Inter Context Routing in ASA

mbhatti1986
Beginner

Hi All,

Need your help with routing between contexts. I have been reading some threads to see how best to do the routing between two contexts, and what I have gathered is that if you want to route, let's say, from Context A to Context B, when traffic enters Context A you send it outside to some router or Layer 3 switch and send it back to the ASA in Context B.

I have been testing this in the lab and it worked, but what I also tested is whether we are able to do the inter-context routing within the ASA. The topology I was using is simply a Layer 3 switch connecting to the ASA with two contexts; the first context is Context A and the second one is Context B.

Client in VLAN 10 with IP address 10.1.1.1 -----> Layer 3 switch ------> Interface Gig 0/1.10 (Context A ---- ASA ---- Context B) Interface Gig 0/2.20 ---------> Layer 3 switch -----> Client in VLAN 20 with IP address 20.1.1.1

I have also created one more subinterface, Gig 0/1.30, and shared this interface on both Context A and Context B. This VLAN doesn't exist on either of the Layer 3 switches.

As Gig 0/1.30 is shared with both contexts, I gave this interface the following IP addresses:

Context A: Interface Gig 0/1.30 ----- ip address 30.1.1.1 255.255.255.0 nameif sharedifcontexta

Context B: Interface Gig 0/1.30 ----- ip address 30.1.1.2 255.255.255.0 nameif sharedifcontextb

I then gave a route in Context A: route sharedifcontexta 20.1.1.0 255.255.255.0 30.1.1.2

I also gave the route in Context B as: route sharedifcontextb 10.1.1.0 255.255.255.0 30.1.1.1

After the test the flow worked, which I wasn't expecting, as both contexts should have different control planes. The flow works like this:

A packet that wants to go to 20.1.1.1 enters the ASA via Gig 0/1.10 in Context A -----> Context A has the route to send this traffic to 30.1.1.1 via the shared interface into Context B; Context B then has the network directly connected and sends it towards 20.1.1.1.

Same flow vice versa.

My questions are:

Why did the ASA allow routing between contexts within the firewall, as I thought that ASA contexts work totally independently of each other and don't allow inter-context routing within the same firewall?

Does this put an extra burden on the ASA to handle the context routing?

Can this option be considered in the design?

Why did the ASA allow configuring IP addresses in the same subnet on the shared interfaces? Bear in mind, if you try to configure the same IP address on both contexts the ASA won't allow it; it will give an error saying the IP address is already in use, which means you can use the same subnet but not the same IP address on the shared interface?

Also, to mention: as I was only testing this solution, I configured the access-list as permit ip any any.

The ASA I was using in the lab is an ASA5520 with Cisco Adaptive Security Appliance Software Version 8.4(7).


3 REPLIES

Vibhor Amrodia
Cisco Employee

Hi,

I think this is expected, as this is cascading the ASA contexts.

Now, as for the IP configuration on the shared interfaces being the same interfaces, that is permitted as the context is different.

This is explained in this document:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/contexts.html#wp1121392

Thanks and Regards,

Vibhor Amrodia

Hi,

But my question is: as the contexts should work independently of each other, if you want to do inter-context routing you should go out of the ASA to some router and then come back to the other context, which is not the case in my scenario. I am pointing the route for Context B from Context A to the shared interface, which means the inter-context routing happens within the ASA.

Thanks

Hi,

If you don't want traffic to move straight from one context to the other, you can point the route to the L3 device and then back to the other context.

As you already have an interface shared and a route pointing to the other context's interface, it will never leave the ASA device and will be routed internally.

Thanks and Regards,

Vibhor Amrodia
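The two designs discussed in this thread, written out as an ASA 8.4 multiple-context configuration. This is an added example, not configuration posted by anyone in the thread: it keeps the interfaces, addresses, nameifs and static routes the original poster gave, and assumes everything else (the context names, the ASA's own addresses on VLAN 10 and VLAN 20, the L3 switch address on VLAN 10, the ACL names). The original test used "permit ip any any"; here the ACLs on the shared interfaces permit only the two client subnets, so a hop across the shared VLAN is filtered by each context it passes through.

```cisco
! Added example configuration (not from the thread).
! Assumed values: context names ContextA/ContextB, ASA addresses 10.1.1.254 and
! 20.1.1.254, L3 switch address 10.1.1.2 on VLAN 10, ACL name SHARED_IN.

! --- System execution space ---
! A shared subinterface is allocated to both contexts; unique MAC addresses let the
! classifier decide which context a frame on VLAN 30 belongs to.
mac-address auto
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.30
 vlan 30
interface GigabitEthernet0/2.20
 vlan 20
context ContextA
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/1.30
 config-url disk0:/ContextA.cfg
context ContextB
 allocate-interface GigabitEthernet0/2.20
 allocate-interface GigabitEthernet0/1.30
 config-url disk0:/ContextB.cfg

! --- ContextA (disk0:/ContextA.cfg) ---
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
interface GigabitEthernet0/1.30
 nameif sharedifcontexta
 security-level 50
 ip address 30.1.1.1 255.255.255.0
! Option 1 (what the poster tested): next hop is ContextB's address on the shared
! VLAN, so the packet is handed to ContextB without leaving the chassis.
route sharedifcontexta 20.1.1.0 255.255.255.0 30.1.1.2 1
! Option 2 (the accepted answer): next hop is the L3 switch on VLAN 10, which routes
! the packet back into ContextB on VLAN 20. Use this line instead of the one above.
! route inside 20.1.1.0 255.255.255.0 10.1.1.2 1
! Inbound policy on the shared interface: only traffic from the VLAN 20 clients to
! the VLAN 10 clients is accepted from ContextB; everything else is dropped and logged.
access-list SHARED_IN extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SHARED_IN extended deny ip any any log
access-group SHARED_IN in interface sharedifcontexta

! --- ContextB (disk0:/ContextB.cfg), the mirror image ---
interface GigabitEthernet0/2.20
 nameif inside
 security-level 100
 ip address 20.1.1.254 255.255.255.0
interface GigabitEthernet0/1.30
 nameif sharedifcontextb
 security-level 50
 ip address 30.1.1.2 255.255.255.0
route sharedifcontextb 10.1.1.0 255.255.255.0 30.1.1.1 1
access-list SHARED_IN extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
access-list SHARED_IN extended deny ip any any log
access-group SHARED_IN in interface sharedifcontextb
```

With option 1 a flow from 10.1.1.1 to 20.1.1.1 is built as a connection in ContextA (inside to sharedifcontexta) and again as a separate connection in ContextB (sharedifcontextb to inside), so it is inspected and counted twice and each context's ACL applies independently; the contexts share no routing table, which is why the static route has to be entered on both sides. Option 2 moves the hand-off to the L3 switch, so the traffic between the contexts is visible and controllable on the switch as well.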
