02-09-2011 08:44 AM - edited 03-11-2019 12:48 PM
Hi all,
I have a problem with my ASA 5520 in multiple context mode.
We have 4 contexts running; the management interface VLAN 999 is on every context with different IPs configured and works fine.
Today I added the VPN VLAN 2001 to context d and the whole VPN traffic through context a stopped working.
When I take the command allocate-interface GigabitEthernet0/1.2001 out of context d, the VPN traffic on context a works fine again.
Can somebody explain to me why?
system 5520
Cisco Adaptive Security Appliance Software Version 7.0(8)
admin-context admin
context admin
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.999
config-url disk0:/admin.cfg
!
context a
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.800
allocate-interface GigabitEthernet0/1.999
allocate-interface GigabitEthernet0/1.1100
allocate-interface GigabitEthernet0/1.2001
config-url disk0:/a.cfg
!
context b
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.999
allocate-interface GigabitEthernet0/1.1200
config-url disk0:/b.cfg
!
context c
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.999
allocate-interface GigabitEthernet0/1.1250
config-url disk0:/c.cfg
!
context d
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.999
allocate-interface GigabitEthernet0/1.1300-GigabitEthernet0/1.1303
allocate-interface GigabitEthernet0/1.2001
config-url disk0:/d.cfg
BR,
Martin
02-09-2011 08:58 AM
You are sharing the same interface on two contexts. Are you using the same IP on both contexts? Do you have mac-address auto on the system context?
02-09-2011 09:23 AM
Hi Paul,
Yes, I WANT to share the same VLAN 2001 interface on two contexts. It works with VLAN 999; this VLAN interface is on every context with different IPs.
I use different IPs for VLAN 2001 on the two contexts, and I have not configured mac-address auto.
I saw today that I have the same MAC address on multiple VLAN interfaces.
Would the command mac-address auto solve the problem? And what will happen on the other contexts (they are all productive) when I configure mac-address auto on the system context?
BR,
Martin
02-09-2011 09:34 AM
If you are not using the same IP on both interfaces, then mac-address auto is not necessary, since the ASA will use the IP to classify the traffic to the right context.
This VPN traffic that you mention is just passing through the interface, correct? Since VPN is not supported to terminate on an ASA interface in multiple context mode.
Can you describe in more detail how the VPN traffic flows on each context? Is that traffic flowing from inside to outside or outside to inside? Are those source and destination addresses part of both contexts?
I am just trying to understand this scenario.
02-09-2011 10:58 AM
This VPN traffic that you mention is just passing through the interface, correct? Since VPN is not supported to terminate on an ASA interface in multiple context mode.
Correct, the VPN traffic is passing through the context firewall.
My scenario is as follows:
We have one ASA 5510 for VPN service only and one ASA 5520 in context mode with the contexts you can see in the first post.
These two firewalls are connected via a trunk on a 65k.
Context a currently has one inside interface, one outside, one DMZ and one VPN interface (VLAN 2001). Now I have another customer who also wants VPN access, and I want to connect an additional interface (VLAN 2001) to the new context (context d). When I put the VLAN 2001 interface into context d, context a stops passing the VPN traffic through.
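To make the classification point in Paul's reply concrete against Martin's scenario, here is an added illustration (not Cisco code and not from anyone in this thread) of a simplified model of how a multiple-context ASA decides which context owns a frame arriving on a shared subinterface: a uniquely allocated interface wins outright; otherwise a unique per-context MAC (as mac-address auto would provide) decides; otherwise the destination address must be one the context claims on that interface (its own interface IP, or a NAT static/global, collapsed here into a "known" set); anything else is unclassifiable and dropped. The IPs, MACs and the server address are constructed, and the claim set is an assumption standing in for NAT configuration.

```python
from dataclasses import dataclass, field

# All values below are constructed for the illustration; none come from the thread.
GI0_1_2001 = "GigabitEthernet0/1.2001"
INHERITED_MAC = "0000.0000.0001"   # every subinterface shares the parent MAC without 'mac-address auto'
MAC_A, MAC_D = "0000.0000.00aa", "0000.0000.00dd"   # what 'mac-address auto' would hand out (constructed)
SERVER_BEHIND_A = "192.168.10.5"    # constructed host behind context a that the VPN users reach


@dataclass
class Context:
    name: str
    interfaces: dict = field(default_factory=dict)

    def allocate(self, ifname, ip, mac, claimed=()):
        """Allocate a (sub)interface: its MAC plus the addresses this context
        claims on it (interface IP and, simplified, NAT statics/globals)."""
        self.interfaces[ifname] = {"mac": mac, "known": {ip, *claimed}}
        return self


def classify(contexts, ingress_if, dst_mac, dst_ip):
    """Return the owning context name, or None when the frame is unclassifiable."""
    owners = [c for c in contexts if ingress_if in c.interfaces]
    if not owners:
        return None                           # interface allocated to no context
    if len(owners) == 1:
        return owners[0].name                 # unique interface: trivial case
    by_mac = [c for c in owners if c.interfaces[ingress_if]["mac"] == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0].name                 # unique MAC per context decides
    by_ip = [c for c in owners if dst_ip in c.interfaces[ingress_if]["known"]]
    if len(by_ip) == 1:
        return by_ip[0].name                  # destination claimed by exactly one context
    return None                               # ambiguous: dropped


def build(share_vlan2001, unique_macs=False, a_claims=()):
    """Contexts a and d; VLAN 2001 optionally allocated to both, as in Martin's post."""
    a = Context("a").allocate(GI0_1_2001, "10.20.1.1",
                              MAC_A if unique_macs else INHERITED_MAC, a_claims)
    d = Context("d")
    if share_vlan2001:
        d.allocate(GI0_1_2001, "10.20.1.2", MAC_D if unique_macs else INHERITED_MAC)
    return [a, d]


def vpn_passthrough(contexts, dst_mac=INHERITED_MAC):
    """Frame from the VPN ASA arriving on VLAN 2001, addressed to context a's
    gateway MAC and destined to a server behind context a."""
    return classify(contexts, GI0_1_2001, dst_mac, SERVER_BEHIND_A)


def run_scenarios():
    return {
        "vlan2001_only_in_a": vpn_passthrough(build(False)),
        "shared_inherited_mac": vpn_passthrough(build(True)),
        "shared_mac_auto": vpn_passthrough(build(True, unique_macs=True), dst_mac=MAC_A),
        "shared_a_claims_server": vpn_passthrough(build(True, a_claims=(SERVER_BEHIND_A,))),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result or 'DROPPED (unclassifiable)'}")
```

Under this model the frame is classified to context a while VLAN 2001 is unique to a, becomes unclassifiable once context d shares the VLAN with the same inherited MAC and neither context claims the destination, and is classified correctly again either when each context has its own MAC or when context a claims the destination address on the shared interface. The useful check on a real box is whether the shared subinterfaces show identical MAC addresses and whether the through-traffic destinations are covered by NAT in exactly one context.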