01-09-2010 11:22 PM - edited 03-11-2019 09:55 AM
Cisco ASA5520
Created two different contexts - Context A and Context B
Objective:- I would like to route between these 2 contexts INTERNALLY.
Is this achievable? I've read the Cisco doc examples; most of them illustrate routing outside to the internet before coming back in to the other context.
I have a customer requirement whereby users on Context A would need to access some servers from Context B, that is, without routing out to the internet.
Please advise
01-10-2010 01:42 AM
J_Vansen_S wrote:
Cisco ASA5520
Created two different contexts - Context A and Context B
Objective:- I would like to route between these 2 contexts INTERNALLY.
Is this achievable? I've read the Cisco doc examples; most of them illustrate routing outside to the internet before coming back in to the other context.
I have a customer requirement whereby users on Context A would need to access some servers from Context B, that is, without routing out to the internet.
Please advise
Well, you shouldn't have to go out to the Internet, although it does depend on your topology setup. There are 2 ways to do this -
1) traffic from A is routed out of context A and then routed to context B and vice-versa. So the 2 contexts are completely separate and you just need to make sure that there is a routed path between A and B. This in theory, I guess, could be the next-hop towards the internet.
2) each context has an interface connected to the subnet which the servers are on. So you don't need to route out of A and back into B; you can simply go straight from A to the server subnet.
Which one to use is a matter of security requirements. But one thing I would recommend is that traffic to servers from A -> B should not go via the internet.
Jon
01-10-2010 12:32 PM
Are there any shared interfaces between the contexts?
01-10-2010 05:57 PM
No, there isn't any shared interface on my setup.
Is the concept of shared interface the way to go to meet my objectives?
01-10-2010 06:15 PM
J_Vansen_S wrote:
No, there isn't any shared interface on my setup.
Is the concept of shared interface the way to go to meet my objectives?
As I said, it depends on your security requirements. If you are happy to have both contexts having direct access to the server LAN then yes, a shared interface is one way to do it.
Jon
01-10-2010 10:39 PM
Thanks for the advice.
I have altered my design slightly to cater for shared interface.
The users on both contexts can now access the server zone. Thanks!!
However, I am having a slight problem.
On the other hand, my servers could not access the user zone?
I believe I have put in the necessary routes.
Please advise
01-10-2010 10:43 PM
01-11-2010 01:09 AM
I have a similar network that I am designing now and I can really use your help.
First of all, what is the gateway of your servers located in 192.168.1.x? Do they have an internet feed?
Do you use NAT exemption for internal traffic? For example, for traffic flowing from zone_users to servers and vice versa, or do you NAT them?
What if you need to provide access from zone 1 to zone users, what will you do then?
I am posting my config here, just tell me if it is correct or not:
Asa 5510
----------------------
01-11-2010 01:34 AM
Hi,
Apparently I point my servers to the gateway on Context B for the internet feed.
I did not use NAT exemption for traffic flowing from zone_users to servers.
Instead I use dynamic PAT:
global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0
01-11-2010 01:46 AM
Yes, you are right, I missed the L3 on your diagram. I am asking you this because my network is exactly like yours, with the difference that mine is fully L2.
That's why I am asking you for the gateway. Any ideas for my case?
01-11-2010 02:13 AM
Why do you have to use dynamic PAT instead of NAT exemption with access lists and a static route for your L3 network?
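To make the NAT-exemption alternative concrete, here is an added example (not posted by anyone in this thread) of what Context A's configuration could look like in the 8.2-era syntax the thread uses. The interface names zone_users and shared and the 192.168.7.0/24 user subnet come from the thread; the 192.168.1.0/24 server subnet, the next-hop 192.168.1.1, the ACL names and the permitted ports are assumptions.

```cisco
! Context A - user zone. Mirror the same pattern in Context B.
! Assumed: servers on 192.168.1.0/24 behind an L3 device at 192.168.1.1
! reachable on the shared segment; interface names from the thread.
!
! 1. NAT exemption: user-to-server traffic keeps real addresses in both
!    directions, so it is not hidden behind the dynamic PAT below.
access-list NONAT extended permit ip 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (zone_users) 0 access-list NONAT
!
! 2. Identity static for the user subnet on the shared interface. On a
!    shared interface the context classifier relies on static/global
!    entries to decide which context owns a destination, so server-
!    initiated packets to 192.168.7.x need this entry to reach Context A.
static (zone_users,shared) 192.168.7.0 192.168.7.0 netmask 255.255.255.0
!
! 3. Static route towards the server network via the shared segment.
route shared 192.168.1.0 255.255.255.0 192.168.1.1 1
!
! 4. Server-initiated sessions arrive on the lower-security shared
!    interface and must be explicitly permitted; keep it to what is needed
!    (assumed here: SMB and ICMP echo) rather than permit ip any any.
access-list SHARED_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 445
access-list SHARED_IN extended permit icmp 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 echo
access-group SHARED_IN in interface shared
!
! 5. Dynamic PAT remains only for traffic that genuinely leaves the
!    context; the nat 0 exemption above is matched first for server traffic.
global (shared) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0
```

Verify with `show xlate` (the identity static should appear) and `packet-tracer input shared tcp 192.168.1.10 12345 192.168.7.10 445` from the context, which shows whether the packet is classified into the context and which ACL and NAT rule it hits.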
01-11-2010 03:37 AM
J_Vansen_S wrote:
Hi,
Apparently I point my servers to the gateway on Context B for the internet feed.
I did not use NAT exemption for traffic flowing from zone_users to servers.
Instead I use dynamic PAT:
global (shared) 1 interface
global (zone_users) 1 interface
nat (zone_users) 1 192.168.7.0 255.255.255.0
Are you still having a problem with your setup, or is it fixed?
Jon