11-24-2009 01:56 AM - edited 03-11-2019 09:41 AM
Hi
I want to have two security contexts for active/active failover, but I have a problem with the admin context.
I want context 1 to be empty and context 2 to contain one gateway (on the outside interface) and several VLANs.
Context2 will be part of failover group2, which will be active on security appliance2.
Context 1 will be part of failover group1, which will be active on security appliance1.
But what do I do with the admin context? What do I put in or remove from this context? Does it have to contain all the interfaces?
I have 802.1Q trunks for both the outside & inside interfaces.
I want vlan2, vlan3, vlan4, vlan5 on the inside & vlan 10, vlan 11 on the outside.
Security appliance1 would have:
context context1
allocate-interface GigabitEthernet0.10 outside_context1
allocate-interface GigabitEthernet1.2 vlan2
allocate-interface GigabitEthernet1.3 vlan3
config-url flash:/context1.cfg
context context2
config-url flash:/context2.cfg
Security appliance2 would have:
context context1
config-url flash:/context1.cfg
context context2
allocate-interface GigabitEthernet0.11 outside_context1
allocate-interface GigabitEthernet1.4 vlan4
allocate-interface GigabitEthernet1.5 vlan5
config-url flash:/context2.cfg
What about the admin context? What do I put in it, or what do I remove?
Actually it has everything:
context admin
allocate-interface GigabitEthernet0.10
allocate-interface GigabitEthernet0.11
allocate-interface GigabitEthernet1.2
allocate-interface GigabitEthernet1.3
allocate-interface GigabitEthernet1.4
allocate-interface GigabitEthernet1.5
config-url flash:/admin.cfg
Thank you very much
11-24-2009 03:24 AM
roussillon wrote:
Hi
I want to have two security contexts for active/active failover, but I have a problem with the admin context.
I want context 1 to be empty and context 2 to contain one gateway (on the outside interface) and several VLANs.
Context2 will be part of failover group2, which will be active on security appliance2.
Context 1 will be part of failover group1, which will be active on security appliance1.
But what do I do with the admin context? What do I put in or remove from this context? Does it have to contain all the interfaces?
I have 802.1Q trunks for both the outside & inside interfaces.
I want vlan2, vlan3, vlan4, vlan5 on the inside & vlan 10, vlan 11 on the outside.
Security appliance1 would have:
context context1
allocate-interface GigabitEthernet0.10 outside_context1
allocate-interface GigabitEthernet1.2 vlan2
allocate-interface GigabitEthernet1.3 vlan3
config-url flash:/context1.cfg
context context2
config-url flash:/context2.cfg
Security appliance2 would have:
context context1
config-url flash:/context1.cfg
context context2
allocate-interface GigabitEthernet0.11 outside_context1
allocate-interface GigabitEthernet1.4 vlan4
allocate-interface GigabitEthernet1.5 vlan5
config-url flash:/context2.cfg
What about the admin context? What do I put in it, or what do I remove?
Actually it has everything:
context admin
allocate-interface GigabitEthernet0.10
allocate-interface GigabitEthernet0.11
allocate-interface GigabitEthernet1.2
allocate-interface GigabitEthernet1.3
allocate-interface GigabitEthernet1.4
allocate-interface GigabitEthernet1.5
config-url flash:/admin.cfg
Thank you very much
The admin context is used purely for administering the ASA, so it doesn't need to have all the interfaces in it. It should have its own interfaces that are used purely to remotely log on to the ASA and also for remotely accessing config files etc.
Jon
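Added example, not part of the thread and not Cisco tooling: a short Python audit that reads the system-context `context` / `allocate-interface` blocks and lists every interface the admin context shares with a data context, which is what the reply above advises against. The sample text is constructed from the configuration posted in the question; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the admin context as posted in the question, plus the
# context1/context2 blocks planned for security appliance 1.
SAMPLE = """\
context admin
 allocate-interface GigabitEthernet0.10
 allocate-interface GigabitEthernet0.11
 allocate-interface GigabitEthernet1.2
 allocate-interface GigabitEthernet1.3
 allocate-interface GigabitEthernet1.4
 allocate-interface GigabitEthernet1.5
 config-url flash:/admin.cfg
context context1
 allocate-interface GigabitEthernet0.10 outside_context1
 allocate-interface GigabitEthernet1.2 vlan2
 allocate-interface GigabitEthernet1.3 vlan3
 config-url flash:/context1.cfg
context context2
 config-url flash:/context2.cfg
"""

def parse_contexts(config):
    """Return {context name: set of allocated interfaces} from system config text."""
    contexts, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"context\s+(\S+)$", line):
            current = m.group(1)
            contexts.setdefault(current, set())  # keep contexts with no interfaces
        elif (m := re.match(r"allocate-interface\s+(\S+)", line)) and current:
            contexts[current].add(m.group(1))
    return contexts

def admin_overlap(config, admin="admin"):
    """Map each admin-context interface also used by a data context to those contexts."""
    contexts = parse_contexts(config)
    shared = defaultdict(list)
    for name, ifaces in contexts.items():
        if name != admin:
            for iface in ifaces & contexts.get(admin, set()):
                shared[iface].append(name)
    return {i: sorted(n) for i, n in sorted(shared.items())}

if __name__ == "__main__":
    for iface, users in admin_overlap(SAMPLE).items():
        print(f"{iface}: allocated to admin and to {', '.join(users)}")
```

An empty result means the admin context only holds interfaces of its own, which matches the advice in the reply.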
11-24-2009 09:09 AM
Yes, it worked, thanks.
But I cannot make ping & traceroute work.
I added
access-list outside_access_in extended permit icmp any any time-exceeded log disable
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-group outside_access_in in interface outside
It works fine in single mode but it seems to have no effect in context mode.
Is there something missing?
Thanks