08-15-2017 07:10 PM - edited 03-12-2019 02:49 AM
Hi,
I know this might have been asked many times, but I'm wondering if you can assist me with how to set up a context that is routed and acts as the gateway for the LAN.
the requirement is this:
I have the following on the ASA 5585.
I need to create a new subnet for which the firewall will be the gateway.
Do I need to have a separate cable connection?
The Giga 0/3 is for the failover; just omit it.
The switches are connected directly to the core routers and then, via a trunk I suppose, they will go to the firewall to reach the gateway and return the traffic.
Any ideas or posts on how to set that up?
Thanks for your assistance.
08-15-2017 08:19 PM
Hi
I don't know what your current contexts are for, but you can create a subinterface within one of your existing contexts to create a new L3 interface acting as the default gateway for your new subnet.
As you asked for a new context, below is the way to proceed:
1. On the system context (changeto system)
context CTX3
config-url disk0:CTX3.cfg
allocate-interface Te0/8 --> I used this one as it is already a shared interface between the 2 existing contexts.
If you want to use a gig interface, it will be the same config, but if this gig is already used in another context, you'll need to trunk the VLAN from the switch and adapt the interface config on the ASA.
As you have failover, you need to attach a failover group to this new context:
context CTX3
join-failover-group X --> based on your configuration, as the failover groups are already created
!
As you already have a shared interface, the MAC address has been set up. If you have the command mac-address auto then it's fine; otherwise a manual MAC address has been set up. If this is the case, then you need to move to your new context and configure the MAC address for the interface, as well as on your secondary firewall.
2. On the new context (changeto context CTX3)
Configure your interface like:
interface te0/8.xxx --> xxx corresponds to your new VLAN ID
ip address x.x.x.x x.x.x.x
security-level 100 --> adapt the security level based on your requirements.
nameif xxxx --> name your new zone
Continue the configuration for NAT, routing, ACLs...
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
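The two steps of the answer above, written out as one complete worked ASA configuration. This is an added example, not the poster's or the original asker's configuration: the context name CTX3, VLAN IDs 300 and 200, the interface names lan300 and outside, failover group 1, the 10.30.0.0/24 and 192.0.2.0/24 addresses and the next hop 192.0.2.1 are all assumed placeholders. It also assumes the VLAN subinterfaces are defined in the system execution space and then allocated to the context, and gives the new LAN an explicit inbound ACL instead of relying on the security-level implicit permit.

```cisco
! ===== 1. System execution space =====
changeto system
!
! Unique per-context MAC addresses on shared interfaces (skip if MACs are
! set manually; then put mac-address under each interface in the context)
mac-address auto
!
! Parent interface shared with the other contexts, plus VLAN subinterfaces
! for the new LAN (vlan 300) and toward the core routers (vlan 200, assumed)
interface TenGigabitEthernet0/8
 no shutdown
!
interface TenGigabitEthernet0/8.300
 vlan 300
!
interface TenGigabitEthernet0/8.200
 vlan 200
!
! New context: its own config file, its interfaces and its failover group
context CTX3
 description New routed LAN segment (assumed example)
 allocate-interface TenGigabitEthernet0/8.300
 allocate-interface TenGigabitEthernet0/8.200
 config-url disk0:/CTX3.cfg
 join-failover-group 1
!
! ===== 2. Inside the new context =====
changeto context CTX3
!
interface TenGigabitEthernet0/8.300
 nameif lan300
 security-level 100
 ip address 10.30.0.1 255.255.255.0 standby 10.30.0.2
!
interface TenGigabitEthernet0/8.200
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
! Default route toward the core router (assumed next hop)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! NAT the new LAN behind the outside address (drop this if the core
! routes 10.30.0.0/24 natively back to the firewall)
object network LAN300_NET
 subnet 10.30.0.0 255.255.255.0
 nat (lan300,outside) dynamic interface
!
! Explicit inbound policy for the new LAN: permit only what is needed and
! log everything else, rather than relying on security-level 100 alone
access-list LAN300_IN extended permit udp 10.30.0.0 255.255.255.0 any eq domain
access-list LAN300_IN extended permit tcp 10.30.0.0 255.255.255.0 any eq www
access-list LAN300_IN extended permit tcp 10.30.0.0 255.255.255.0 any eq https
access-list LAN300_IN extended deny ip any any log
access-group LAN300_IN in interface lan300
!
! ===== 3. Checks =====
! changeto system ; show context       -> CTX3 listed with both subinterfaces
! show failover                         -> CTX3 in group 1, primary/secondary agree
! changeto context CTX3 ; show interface ip brief  -> lan300 up/up, 10.30.0.1
! show route                            -> default via 192.0.2.1 on outside
```

Two points worth checking before trusting this: the switch port facing Te0/8 must carry VLAN 300 on its trunk, and since Te0/8 is shared between contexts the ASA classifies inbound frames by destination MAC, so each context must own a distinct MAC on that interface (mac-address auto, or a manual mac-address with its standby value on both units) or traffic for the new LAN can be delivered to the wrong context.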
08-16-2017 07:06 PM
Thank you. I followed your steps with some minor details, but it worked :) I appreciate that.
08-16-2017 07:11 PM
You're welcome.
Did you get any issues?
08-17-2017 07:09 AM
:)
Yep, since I'm not used to ASA deployments, because they were already set up here, I took this chance to learn and deploy.
I had some VLANs and ACLs missing; at the beginning I misconfigured the interfaces, but I had to remake it all from the start. Luckily for me these ASAs are empty in the DC, so there was no problem editing the entire config.
08-17-2017 08:31 AM
OK nice :-)