. I am sure I am just using the wrong search words but have as of yet been unable to find anything on this. Anyone able to provide a link please?

Thanks

Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 07:16:51 GMT

Hi,

Other than wanting to use a single interface/subinterface in multiple contexts, can you elaborate a bit what kind of setup you are trying to achieve?

Generally I would say that you configure Subinterfaces in the System Context of the ASA and attach the required subinterfaces to the Security Contexts. We use shared interface for management/syslog purposes for example.

- Jouni

Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 25 Jun 2013 07:20:33 GMT

Hi Jouni,

We are setting up 3 contexts one of them being a transport context between the sensitive zone and non-sensitive zone. So we would have 2 physical interfaces for this.

I understand that this is possible I am just having trouble finding documentation on how to configure it. As I said I am most likely using the wrong search words.

Thanks again

Re: Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 07:35:41 GMT

Hi,

Wouldnt this be possible to configure just by using the 2 Security Contexts and 1 Physical interface configured as Trunk between the core and the ASA. Naturally you could even implement Etherchannel/Port-channel to use multiple physical interfaces for the Trunk. Though you would need 8.4(1) software at minimum for Port-channel support on ASA.

For example

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

description SC1 - OUTSIDE

vlan 100

interface GigabitEthernet0/0.200

description SC2 - OUTSIDE

vlan 200

interface GigabitEthernet0/0.10

description SC1 - INSIDE

vlan 10

interface GigabitEthernet0/0.20

description SC2 - INSIDE

vlan 20

interface GigabitEthernet0/0.12

description SC1 - SC2 LINK

vlan 12

context SC1

description SC1

allocate-interface GigabitEthernet0/0.100

allocate-interface GigabitEthernet0/0.10

allocate-interface GigabitEthernet0/0.12

config-url disk0:/SC1.cfg

context SC2

description SC2

allocate-interface GigabitEthernet0/0.200

allocate-interface GigabitEthernet0/0.20

allocate-interface GigabitEthernet0/0.12

config-url disk0:/SC2.cfg

Or something along those lines

- Jouni

Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 25 Jun 2013 07:38:34 GMT

Yes it would but the idea is to have a buffer between the two zones and thereby adding another layer of security. so if the non-sensitive context is breached, then the attacker wont be able to go directly at the sensitiv context but instead must also get through the transport context.

thanks for the config there. That looks like what I am looking for.

Re: Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 08:07:12 GMT

Hi,

I have not linked (or have the need to) 3 Security Contexts before but I would imagine you could modify the above configuration a bit to achieve that also

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

description SC1 - OUTSIDE

vlan 100

interface GigabitEthernet0/0.200

description SC2 - OUTSIDE

vlan 200

interface GigabitEthernet0/0.10

description SC1 - INSIDE

vlan 10

interface GigabitEthernet0/0.20

description SC2 - INSIDE

vlan 20

interface GigabitEthernet0/0.12

description SC1 - TRANSIT

vlan 12

interface GigabitEthernet0/0.21

description SC2 - TRANSIT

vlan 21

context TRANSIT

description SC1 to SC2 TRANSIT SC

allocate-interface GigabitEthernet0/0.12

allocate-interface GigabitEthernet0/0.21

config-url disk0:/TRANSIT.cfg

context SC1

description SC1

allocate-interface GigabitEthernet0/0.100

allocate-interface GigabitEthernet0/0.10

allocate-interface GigabitEthernet0/0.12

config-url disk0:/SC1.cfg

context SC2

description SC2

allocate-interface GigabitEthernet0/0.200

allocate-interface GigabitEthernet0/0.20

allocate-interface GigabitEthernet0/0.21

config-url disk0:/SC2.cfg

I am not sure if this would be the way but that is how I imagined at the moment.

The setup should look something like this

Totally different matter would there be a better way to achieve the same as above

- Jouni

Re: Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 25 Jun 2013 08:14:57 GMT

Jepp, that was our first design. However we have limited ports and the budget doesnt allow for the purchase of more ports at the current time.

Thanks for knocking some ideas around with me

Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 08:32:51 GMT

Hi,

What do you mean with limited ports?

The above configuration only uses a single example interface of GigabitEthernet0/0 which is configured as Trunk (divided into subinterfaces)

Though as I said I dont know is this the best way to implement this but should be possible atleast.

- Jouni

Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 25 Jun 2013 08:40:00 GMT

Sorry my bad I looked over it too fast thought there were several different ports.

But in either case, security policy dictates that the secure and non-secure contexts should be using seperate physical ports

Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 10:31:50 GMT

Hi,

What is the maximum physical interfaces you have available for use?

- Jouni

Two contexts sharing the same physical interface

Marius Gunnerud — Tue, 25 Jun 2013 10:41:40 GMT

We have 4 10Gig interfaces

Two contexts sharing the same physical interface

Jouni Forss — Tue, 25 Jun 2013 11:06:37 GMT

Hi,

So I guess we are perhaps talking about a ASA5585-X model? Or did the ASA5580 have these interfaces? I have never even seen those models live.

I guess you could use a singe physical inteface (as subinterfaces) for each Normal Security Context and some interface(s) for the Transit Context? Or perhaps include the LAN, WAN and TRANSIT link on each Normal Security Contexts own physical link as subinterfaces.

I imagined that this would be something lower end model ASA setup but I guess you are going to have some very heavy duty use considering the links you are going to use?

We have 5x ASA5585-X and 4x FWSMs in our datacenters and havent had the need to get the 10Gig licenses yet for the ASAs.

- Jouni