06-25-2013 12:10 AM - edited 03-11-2019 07:02 PM
Hi,
I have been looking for a configuration guide on how to set up one physical trunked interface to be shared between two contexts. I am sure I am just using the wrong search words but have as of yet been unable to find anything on this. Anyone able to provide a link please?
Thanks
06-25-2013 12:35 AM
Hi,
Wouldn't this be possible to configure just by using the 2 Security Contexts and 1 physical interface configured as a trunk between the core and the ASA? Naturally you could even implement EtherChannel/Port-channel to use multiple physical interfaces for the trunk, though you would need 8.4(1) software at minimum for Port-channel support on the ASA.
For example
interface GigabitEthernet0/0
 description TRUNK
interface GigabitEthernet0/0.100
 description SC1 - OUTSIDE
 vlan 100
interface GigabitEthernet0/0.200
 description SC2 - OUTSIDE
 vlan 200
interface GigabitEthernet0/0.10
 description SC1 - INSIDE
 vlan 10
interface GigabitEthernet0/0.20
 description SC2 - INSIDE
 vlan 20
interface GigabitEthernet0/0.12
 description SC1 - SC2 LINK
 vlan 12
context SC1
 description SC1
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.12
 config-url disk0:/SC1.cfg
context SC2
 description SC2
 allocate-interface GigabitEthernet0/0.200
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/0.12
 config-url disk0:/SC2.cfg
Or something along those lines
- Jouni
06-25-2013 12:16 AM
Hi,
Other than wanting to use a single interface/subinterface in multiple contexts, can you elaborate a bit what kind of setup you are trying to achieve?
Generally I would say that you configure Subinterfaces in the System Context of the ASA and attach the required subinterfaces to the Security Contexts. We use shared interface for management/syslog purposes for example.
- Jouni
06-25-2013 12:20 AM
Hi Jouni,
We are setting up 3 contexts one of them being a transport context between the sensitive zone and non-sensitive zone. So we would have 2 physical interfaces for this.
I understand that this is possible I am just having trouble finding documentation on how to configure it. As I said I am most likely using the wrong search words.
Thanks again
06-25-2013 12:38 AM
Yes it would, but the idea is to have a buffer between the two zones and thereby add another layer of security. So if the non-sensitive context is breached, then the attacker won't be able to go directly at the sensitive context but instead must also get through the transport context.
Thanks for the config there. That looks like what I am looking for.
06-25-2013 01:07 AM
Hi,
I have not linked (or had the need to link) 3 Security Contexts before, but I would imagine you could modify the above configuration a bit to achieve that also:
interface GigabitEthernet0/0
 description TRUNK
interface GigabitEthernet0/0.100
 description SC1 - OUTSIDE
 vlan 100
interface GigabitEthernet0/0.200
 description SC2 - OUTSIDE
 vlan 200
interface GigabitEthernet0/0.10
 description SC1 - INSIDE
 vlan 10
interface GigabitEthernet0/0.20
 description SC2 - INSIDE
 vlan 20
interface GigabitEthernet0/0.12
 description SC1 - TRANSIT
 vlan 12
interface GigabitEthernet0/0.21
 description SC2 - TRANSIT
 vlan 21
context TRANSIT
 description SC1 to SC2 TRANSIT SC
 allocate-interface GigabitEthernet0/0.12
 allocate-interface GigabitEthernet0/0.21
 config-url disk0:/TRANSIT.cfg
context SC1
 description SC1
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.12
 config-url disk0:/SC1.cfg
context SC2
 description SC2
 allocate-interface GigabitEthernet0/0.200
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/0.21
 config-url disk0:/SC2.cfg
I am not sure if this would be the way, but that is how I imagined it at the moment.
The setup should look something like this
A totally different matter: would there be a better way to achieve the same as above?
- Jouni
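The point of the transit design above is that the sensitive and non-sensitive contexts never share a subinterface directly, only via TRANSIT. The following checker is an added example, not Jouni's or Cisco's code: it parses the context stanzas of the three-context system config (only the allocate-interface lines are embedded; the subinterface and vlan definitions are omitted) and reports which interfaces are shared between contexts and whether SC1 and SC2 are isolated through the transit context. The same check applied to the earlier two-context config shows that SC1 and SC2 meet directly on GigabitEthernet0/0.12.

```python
import re
from collections import defaultdict

# Context stanzas from the thread's three-context system config (interface
# and vlan definitions omitted; only the allocations matter to this check).
ASA_SYSTEM_CONFIG = """
context TRANSIT
 allocate-interface GigabitEthernet0/0.12
 allocate-interface GigabitEthernet0/0.21
context SC1
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.12
context SC2
 allocate-interface GigabitEthernet0/0.200
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/0.21
"""

def parse_allocations(config):
    """Return {context: set(interfaces)} from 'context' / 'allocate-interface' lines."""
    allocations = defaultdict(set)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"context\s+(\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"allocate-interface\s+(\S+)", line)
        if m and current:
            allocations[current].add(m.group(1))
    return dict(allocations)

def shared_interfaces(allocations):
    """Interfaces allocated to more than one context: {iface: sorted contexts}."""
    owners = defaultdict(set)
    for ctx, ifaces in allocations.items():
        for iface in ifaces:
            owners[iface].add(ctx)
    return {i: sorted(c) for i, c in owners.items() if len(c) > 1}

def isolated_via_transit(allocations, a, b, transit):
    """True when a and b share no interface directly and each meets transit on
    exactly one link, i.e. traffic between them has to traverse the transit context."""
    if allocations[a] & allocations[b]:
        return False
    return (len(allocations[a] & allocations[transit]) == 1
            and len(allocations[b] & allocations[transit]) == 1)
```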
06-25-2013 01:14 AM
Jepp, that was our first design. However, we have limited ports and the budget doesn't allow for the purchase of more ports at the current time.
Thanks for knocking some ideas around with me
06-25-2013 01:32 AM
Hi,
What do you mean with limited ports?
The above configuration only uses a single example interface, GigabitEthernet0/0, which is configured as a trunk (divided into subinterfaces).
Though, as I said, I don't know if this is the best way to implement this, but it should be possible at least.
- Jouni
06-25-2013 01:40 AM
Sorry, my bad, I looked over it too fast and thought there were several different ports.
But in either case, security policy dictates that the secure and non-secure contexts should be using separate physical ports.
06-25-2013 03:31 AM
Hi,
What is the maximum physical interfaces you have available for use?
- Jouni
06-25-2013 03:41 AM
We have 4 10Gig interfaces
06-25-2013 04:06 AM
Hi,
So I guess we are perhaps talking about an ASA5585-X model? Or did the ASA5580 have these interfaces? I have never even seen those models live.
I guess you could use a single physical interface (as subinterfaces) for each normal Security Context and some interface(s) for the Transit Context? Or perhaps include the LAN, WAN and TRANSIT links on each normal Security Context's own physical link as subinterfaces.
I imagined that this would be something of a lower-end model ASA setup, but I guess you are going to have some very heavy-duty use considering the links you are going to use?
We have 5x ASA5585-X and 4x FWSMs in our datacenters and haven't had the need to get the 10Gig licenses yet for the ASAs.
- Jouni