Cascading Contexts on ASA

Cisco Ham · ‎11-17-2013

Hi,

I need to set up a new pair of ASA's in active-standby configuration, on the ASA I need to configure 2 contexts.

Each of these contexts will have about 5 interfaces that connect to the network, now comes the part that I don't seem to grasp, I also need to interconnect the 2 contexts because there will be some flows that need to go from networks that are connected on Context A to networks that are connected on Context B and vice versa.

This 'transit network' in between the 2 contexts doesn't really leave the ASA, but I think I still need to assign an interface to it and connect it on a switch ?

Do I really need to do that ? Do I need to assign 1 interface to the context A and another one to the context B and have both of them connected to switchports in the same Vlan then ? And what about the failover configuration of this segment between the 2 contexts ?

Also in the documentation I saw something about using unique mac addresses in case of cascading contexts, do I need to do this ? And how exactly do I do this ?

Any help would be much appreciated.

Marius Gunnerud · ‎11-20-2013

You have two options when wanting to send traffic between the contexts.

allocate a physical interface to each context and then connect those interface to a switch in a dedicated transport VLAN.
Assign sub interfaces of the same interface to each context and assign an IP in different subnet to them

context 1

int ten0/1.101

security-level 100

nameif Context1

ip address 10.10.10.1 255.255.255.0

context 2

int ten0/1.102

security-level 100

nameif Contex2

ip address 10.10.11.1 255.255.255.0

In the second option the traffic will hit the interface and then do a U-turn and come back in the same interface. The ASA will act as a router between the contexts.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1220886

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Cisco Ham · ‎11-21-2013

Hi Marius,

Thank you for your answer but I'm afraid I'm even more confused than before. My ASA's will be in routing mode, I don't see how these 2 contexts will be able to communicate with eachother over this transport vlan if the IP addresses on both ends are in different IP subnets.

Maybe I didn't make myself clear enough, I made a few simplified draw pictures of what I want to do, this is the locical setup :

The physical setup would be something like this :

Does this make sense ? Do I really need to waste 2 Interfaces on each ASA for this transit Vlan between the 2 Contexts ?

I was planning to assign a /29 network to this transit vlan because I need at least 4 IP's in this range.

Do I need to use this "unique mac addresses" feature in this setup ?

Or am I seeing this completely wrong and is there a better way to achieve this ?

The documentation around cascading contexts seems to be very limited, I really need some guidance here.

Marius Gunnerud · ‎11-21-2013

Sorry, I meant to say that the shared interface needs to be on the same network. (must have been thinking about something else when I was writing.

you do not need to waste 2 interfaces on the ASA to get this working, however, if your security policy dictates that you need to have the two contexts physically seperate then you must use two interfaces.

context1

interface outside

nameif outside

security-level 0

ip address 10.1.0.1 255.255.255.0

interface inside

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

route outside 10.0.10.0 255.255.255.0 10.1.0.2 1

context2

interface outside

nameif outside

security-level 0

ip address 10.1.0.2 255.255.255.0

interface inside

nameif inside

security-level 100

ip address 10.0.10.1 255.255.255.0

access-list outside_access_in extended permit ip any any

route outside 10.0.0.0 255.255.255.0 10.1.0.1 1

--
Please remember to select a correct answer and rate helpful posts