Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3667
Views
0
Helpful
17
Replies

ASA Multiple contexts accessing outside interface

snowmizer
Level 1
Level 1

‎09-23-2011 06:06 AM - edited ‎03-11-2019 02:29 PM

I am setting up a new ASA and I have configured it for multiple contexts. I created subinterfaces for each physical interface (including the inside and outside). All physical interfaces have been plugged into trunk ports. I have configured all with VLANs in the system context and have assigned the appropriate subinterfaces to my contexts. Each subinterface has an IP address appropriate for the network it is attached to. On one of my contexts I have setup ACLs and NAT to allow traffic from my inside network to my test network, DMZ and outside. I have configured a NAT rule for inside to outside access that PATs the IP address to a public IP address.  I have set up a PC with the IP address of my inside interface on one of my contexts as the default gateway.

When I try to access my DMZ and my test network I have no issues. However when I try to access the Internet it's like nothing is getting routed out. I have set up the default route to our ISP's router (which is the same way we have the existing ASA setup). If I run through the packet tracer the ASA says that the packet is allowed out.

I've been trying to figure out what I'm missing that would prevent traffic from accessing the Internet. Can anyone help?

Thanks.

Labels:
0 Helpful
17 Replies 17

snowmizer
Level 1
Level 1
In response to Jon Marshall

‎09-26-2011 01:27 PM

ASA 5510 running version 8.4.2(1).

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to snowmizer

‎09-26-2011 02:04 PM

Sorry i was thinking in FWSM terms. You don't need to use subinterfaces you just share the same physical interface into both contexts and then you assign the physical interface with an IP from the ISP subnet (so you only need 2 IPs).

When you do this the classifier needs to use the mac-address to decide which context to send the traffic to so you either need to specify a different mac-address for the same interface in each context when you set them up or use the "mac-address auto" command in system execution space.

Jon

0 Helpful

snowmizer
Level 1
Level 1
In response to Jon Marshall

‎09-27-2011 06:33 AM

Thanks Jon. Getting rid of the subinterfaces fixed my issue. I already had the "mac-address auto" command configured so I shouldn't have any issues with mac addresses when I set up my guest network contexts.Now I just have to figure out how I'm going to do my IPS configuration. Is it better to have separate virtual sensors for each context or just configure one?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card