Cisco ASA design guide for use with Contexts

I am looking for a design guide for when using contexts.  More specifically when setting up 2 contexts (one for an un-secure zone, the second for a secure zone).  I am a little curious about the best practices for routing between the two contexts, as from my understanding the ASA cannot route traffic itself between the two contexts?

We are working with ASA5585's.

Any advice, tips or links would be much appreciated.

Thanks.

--
Please remember to select a correct answer and rate helpful posts
Accepted Solution

I personally never did so, but it's possible to pass traffic between contexts when using so-called cascading. In this case, the outside interface of one context is located on the same physical interface (shared interface) as the inside interface of another context. Those two interfaces should use different MAC addresses for the ASA to be able to classify which context a packet is directed to. Here's the link where it's described a little:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html

But to me it seems more practical and logical not to share any physical interfaces of the ASA, and to direct traffic between contexts using external switches and additional cables. So, say, out of four interfaces of one physical appliance you may bind two to one context and another two to the other. For traffic to go between them, just properly connect the inside/outside interfaces of the corresponding contexts.
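As an added illustration of the cascading design described above (this configuration is not from the thread or from Cisco's guide; context names, interface numbers, and the RFC 5737/RFC 1918 addresses are assumed), the system context allocates one shared physical interface to both contexts and enables automatic MAC generation so the classifier can tell the two contexts apart:

```cisco
! ---- system execution space (assumed interface names) ----
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
! Gi0/1 is the SHARED interface: outside of inside-ctx, inside of outside-ctx
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
! Give each context's copy of a shared interface its own MAC address.
! Without this the classifier cannot map a received frame to one context.
mac-address auto
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context outside-ctx
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/outside-ctx.cfg
!
context inside-ctx
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/inside-ctx.cfg

! ---- outside-ctx (front firewall, facing the WAN) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
! Traffic for the secure segment is sent to inside-ctx's outside address.
route inside 10.20.0.0 255.255.255.0 10.10.0.2

! ---- inside-ctx (second firewall, in front of the servers) ----
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.0.1
```

Each context still needs its own access lists and NAT for the traffic it should permit; after applying this, `show interface` in each context should report a different MAC address on the shared GigabitEthernet0/1.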



Andrew Phirsov

Why would you need two contexts if you're planning to pass traffic between them? A firewall in single context mode will perfectly suit your need for separating secure and unsecure segments.

Thanks for your reply.

Yes, I know, but we have a requirement that the secure and not secure are to be separated by "2 different firewalls".

for example:

WAN ----------- outside-ASA ---------- Unsecure client access ------------- inside-ASA ------------- Servers / sensitive information

Now I realize that this can be done with 1 context, aka "single mode".  But the client has security policies that state that the secure and unsecure portions of the network need to be separated by 2 separate firewalls.  To save on costs they have purchased 2 ASA5585s to be used in 2 different data centers, and utilize the contexts for the physical separation of the networks.

Now, I am wondering if my understanding of the ASA is incorrect, that it is able to pass traffic from one context to another.  Or, would I need to do a bit of cable magic and use a transport VLAN through the switch to the secure context to get the routing to work?


