
create a context in routed mode-ASA

Hi, 

I know this might have been asked many times, but I'm just wondering if you can assist me with how to set up a context in routed mode, so that it acts as the gateway of the LAN.

The requirement is this:

I have the following on the ASA 5585:

I need to create a new subnet for which the firewall will be the gateway.

Do I need a separate cable connection?

Giga 0/3 is for the failover; just omit it.

The switches are connected directly to the core routers and then, via a trunk I suppose, they will go to the firewall to reach the gateway and return the traffic.

Any ideas or posts on how to set that up?

Thanks for your assistance.

Accepted Solution

Francesco Molino
VIP Alumni

Hi 

I don't know what your current contexts are for, but you can create a subinterface within one of your existing contexts to create a new L3 interface acting as the default gateway for your new subnet.

As you asked for a new context, below is the way to proceed:

1. On the system context (changeto system):

context CTX3
  config-url disk0:/CTX3.cfg
  allocate-interface TenGigabitEthernet0/8 --> I used this one as it is already a shared interface between the 2 existing contexts.

If you want to use a Gig interface, it will be the same config, but if this Gig interface is already used by another context, you'll need to trunk the VLAN from the switch and adapt the interface config on the ASA.

As you have failover, you need to attach a failover group to this new context:

context CTX3
  join-failover-group X --> based on your configuration, as the failover groups are already created
!
 

As you already have a shared interface, the MAC address has been set up. If you have the command mac-address auto then it's fine; otherwise a manual MAC address has been set up. If this is the case, then you need to move to your new context and configure the MAC address for the interface, as well as on your secondary firewall.

2. On the new context (changeto context CTX3)

Configure your interface like:

interface TenGigabitEthernet0/8.xxx --> xxx corresponds to your new VLAN id (in multiple context mode the subinterface and its "vlan xxx" are created in the system space and allocated to the context; here you only configure it)
  nameif xxxx --> the name of your new zone
  security-level 100 --> adapt the security level based on your requirements
  ip address x.x.x.x x.x.x.x

Continue the configuration for NAT, routing, ACLs...

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

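Below is an added example, not part of the original post or of any answer in the thread, that carries the two-step procedure above through to a complete configuration. All values are hypothetical: context CTX3, the shared TenGigabitEthernet0/8 trunk, VLAN 310 for the new LAN (10.31.0.0/24), VLAN 320 as the uplink toward the core, failover group 1, and the mapped interface names lan_if and uplink_if. It goes one step beyond the post by also allocating an uplink subinterface, since a context with only the LAN interface has nowhere to route to, and by putting an explicit ACL on the new zone.

```text
! Added example (not from the original post); hypothetical values throughout.
!
! ----- 1. System execution space -----
changeto system
!
! Shared interfaces need a unique MAC per context; otherwise the ASA has to
! classify ingress frames by destination address/NAT rather than by MAC.
mac-address auto
!
! In multiple context mode the subinterface and its 802.1Q tag are created
! here, in the system space, and then allocated to the context.
interface TenGigabitEthernet0/8.310
 vlan 310
!
interface TenGigabitEthernet0/8.320
 vlan 320
!
! Mapped names (lan_if, uplink_if) hide the physical interface IDs from
! whoever administers the context.
context CTX3
 description Gateway context for the new LAN
 allocate-interface TenGigabitEthernet0/8.310 lan_if
 allocate-interface TenGigabitEthernet0/8.320 uplink_if
 config-url disk0:/CTX3.cfg
 join-failover-group 1
!
! ----- 2. Inside the new context -----
changeto context CTX3
!
! The mapped names from allocate-interface are the interface IDs here.
interface lan_if
 nameif inside
 security-level 100
 ip address 10.31.0.1 255.255.255.0 standby 10.31.0.2
!
interface uplink_if
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! Default route toward the core router on the uplink VLAN.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! With no ACL the ASA permits everything from the higher security level to
! the lower one; pin the new zone down explicitly and log the denies.
access-list INSIDE_IN extended permit tcp 10.31.0.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.31.0.0 255.255.255.0 host 203.0.113.53 eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Checks after the change:
!   (system)  show context   -> CTX3 listed with both interfaces and its config-url
!   (system)  show failover  -> CTX3 in failover group 1, active on the intended unit
!   (CTX3)    show interface inside -> an auto-generated MAC, not the burned-in one
```

The "standby" addresses match the failover setup the thread describes; drop them on a standalone unit. The hosts and ports in the ACL are placeholders: replace them with the flows the new LAN actually needs, keeping the final deny with logging so misclassified or unexpected traffic shows up in the logs.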

5 Replies


Thank you, I followed your steps with some minor details, but it worked :) Appreciate that.

You're welcome.

Did you get any issues?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

:) 

Yep, since I'm not used to ASA deployments, because they were already set up here, I took this chance to learn and deploy.

I had some VLANs and ACLs missing; at the beginning I misconfigured the interfaces, so I had to remake it all from the start. Lucky for me that these ASAs are empty in the DC, so no problem editing the entire config.

OK nice :-)


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question