Solved

ASA with Multiple Contexts Accessing Shared Outside Interface

Posted on 2011-09-23
1,730 Views
Last Modified: 2012-05-12
I am setting up a new ASA and I have configured it for multiple contexts. I created subinterfaces for each physical interface (including the inside and outside). All physical interfaces have been plugged into trunk ports. I have configured all with VLANs in the system context and have assigned the appropriate subinterfaces to my contexts. Each subinterface has an IP address appropriate for the network it is attached to. On one of my contexts I have set up ACLs and NAT to allow traffic from my inside network to my test network, DMZ and outside. I have configured a NAT rule for inside to outside access that PATs the IP address to a public IP address. I have set up a PC with the IP address of my inside interface on one of my contexts as the default gateway.

 
When I try to access my DMZ and my test network I have no issues. However, when I try to access the Internet it's like nothing is getting routed out. I have set up the default route to our ISP's router (which is the same way we have the existing ASA set up). If I run through the packet tracer the ASA says that the packet is allowed out.

 
I've been trying to figure out what I'm missing that would prevent traffic from accessing the Internet. Can anyone help?

 
Thanks
Question by:snowmizer
18 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589052
Are you sharing the outside interface between the contexts?
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589078
If so, you may have a MAC address overlap issue. See http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1145162 about Unique MAC Addresses.
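jmeggers' point above is that an interface allocated to more than one context presents the same MAC address in every context unless the system context generates (or you assign) unique ones. The following is an added example, not code from this thread or from Cisco: it reads a system execution space config, finds interfaces that appear in the allocate-interface list of more than one context, and flags them when mac-address auto is absent. The sample config is constructed, and the parser handles only the simple allocate-interface <ifname> [mapped-name] form (ranges are not expanded); it also checks only for mac-address auto, not for per-interface manual MAC assignments.

```python
import re
from typing import Dict, List

# Constructed sample of an ASA system execution space config (not the asker's):
# both contexts are given GigabitEthernet0/0 and 'mac-address auto' is missing.
SAMPLE_SYSTEM_CONFIG = """\
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.10
 vlan 10
!
interface GigabitEthernet0/1.20
 vlan 20
!
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.10 inside
  config-url disk0:/admin.cfg
!
context test
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.20 inside
  config-url disk0:/test.cfg
!
"""


def context_allocations(config: str) -> Dict[str, List[str]]:
    """Map each 'context NAME' block to the interfaces allocated to it.

    Assumption of this example: only 'allocate-interface <ifname> [mapped-name]'
    is parsed; interface ranges are not expanded.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^context (\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif line == "!":
            current = None
        elif current is not None and line.startswith("allocate-interface "):
            result[current].append(line.split()[1])
    return result


def shared_interfaces(config: str) -> Dict[str, List[str]]:
    """Interfaces allocated to more than one context, with the contexts using them."""
    users: Dict[str, List[str]] = {}
    for ctx, ifaces in context_allocations(config).items():
        for iface in ifaces:
            users.setdefault(iface, []).append(ctx)
    return {iface: ctxs for iface, ctxs in users.items() if len(ctxs) > 1}


def has_auto_mac(config: str) -> bool:
    """True if the system context generates unique MACs for shared interfaces."""
    return any(line.strip() == "mac-address auto" for line in config.splitlines())


def audit_shared_interfaces(config: str) -> List[str]:
    """Findings: shared interfaces that would present one MAC in every context."""
    if has_auto_mac(config):
        return []
    return [
        f"{iface} is shared by contexts {', '.join(ctxs)} but 'mac-address auto' is not set"
        for iface, ctxs in shared_interfaces(config).items()
    ]


if __name__ == "__main__":
    for finding in audit_shared_interfaces(SAMPLE_SYSTEM_CONFIG):
        print(finding)
```

Feed it the sanitized system-context output that Ironmannen asks for further down; an empty finding list means either nothing is shared or unique MACs are being generated, which is what the asker already had with mac-address auto.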
 

Author Comment

by:snowmizer
ID: 36590962
I am sharing the outside interface between contexts. I issued the "mac-address auto" command in the system context when I was initially configuring the contexts. Is there something else I need to do?

Thanks.
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36592137
Have you tried using the capture function? It is like packet-tracer but collects the real packets flowing, which can help you to spot errors. Here is an article on the subject: Troubleshooting traffic through a Cisco ASA: using the capture feature.
 

Author Comment

by:snowmizer
ID: 36595359
Yeah I have. I'm not seeing packets coming into the outside interface or out of the outside interface even though it shows as up.
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36597494
Can you post the following:
* sanitized config from system
* sanitized config from your context
* show interface <outside> from system
* show interface <outside> from context
* output of packet tracer
* if your firewall is Internet connected, ping 8.8.8.8 from your context, otherwise some other address you know on your outside
* then do the same from an inside host with a capture on your inside and outside
 

Author Comment

by:snowmizer
ID: 36599259
I'll see if I can get configs I can post. One thing I did notice though is that if I do a "show arp" I see all records for all of my interfaces EXCEPT my outside interface. Could this be related to an arp issue?
 

Author Comment

by:snowmizer
ID: 36599479
Could the VLAN on my outside interface be causing the issue? I've got the outside interface plugged into a trunk port on my switch and my understanding is that a trunk port will forward traffic on all VLANs.
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36601121
Hello
Of course the VLANs can cause an error; if you add the switch configuration for the port to the above we will see.
Allowing all VLANs is (almost) never a good idea from a security perspective. If you are running Cisco equipment and you have VLAN 10 and 20 on your trunk then you issue the following commands on your switch port:
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

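Ironmannen's recommendation to prune trunks to an explicit VLAN list is something you can check for across a set of switch configs rather than port by port. The following is an added example, not code from this thread or from Cisco: it splits an IOS-style running config into interface blocks (the command syntax Ironmannen quoted), reports trunk ports that have no "switchport trunk allowed vlan" list and therefore carry every VLAN, and answers the asker's other question of whether a given VLAN is actually carried on a given port. The sample config is constructed; the allowed-VLAN parser handles plain numeric lists and ranges only and treats keyword forms (add, remove, except, all) as the default of all VLANs.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample IOS switch config (not from the thread): one trunk with no
# allowed-VLAN list, one pruned trunk, one access port.
SAMPLE_SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to ASA outside
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to ASA dmz
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/3
 description user port
 switchport mode access
 switchport access vlan 30
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented config lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def allowed_vlans(lines: List[str]) -> Optional[Set[int]]:
    """VLAN IDs a trunk allows; None means the default (every VLAN).

    Assumption of this example: only 'switchport trunk allowed vlan 10,20,30-35'
    style lists are parsed; add/remove/except/all forms fall back to None.
    """
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            vlans: Set[int] = set()
            for part in m.group(1).split(","):
                if "-" in part:
                    lo, hi = part.split("-")
                    vlans.update(range(int(lo), int(hi) + 1))
                else:
                    vlans.add(int(part))
            return vlans
    return None


def trunks_without_pruning(config: str) -> List[str]:
    """Trunk ports that carry every VLAN because no allowed-VLAN list is set."""
    return [
        name
        for name, lines in parse_interfaces(config).items()
        if "switchport mode trunk" in lines and allowed_vlans(lines) is None
    ]


def trunk_carries(config: str, iface: str, vlan: int) -> bool:
    """True if the named port is a trunk and the VLAN is permitted on it."""
    lines = parse_interfaces(config).get(iface, [])
    if "switchport mode trunk" not in lines:
        return False
    allowed = allowed_vlans(lines)
    return allowed is None or vlan in allowed


if __name__ == "__main__":
    print("unpruned trunks:", trunks_without_pruning(SAMPLE_SWITCH_CONFIG))
    print("Gi0/2 carries VLAN 30:", trunk_carries(SAMPLE_SWITCH_CONFIG, "GigabitEthernet0/2", 30))
```

This only reads a saved configuration, so it works on the sanitized config dumps Ironmannen asked for; on a web-managed switch like the asker's Catalyst Express 500, where these commands are not exposed, it has nothing to parse.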
 

Author Comment

by:snowmizer
ID: 36601165
Unfortunately the switch is a Catalyst Express 500 series switch so I'm limited in what I can do. I thought maybe I needed to add the vlan to the switch so that it knew what VLANs are allowed but that didn't work either.

I looked at how my DMZ switch is set up and this switch matches exactly as far as the type of port and trunk port configuration.

My thought is that it's got to be something on either the switch or the ISP's router that's blocking this, since the ASA can't ping the ISP's router either.
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36601178
Yes, it could be, but you say that you do not see the traffic leaving the ASA when capturing, and you would see that traffic if it were blocked outside the ASA.
 

Author Comment

by:snowmizer
ID: 36601384
Sounds like a routing issue getting out of the ASA when it's got to go through the outside interface on the ASA. I have the "route outside 0.0.0.0 0.0.0.0 1.2.3.4" (where 1.2.3.4 is the ISP's router IP address and matches the route in the existing ASA). Is there something different that has to be done with the default gateway route when using multiple contexts?
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36601439
No, you use the routing in the contexts just as you would have done in a single-context environment.
 

Author Comment

by:snowmizer
ID: 36601448
So the route statement in my context is correct. Hummmmm.....
 

Accepted Solution

by:snowmizer (earned 0 total points)
ID: 36711709
Figured out the issue was related to the fact that I had sub-interfaces configured on my outside interface. Once I removed these and shared the outside interface between contexts I was able to browse web pages on the Internet.

Thanks.
 
LVL 7

Expert Comment

by:Ironmannen
ID: 36712147
OK, good luck.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37068342
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.