09-23-2011 06:06 AM - edited 03-11-2019 02:29 PM
I am setting up a new ASA and I have configured it for multiple contexts. I created subinterfaces for each physical interface (including the inside and outside). All physical interfaces have been plugged into trunk ports. I have configured all of them with VLANs in the system context and have assigned the appropriate subinterfaces to my contexts. Each subinterface has an IP address appropriate for the network it is attached to. On one of my contexts I have set up ACLs and NAT to allow traffic from my inside network to my test network, DMZ and outside. I have configured a NAT rule for inside-to-outside access that PATs the IP address to a public IP address. I have set up a PC with the IP address of the inside interface of one of my contexts as its default gateway.
When I try to access my DMZ and my test network I have no issues. However, when I try to access the Internet it's like nothing is getting routed out. I have set up the default route to our ISP's router (which is the same way we have the existing ASA set up). If I run through the packet tracer, the ASA says that the packet is allowed out.
I've been trying to figure out what I'm missing that would prevent traffic from accessing the Internet. Can anyone help?
Thanks.
09-26-2011 01:27 PM
ASA 5510 running version 8.4.2(1).
09-26-2011 02:04 PM
Sorry, I was thinking in FWSM terms. You don't need to use subinterfaces; you just share the same physical interface into both contexts and then you assign the physical interface an IP from the ISP subnet in each context (so you only need 2 IPs).
When you do this, the classifier needs to use the MAC address to decide which context to send the traffic to, so you either need to specify a different MAC address for the same interface in each context when you set them up, or use the "mac-address auto" command in the system execution space.
Jon
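As an added illustration of the layout Jon describes (not configuration from the original thread or from either poster), the fragments below show one physical outside interface shared by two contexts, with unique MAC addresses generated by "mac-address auto" so the classifier can tell the contexts apart. Interface names, context names, file names and the 203.0.113.0/24 ISP subnet (an RFC 5737 documentation range) are assumptions for the example; substitute your own.

```text
! ---- System execution space (assumed: Ethernet0/0 faces the ISP) ----
! Generate a unique MAC per context for every shared interface, so the
! classifier can route inbound frames by destination MAC address.
mac-address auto
!
interface Ethernet0/0
 description Shared outside link to ISP
!
! Inside/DMZ networks stay on 802.1Q subinterfaces; only the outside
! link is shared. VLAN IDs below are assumptions.
interface Ethernet0/1.10
 vlan 10
interface Ethernet0/1.20
 vlan 20
!
admin-context admin
context admin
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1.10
  config-url disk0:/admin.cfg
!
context guest
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1.20
  config-url disk0:/guest.cfg

! ---- Context "admin" (assumed public IP .10) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ---- Context "guest" (assumed public IP .11 on the same subnet) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! If "mac-address auto" is not used in the system space, set a distinct
! MAC here under the interface instead (value is a placeholder):
!  mac-address 0200.0000.0002
```

To confirm the classifier has something to work with, run "show interface Ethernet0/0" in each context and check that the MAC address line differs between contexts; two contexts reporting the same burned-in MAC on a shared interface is the condition Jon is warning about. Each context still needs its own NAT and ACL configuration for its outside address, as in the original poster's setup.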
09-27-2011 06:33 AM
Thanks Jon. Getting rid of the subinterfaces fixed my issue. I already had the "mac-address auto" command configured, so I shouldn't have any issues with MAC addresses when I set up my guest network contexts. Now I just have to figure out how I'm going to do my IPS configuration. Is it better to have separate virtual sensors for each context or just configure one?