Solved: Tracing Connection in Multi context ASA

mahesh18 · ‎05-24-2013

Hi Everyone,

Trying to trace the path going via the ASA in Multi context Active active Mode.

Need to check the port connection between 2 servers

Server A is connected to switch 1

Server B is connected to Switch 3

Here is topology

Sw1 Sw2 ASA Sw3

ASA has two context 1 and 2 and 1 is admin.

Context 1 has few interfaces.

Interface X of Context 1 has Server A subnet there

Interface Y of context has Server B subnet there.

In other words traffic going from server A to server B goes via interface x and interface y of ASA.

Or we can say that interface x of ASA has connection to Sw2 and interface y has connection to Sw3.

i try to run the packet tracer through the ASDM and CL it failed.

I verify that ASA which i log on is Active for group 1 and context 1 is member of group 1

I used source interface as X is this right interface to choose?

Thanks

Mahesh

Julio Carvajal · ‎05-24-2013

Hello Mahesh,

We are missing a little info

Interface Y of context has Server B subnet there.

You did not specify the context, is it on the same context(I mean context 1 as well)

If that is the case then is just a regular connection across a firewall like it were on single mode,

Make sure you have the right Policies,NAT,ACL in place and u should be good,

Let us know if it's a different context

Regards

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎05-26-2013

Hello Mahesh,

Okey, I did not pay attention to the following

"I tested with existing ACL that allows traffic from source to destination server still packet tracer does not work

gives error Virtual firewall classification failed"

Is any of the interfaces in place being shared between multiple contexts ?

On the NAT statements you have, is there any being used with the keyword "any"

what is the exact version you are running?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎05-27-2013

Traffic from switch 1 goes all the way to SW 3 SVI VLAN say 1 passing via ASA.

Then to reach the destination server B does it touch the ASA or not?

It does not , traffic will reach the switch and it will get routed to the proper SVI, traffic will never reach the ASA.

As per my understanding it should not touch the ASA as SW3 is layer 3 switch and both the source and destination subnets are connected to sw3?

That is correct, it will not flow to the ASA,

Regards,

Remember to rate all of the helpful posts

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎05-24-2013

Hello Mahesh,

We are missing a little info

Interface Y of context has Server B subnet there.

You did not specify the context, is it on the same context(I mean context 1 as well)

If that is the case then is just a regular connection across a firewall like it were on single mode,

Make sure you have the right Policies,NAT,ACL in place and u should be good,

Let us know if it's a different context

Regards

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎05-25-2013

Hi Julio.

The interface Y is also in context 1

When i ran the packet tracer from CLI using source interface as X it do not work

There is ACL that allows the traffic from Source to destination.

But packet tracer does not work

I tested with existing ACL that allows traffic from source to destination server still packet tracer does not work

gives error Virtual firewall classification failed

Thanks

Mahesh

Julio Carvajal · ‎05-25-2013

Hello Mahesh,

Can you share the interface allocation configuration, the show run of that context and the exact packet tracer config and output?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎05-25-2013

Hi Julio,

As packet tracer is even not working for ACL which is configured on the ASA and traffic for that is allowed that shows

some odd behaviour of packet tracer when ASA is configured with Multi context mode.

I fine some these urls about packet tracer in multi context mode.

https://supportforums.cisco.com/thread/2117679

http://www.mail-archive.com/ccie_security@onlinestudylist.com/msg02474.html //www.mail-archive.com/ccie_security@onlinestudylist.com/msg02474.html

Thanks

Mahesh

Julio Carvajal · ‎05-26-2013

Hello Mahesh,

Okey, I did not pay attention to the following

"I tested with existing ACL that allows traffic from source to destination server still packet tracer does not work

gives error Virtual firewall classification failed"

Is any of the interfaces in place being shared between multiple contexts ?

On the NAT statements you have, is there any being used with the keyword "any"

what is the exact version you are running?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎05-26-2013

Hi Julio,

interfaces 0/3 is shared but interfaces x and y are not shared.

IOS is 8.05(28)

Interface X has

nat(X) 0 0.0.0.0.0 0.0.0.0.

Thanks

Mahesh

Julio Carvajal · ‎05-26-2013

Hello,

Okey but X and Y are not logical interfaces derived from ether 0/3 right?

Is there a way you can share the configuration and packet tracer you are doing

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎05-27-2013

Hi Julio,

After doing some more digging i fig out that Both source and destination are under same interface of ASA which is Y.

Interface X is not involved.

Here is update info

Sw3 has SVI VLAN for both the Servers.

Server A which is connected to Switch 1 has SVI VLAN in SW3.

Server B which is connected to Switch 3 has SVI VLAN in SW3.

Both the SVI vlans in SW3 have different subnets.

Need to understand the traffic flow from server A to server B

Traffic from switch 1 goes all the way to SW 3 SVI VLAN say 1 passing via ASA.

Then to reach the destination server B does it touch the ASA or not?

As per my understanding it should not touch the ASA as SW3 is layer 3 switch and both the source and destination subnets are connected to sw3?

Need to confirm with you?

Regards

Mahesh

Julio Carvajal · ‎05-27-2013

Traffic from switch 1 goes all the way to SW 3 SVI VLAN say 1 passing via ASA.

Then to reach the destination server B does it touch the ASA or not?

It does not , traffic will reach the switch and it will get routed to the proper SVI, traffic will never reach the ASA.

As per my understanding it should not touch the ASA as SW3 is layer 3 switch and both the source and destination subnets are connected to sw3?

That is correct, it will not flow to the ASA,

Regards,

Remember to rate all of the helpful posts

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎05-27-2013

Hi Julio,

Many thanks again.

Its always good to have your confirmation.

Regards

Mahesh

Julio Carvajal · ‎05-27-2013

Hello Mahesh,

My pleasure to help,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC