08-29-2011 06:19 AM - edited 03-07-2019 01:57 AM
I am setting up my ASA with two contexts (one for my internal network traffic and one for my guest network traffic). I want to set up a subinterface on my internal context to allow for admin purposes. This subinterface is on a different vlan from the rest of my internal traffic (internal traffic is on vlan 10 and I want my admin traffic on vlan 50). I believe I need to make sure there is a NAT statement to translate the traffic from my internal network to an IP address in the admin network. I also believe I need to add an ACL that allows the traffic from the inside to the admin network (since I only want to allow certain IPs to access the admin network).
When I configure these and try to connect to the admin network I'm not able to get connected. I ran through the packet tracer in ASDM and it looks like identity nat is being used even though I have a specific NAT statement in place.
What do I need to configure for sure to get this to work?
Thanks.
08-29-2011 06:46 AM
Hi,
You can use the management interface or a subinterface.
If you have any modules you can try this:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ssm_ssc.html#wp1113866
Regards,
Alex
08-29-2011 06:59 AM
Right now I have two contexts set up (admin and context A). I have created sub-interfaces on my inside interface of my ASA (one for the admin vlan (vlan 50) and one for the internal traffic vlan (vlan 10)). I have attached both of these interfaces to context A. When I run the packet tracer it looks like my NAT isn't working (it's showing Identity NAT instead of the translation I specified).
I just want to make sure I understand what is necessary to allow for inter-vlan routing on the ASA. Maybe another question would be how do people handle the admin of contexts? Do you just set up one context and then use that to manage everything or do you allow for management of each context individually (kind of a separation of duties)?
Thanks.
08-29-2011 08:08 AM
Have you tried:
same-security-traffic permit inter-interface
This will enable interfaces with same security level to communicate with each other.
You can access each context as admin.
If your networks are on different security levels you need ACL from the lower security level to higher security level.
You cannot use routing protocols with multiple contexts, you must use static routing.
08-29-2011 08:25 AM
They are the same security level. Yeah I tried the same-security-traffic permit inter-interface. I'm wondering if it's related to a routing issue regarding the fact that currently my core switch is my default gateway and it has a route to our existing production ASA. I'm thinking there may be a routing issue going on between these devices which is probably going to be easier to solve once I get this ASA in production and have everyone pointed to it.
Sounds like this could be the problem?
08-29-2011 09:34 AM
Use the "no nat-control" command when using
same-security-traffic permit inter-interface
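The following is a constructed ASA 8.2-style configuration, added here as an illustration and not taken from any reply in this thread, that puts the two suggestions above (same-security-traffic permit inter-interface and no nat-control) together for the scenario the original poster describes: two subinterfaces at the same security level allocated to one context, with only a few inside hosts allowed into the admin VLAN. Interface names, context name, mapped names, IP addresses and the host addresses in the ACL are all assumptions.

```cisco
! --- Added example, not from the thread. Names and addresses are assumed. ---
! System context: create the two VLAN subinterfaces and allocate them to context A
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.50
 vlan 50
context A
 allocate-interface GigabitEthernet0/1.10 inside
 allocate-interface GigabitEthernet0/1.50 admin
 config-url disk0:/contextA.cfg

! Inside context A (mapped interface names from allocate-interface)
interface inside
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
interface admin
 nameif admin
 security-level 100
 ip address 10.0.50.1 255.255.255.0

! Allow two interfaces at the same security level to pass traffic to each other
same-security-traffic permit inter-interface
! On 8.2 and earlier, nat-control requires a NAT rule for every flow;
! disabling it lets untranslated inside<->admin traffic through without
! a static or identity NAT entry for each pair of hosts
no nat-control

! Only named inside hosts may reach the admin VLAN; everything else bound for
! 10.0.50.0/24 is dropped, and other inside traffic is left alone
access-list inside_to_admin extended permit ip host 10.0.10.20 10.0.50.0 255.255.255.0
access-list inside_to_admin extended permit ip host 10.0.10.21 10.0.50.0 255.255.255.0
access-list inside_to_admin extended deny ip any 10.0.50.0 255.255.255.0
access-list inside_to_admin extended permit ip any any
access-group inside_to_admin in interface inside

! Check what the firewall actually does with a flow instead of guessing
packet-tracer input inside tcp 10.0.10.20 40000 10.0.50.10 22 detailed
```

The packet-tracer line at the end is the same check the original poster used in ASDM; run it after each change so the phase that drops or translates the flow is visible. Note that this only covers the firewall itself: if the client subnet's default gateway is a core switch that routes 10.0.50.0/24 elsewhere, return traffic will still not come back through the ASA, which is the routing point raised later in the thread.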
08-29-2011 10:42 AM
Not sure this is your issue but -
your client traffic coming to the management interface on the ASA will be routed back via the inside interface because presumably you have a route for the client subnet via the core switch?
If so then you have 3 options.
1) If your core switch happens to be a 6500 then you can NAT your source IPs to a specific IP if going to the management interface and then have a host route on the ASA for that IP pointing back out of the management interface
or
2) you can use a dedicated subnet for managing the ASA and have a specific route for this subnet back out of the management interface. The obvious problem with this is you need dedicated PCs etc. for managing the ASA so it's not particularly practical.
or
3) have a dedicated context for the management interface only so it has its own routing table.
Jon
08-29-2011 03:51 PM
What is your ASA model and licence?
If you want to manage the ASA from a specific vlan (e.g. VLAN 50 which you use throughout your organization and is the management hosts vlan), add a subinterface with this vlan, ip address, nameif and the "management-only" command. You can look it up in the following command reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2112283
If you do not have a specific vlan for management, why would you create one only for this ASA and NAT, ACL etc.? You can just point out the addresses of the management hosts.
E.g. # ssh 172.16.1.1 255.255.255.255 inside
If you have specific design which you are trying to implement please provide a diagram and/or some part of the config.
Regards,
Alex
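To make the management-only suggestion above concrete, here is a constructed context configuration, added as an example and not taken from this thread or from Cisco's documentation, for a VLAN 50 subinterface that accepts connections to the ASA itself and nothing else, with SSH and ASDM limited to two named management hosts. It assumes the system context has already allocated a VLAN 50 subinterface to this context under the mapped name "admin"; the addresses, username and password placeholder are assumptions.

```cisco
! --- Added example, not from the thread. Addresses and names are assumed. ---
! Inside the internal-network context: a subinterface for management only.
! "management-only" means no through-traffic is routed over this interface,
! so it cannot become a path between VLAN 50 and the rest of the inside network.
interface admin
 nameif admin
 security-level 100
 ip address 10.0.50.1 255.255.255.0
 management-only

! Only two named hosts may open SSH or ASDM, and only via the admin interface
ssh 10.0.50.10 255.255.255.255 admin
ssh 10.0.50.11 255.255.255.255 admin
ssh timeout 10
ssh version 2
http server enable
http 10.0.50.10 255.255.255.255 admin
http 10.0.50.11 255.255.255.255 admin

! Local account for the people who only need this context; the admin/system
! context stays reachable for those who manage the whole box.
! CHANGE_ME_PLACEHOLDER is a placeholder, not a real password.
username webfilter-ops password CHANGE_ME_PLACEHOLDER privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
```

Because the interface is management-only, the ASA does not need any NAT or inter-interface permit for hosts in VLAN 50 to reach it, and the ssh/http host lists act as the access control. The same host restriction can be applied on the "inside" interface instead (as in the ssh example above) if no dedicated management VLAN exists.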
08-30-2011 11:34 AM
I want to keep the original admin context for management and that is working fine. My original thought was that I would set up a specific interface on my internal network context for management purposes only. The reason being I don't want people who don't know how contexts work in the admin context trying to figure out how to look something up. These people don't need access to all contexts. They only need access to the internal network context to add/remove ACLs when testing to see if our web filtering software is blocking access to sites (sometimes we don't always get a block message). I figured it would be easier/safer to give them the IP address of the interface that is on the management vlan.
Thanks.