12-11-2018 01:18 AM - edited 02-21-2020 08:33 AM
Hello.
We now have two ASA 5525s in an HA active/passive cluster. We are using 2 gigabit interfaces forming an EtherChannel for the data traffic, 1 interface for the failover traffic and the Management 0/0 interface for the firewall management. Now we have 4 different security contexts, all of them in routed mode. We have the EtherChannel interface configured as a trunk and we use subinterfaces with VLAN tagging for each security context. For example:
context Context-1
member default
allocate-interface Port-channel1.200 visible
allocate-interface Port-channel1.210 visible
Now we want to add a new security context in transparent mode. I have been reading different documents and I still have some doubts.
-Can I create new subinterfaces in different VLANs than the ones I am using in the other security contexts and allocate them to the new security context? For example:
context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible
Or do I have to use completely different physical interfaces?
-The EtherChannel port members are connected to a pair of Nexus switches, using a vPC. The Management 0/0 interface is connected to an OOB network on a different physical switch. Do I need to create a new management interface for this security context? Could it be a subinterface on the EtherChannel, or does it have to be a different physical interface?
-I am managing this firewall using SSH through the Management 0/0 interface. When I change the firewall mode for the new security context, would I lose the management connection?
Thanks for your help.
12-11-2018 06:14 AM
for this
context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible
Yes, you can do it, but make sure you have VLANs 300 and 310 trunked from the switch to the firewall. I think as good practice, making it a separate bundle would make it easier when troubleshooting: routed and transparent separate.
In regards to the management interface, why don't you create an admin context and allocate the management interface to it? It would be easier for you to manage the remaining contexts.
Let's see what others say on this.
12-12-2018 03:34 AM
Hello.
Thanks for your help. We are already using a management context in which we have the interface Management0/0 for all the security contexts. My question about the management interface is related to how the ASA discovers the MAC address for the next hop in transparent mode; I have been reading this thread: https://community.cisco.com/t5/firewalls/cisco-asa-in-transparent-mode-management/td-p/1498620
And I do not know if I have to create another L3 management interface only for this security context.
Regards.
01-16-2019 05:17 AM - edited 01-16-2019 05:33 AM
Hello
Another question: can two subinterfaces from the same transparent security context be part of a bridge group?
In this case interface Port-channel2.300 and interface Port-channel2.300
I have seen in the docs from Cisco that you can use physical subinterfaces, but not whether you can use EtherChannel subinterfaces.
Thanks for your help.
01-16-2019 05:40 AM - edited 01-16-2019 05:43 AM
To be honest I never tried it, but I do not think this is possible. I might be wrong here.
01-16-2019 05:44 AM
Sorry,
A typo, I meant interface port-channel2.300 and interface port-channel2.400. The external would be the interface port-channel2.300 and the internal the port-channel2.400.
Regards
01-16-2019 06:21 AM - edited 01-16-2019 06:28 AM
I had a thought about it. Say in the system context you define the port/port-channel:
system
!
! Port-channel members: no Layer 3 settings on the physical ports
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 channel-group 2 mode active
 no shutdown
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 channel-group 2 mode active
 no shutdown
!
interface Port-channel2
!
! One tagged subinterface per VLAN, then hand them to the context
interface Port-channel2.300
 vlan 300
!
interface Port-channel2.400
 vlan 400
!
context c1
 allocate-interface Port-channel2.300 inside_c1
 allocate-interface Port-channel2.400 outside_c1
 config-url disk0:/c1.cfg
!
changeto context c1
!
! Set the mode inside the context before configuring the bridge group
firewall transparent
!
interface inside_c1
 nameif inside
 bridge-group 1
 security-level 100
!
interface outside_c1
 nameif outside
 bridge-group 1
 security-level 0
!
! The BVI carries the context's management IP for the bridged pair
interface BVI1
 ip address x.x.x.x x.x.x.x
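As an added example (not part of the thread, and neither Cisco's nor the poster's code), a small Python checker that catches the pitfalls raised above: a VLAN tag reused on another subinterface of the same port-channel (the first question), and a duplicate nameif or a one-member bridge-group inside a transparent context (the bridge-group question). The sample configs embedded in it are constructed to mirror the posted one, including its repeated nameif inside.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's config (hypothetical, not the poster's file);
# it keeps the duplicate 'nameif inside' so the checker has something to flag.
SYSTEM_CFG = """\
interface port-channel2.300
 vlan 300
interface port-channel2.400
 vlan 400
"""
CONTEXT_CFGS = {"c1": """\
firewall transparent
interface inside_c1
 nameif inside
 bridge-group 1
 security-level 100
interface outside_c1
 nameif inside
 bridge-group 1
 security-level 0
"""}

def check_config(system_cfg, context_cfgs):
    """Return a list of problem strings; an empty list means every check passed."""
    problems, seen, cur = [], {}, None            # seen: (port-channel, vlan) -> subinterface
    for line in system_cfg.splitlines():         # system context: subinterface -> VLAN tag
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1).lower()
        elif (m := re.match(r"\s+vlan (\d+)", line)) and cur:
            key = (cur.split(".")[0], int(m.group(1)))   # one VLAN tag per port-channel
            if key in seen:
                problems.append(f"vlan {key[1]} used twice on {key[0]}: {seen[key]} and {cur}")
            seen.setdefault(key, cur)
    # Per context: nameif must be unique, and a bridge-group needs at least two members.
    for ctx, cfg in context_cfgs.items():
        names, members, cur = {}, defaultdict(list), None
        for line in cfg.splitlines():
            if m := re.match(r"interface (\S+)", line):
                cur = m.group(1)
            elif (m := re.match(r"\s+nameif (\S+)", line)) and cur:
                if m.group(1) in names:
                    problems.append(f"context {ctx}: nameif {m.group(1)} on both {names[m.group(1)]} and {cur}")
                names.setdefault(m.group(1), cur)
            elif (m := re.match(r"\s+bridge-group (\d+)", line)) and cur:
                members[m.group(1)].append(cur)
        for bg, ifs in members.items():
            if len(ifs) < 2:
                problems.append(f"context {ctx}: bridge-group {bg} has only {ifs}")
    return problems
```

Run it against a `show running-config` captured from the system context and from each transparent context; the VLAN check also covers subinterfaces that belong to the routed contexts, since they share the same port-channel.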