topic Re: Forward traffics between two security contexts in Network Security

Forward traffics between two security contexts

Difan Zhao — Mon, 11 Mar 2019 18:00:01 GMT

Hi experts,

I have 5510 ASA with security plus license and can support two security contexts. In my case, I will share E0/0 as the outside interface to Internet. I will have VLANs on E0/1 (sub-interfaces) and I don't know if I should share them all between two contexts or assign half to one context and rest to another. Please note that I will have inter VLAN traffic between any two VLANs and the ASA needs to do inter-vlan routing.

I actually never really want to partition the firewall. The only reason is that I want to run active/active failover with another ASA5510. Do you think I should configure the failover this way or it will better just to keep it simple and run Active/Standby? Can anybody please provide me an example config?

Thanks!

Difan

Re: Forward traffics between two security contexts

edadios — Wed, 16 Jun 2010 06:48:08 GMT

It will be best to set interfaces independently of contexts, specially if you plan to do active active.

If still sharing the outside, please note that you need to ensure you create the translations for the devices behind specific context, as this is the way for the firewall to determine which context traffic should be forward to.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806

Active active failover configuration guide is here :

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/ha_active_active.html

If you will be sharing interfaces and active active setup, the more you will need to be carefull about routing, and making sure you have classification of traffic for specific context defined.

If you need the badwidth then doing active active will help.

Do remeber that setting up for multicontext, and active active, will not support features like vpn termination among others.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747

If you want to make it simple, do subinterface on e0/0 too, do not share outside interfaces, and do active stand by setup.

Regards,

Re: Forward traffics between two security contexts

Difan Zhao — Wed, 16 Jun 2010 23:08:30 GMT

Edadios,

Thanks for reply! K let's forget about the failover for now. Just two contexts (admin and Context1) and I want VLAN100 of admin be able to talk to VLAN20 of Context1. Here is my current config:

=========== sysetm ===============

interface Ethernet0/1.20
vlan 20
!
interface Ethernet0/1.100
vlan 100

admin-context admin
context admin
allocate-interface Ethernet0/0
allocate-interface Ethernet0/1.100
allocate-interface Management0/0
config-url disk0:/admin.cfg
!

context Context1
description Test Context
allocate-interface Ethernet0/0 visible
allocate-interface Ethernet0/1.20 visible
config-url disk0:/Context1.cfg

=========== admin ==============

interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.128
!
interface Ethernet0/1.100
nameif vlan100
security-level 100
ip address 10.1.100.1 255.255.255.0

global (outside) 1 interface
nat (vlan100) 1 10.1.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.20.0 255.255.255.0 1.1.1.3 1
!

============= Context1 ==============

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.3 255.255.255.128
!
interface Ethernet0/1.20
nameif vlan20
security-level 100
ip address 10.1.20.1 255.255.255.0
!

access-list ACL_outside extended permit icmp any any

access-group ACL_outside in interface outside

global (outside) 1 interface
nat (vlan20) 1 10.1.20.0 255.255.255.0

static (vlan20,outside) 10.1.20.0 10.1.20.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 10.1.100.0 255.255.255.0 1.1.1.2 1
!

The above configs (especially the ones in red) are required for a PC (10.1.100.100 of admin context) to ping another PC (10.1.20.100 of Context1). However in this case the PC 10.1.20.100 can't browse Internet anymore because of the "static ()" command... There is no easier way of doing this?

Thanks!

Re: Forward traffics between two security contexts

edadios — Thu, 17 Jun 2010 03:08:13 GMT

Remove the static you configured for Context1

no static (vlan20,outside) 10.1.20.0 10.1.20.0 netmask 255.255.255.0

Configure this in Context1

################

access-list 100 permit ip 10.1.20.0 255.255.255.0 10.1.100.0 255.255.255.0

static (vlan20,outside) 10.1.20.0 access-list 100

clear xlate

clear local-host

################

Last two lines will clear connections, and rebuild when traffic passes again.

Here is the documentation for you:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

Regards,

Re: Forward traffics between two security contexts

Difan Zhao — Fri, 18 Jun 2010 22:46:07 GMT

The command works! Now traffic can pass between two contexts. However I also find out that the number of configs will increase exponentially if I have more than one VLAN that I want traffic to pass through... So I decide to give up the active/active failover setup... Thanks a lot for your help!

Re: Forward traffics between two security contexts

edadios — Sat, 19 Jun 2010 01:45:04 GMT

Happy to be of help to you.

Regards,

Re: Forward traffics between two security contexts

game123 — Tue, 22 Jun 2010 06:40:29 GMT

Great solution.