
Source and Destination In context Mode

mahesh18
Level 6

Hi Everyone,

I need to learn a basic thing about the ASA when it is in multiple context mode.

Let's say we are given a source and a destination and we need to open port HTTPS to the destination IP.

I went to the switch where the source is connected.

Then I did sh ip route for the source IP address.

It shows the switch learns the source IP from context admin of the ASA.

I also did sh ip route for the destination IP on the same switch.

It shows that it learns the destination IP from context y of the ASA.

I need to know where I should configure the ACL.

My thinking is that I should go to context admin, as the switch is learning the source IP from context admin?

But I need to know the reason for this.

Regards

Mahesh


4 Replies

Jouni Forss
VIP Alumni

Hi,

If you have 2 networks protected by separate Security Contexts you would typically be allowing the traffic on both of the Security Contexts. This is only natural since the traffic will essentially be passing through two different firewalls.

If I understood you correctly there is a network behind context "admin" that needs to access a server with HTTPS that is located behind context "y". This would mean the connection would probably be entering some interface on the context "admin" before heading out to the switch which is connected to both contexts. Therefore the "admin" context needs an ACL rule that allows that connection through its interface which has the source network behind it. Next the connection will arrive on some interface on the context "y" and naturally will also need an ACL rule there to allow the HTTPS traffic coming from the host behind the other context.

It would be a lot clearer if we had a precise picture of the topology. Possibly even the routing tables of each router involved and the configurations of the Security Contexts.

This is because I can't be 100% sure of your setup on the basis of your description.

- Jouni

Hi Jouni,

My problem is that I need to configure the ACL on the ASA, so I need to know which ASA I should go to,

as the source IP is learned from the admin context.

Server A is connected to Switch 1.

Switch 1 learns the Server A subnet via the context admin IP, say 172.17.x.x, which is interface X of the ASA.

I went to the admin context and saw that ASA interface X has IP 172.17.x.x.

On the context admin I did sh route and saw the subnet IP is learned via a static route on interface Y of the ASA.

So this shows that the ASA is learning the source via interface Y of the ASA.

Also this shows that Switch 1 is learning the source via interface X of the ASA.

So my question is, I need to configure the ACL on interface Y of the ASA, right, as this is the source??

Also Jouni, from the above info can you explain to me how the switch is learning the server IP subnet via interface X and the ASA is learning the same IP via interface Y of the ASA?

Thanks

Mahesh

Hi,

On which interface of a context you control the traffic is a matter of preference. But I would have to say that in 99% of the cases you allow the traffic on the firewall interface closest to the source. And in this case, based on your posts, it seems that the "admin" context's interface "Y" is the correct interface on whose ACL you configure the rule to allow the HTTPS traffic.

But as I said, according to your information the destination address for this traffic that we are allowing is located behind yet another context, which makes it logical that you will also have to allow the traffic in that other context, as the traffic will eventually reach that context when it has gone through context "admin".

I am not sure if I understood your final questions correctly, but here goes:

I would imagine that the switch (you are probably referring to an L3 switch) has a static route configured which tells it that the source host is found behind the IP address of context "admin" interface "X".

If you issue the "show ip route" command on the switch it should tell you how the route is learned. If it's a static route it should be mentioned. It should also mention if it's learned by some other means.

On the ASA we are naturally probably dealing with the same things as with the switch. The source host's network is either a directly connected network of the ASA (configured on some ASA interface) OR the ASA has a static route configured that tells the ASA where the source host's network is located.

You should be able to confirm the ASA side with the "show route" command. The letter in front of the correct route should tell if it's a static route, for example, which is identified with the letter "S". The letter "C" would refer to a directly connected network.

- Jouni
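The two-context layout Jouni describes in both of his replies (a rule on the "admin" context's interface closest to the source, a second rule where the flow enters context "y", and "show route" to confirm how each context reaches the source subnet), written out as an ASA configuration fragment. This is an added example and not configuration from the thread: the interface names (inside/outside), the subnets, the server address, the next-hop addresses and the object and ACL names are all assumed for illustration; only the context names "admin" and "y", the ASA interface labels X and Y, and the HTTPS port come from the posts.

```cisco
! Added example, not the thread's configuration. Context "admin": interface Y
! (nameif "inside", assumed) has Server A's subnet behind it via a static route;
! interface X (nameif "outside", assumed) carries the 172.17.x.x address the
! switch routes to. All addresses below are assumed.
changeto context admin
configure terminal
 object network SERVER_A_SUBNET
  subnet 10.1.1.0 255.255.255.0
 object network HTTPS_SERVER
  host 10.2.2.10
 ! Static routes: the source subnet is reached through interface Y (what
 ! "show route" lists with an "S"); the server subnet is reached through the
 ! L3 switch on interface X (switch address on that segment assumed).
 route inside 10.1.1.0 255.255.255.0 10.1.0.1 1
 route outside 10.2.2.0 255.255.255.0 172.17.1.1 1
 ! Allow rule on the interface closest to the source (interface Y), inbound.
 access-list INSIDE_IN extended permit tcp object SERVER_A_SUBNET object HTTPS_SERVER eq 443
 access-group INSIDE_IN in interface inside
end

! The same connection later enters context "y" from the switch, so it needs its
! own rule there: objects, ACLs and routes are per context and not shared.
changeto context y
configure terminal
 object network SERVER_A_SUBNET
  subnet 10.1.1.0 255.255.255.0
 object network HTTPS_SERVER
  host 10.2.2.10
 ! Return path to Server A's subnet goes back to the switch (address assumed).
 route outside 10.1.1.0 255.255.255.0 172.18.1.1 1
 access-list OUTSIDE_IN extended permit tcp object SERVER_A_SUBNET object HTTPS_SERVER eq 443
 access-group OUTSIDE_IN in interface outside
end

! Checks, run in each context: "S" in front of a route means static, "C" means
! directly connected; packet-tracer walks the route lookup and ACL for a
! simulated SYN so a missing rule in either context shows up before testing.
changeto context admin
show route 10.1.1.0
show route 10.2.2.10
packet-tracer input inside tcp 10.1.1.50 40000 10.2.2.10 443
changeto context y
show route 10.1.1.0
packet-tracer input outside tcp 10.1.1.50 40000 10.2.2.10 443
```

The packet-tracer lines are the quickest way to answer the original question: if the trace in "admin" ends in DROP at the ACL phase, the rule belongs on that context's interface Y; if "admin" shows ALLOW but the trace in "y" drops, the second context is the one still missing a rule.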

Hi Jouni,

It all worked fine.

Thanks

Mahesh
