ASA Multi context routing

yannaing00 · ‎05-07-2016

Hi All,

Now I have two ASA 5585-x firewall in my office. I want to use multi context for two department (context Admin and context HR). But this two department need to communicate each other. Could you please help me how to do for my requirement. And how many method we can communicate for these two department two context?

Regards,

Marvin Rhoads · ‎05-07-2016

Why do you want separate contexts? We generally use contexts when we want to completely isolate two sets of users and give each their own unique external access policies.

If HR and admin need to communicate, what policy do you want to implement? (any-any, only access certain servers, only use specific defined protocols etc.).

I would generally advocate use of zones and/or separate firewall interfaces when faced with this type of requirement. You can then use access lists as appropriate to restrict and permit inter-department communications.

yannaing00 · ‎05-07-2016

Hi Marvin,

Yes, I see your point but my real requirement is not HR and admin department. I want to separate two zone (one zone is billing server and another zone is web server). Normal time no need to communicate between this two zone but sometime web server zone need to communicate billing server zone for some reason. At this time we need to configure this two server communication. So I want to use multiple context and separate zone.

Regards,

Paul Chapman · ‎05-08-2016

Hi -

For the purposes of routing logic, treat each context as a separate standalone firewall. You route between contexts the same way you route between standalone firewalls. This means that you will need a common network between the two or a routed path through another network.

PSC

Marvin Rhoads · ‎05-08-2016

As Paul noted, context do not talk to each other within the ASA. That is by design and a fundamental part of why we use contexts.

The use case you are describing is a classic description of why we would use a DMZ.