
ASA with Multiple Contexts Accessing Shared Outside Interface

I am setting up a new ASA and I have configured it for multiple contexts. I created subinterfaces for each physical interface (including the inside and outside). All physical interfaces have been plugged into trunk ports. I have configured all with VLANs in the system context and have assigned the appropriate subinterfaces to my contexts. Each subinterface has an IP address appropriate for the network it is attached to. On one of my contexts I have set up ACLs and NAT to allow traffic from my inside network to my test network, DMZ and outside. I have configured a NAT rule for inside to outside access that PATs the IP address to a public IP address. I have set up a PC with the IP address of my inside interface on one of my contexts as the default gateway.

 
When I try to access my DMZ and my test network I have no issues. However, when I try to access the Internet it's like nothing is getting routed out. I have set up the default route to our ISP's router (which is the same way we have the existing ASA set up). If I run through the packet tracer the ASA says that the packet is allowed out.

 
I've been trying to figure out what I'm missing that would prevent traffic from accessing the Internet. Can anyone help?

 
Thanks
Asked by: snowmizer
1 Solution
 
jmeggers (Sr. Network and Security Engineer) commented:
Are you sharing the outside interface between the contexts?

jmeggers (Sr. Network and Security Engineer) commented:
If so, you may have a MAC address overlap issue. See http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1145162 about Unique MAC Addresses.

snowmizer (author) commented:
I am sharing the outside interface between contexts. I issued the "mac-address auto" command in the system context when I was initially configuring the contexts. Is there something else I need to do?

Thanks.
 
Ironmannen commented:
Have you tried using the capture function? It's like packet-tracer, but it collects the real packets flowing, which can help you spot errors. Here is an article on the subject: Troubleshooting traffic through a Cisco ASA: using the capture feature

snowmizer (author) commented:
Yeah, I have. I'm not seeing packets coming into the outside interface or out of the outside interface even though it shows as up.

Ironmannen commented:
Can you post the following:
* sanitized config from system
* sanitized config from your context
* show interface <outside> from system
* show interface <outside> from context
* output of packet tracer
* if your firewall is internet connected, ping 8.8.8.8 from your context; otherwise some other address you know on your outside
* then do the same from an inside host with a capture on your inside and outside

snowmizer (author) commented:
I'll see if I can get configs I can post. One thing I did notice though is that if I do a "show arp" I see all records for all of my interfaces EXCEPT my outside interface. Could this be related to an ARP issue?

snowmizer (author) commented:
Could the VLAN on my outside interface be causing the issue? I've got the outside interface plugged into a trunk port on my switch and my understanding is that a trunk port will forward traffic on all VLANs.

Ironmannen commented:
Hello
Of course the VLANs can cause an error; if you add the switch configuration for the port to the above, we will see.
Allowing all VLANs is (almost) never a good idea from a security perspective. If you are running Cisco equipment and you have VLAN 10 and 20 on your trunk, then you issue the following commands on your switch port:
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

snowmizer (author) commented:
Unfortunately the switch is a Catalyst Express 500 series switch, so I'm limited in what I can do. I thought maybe I needed to add the VLAN to the switch so that it knew what VLANs are allowed, but that didn't work either.

I looked at how my DMZ switch is set up and this switch matches exactly as far as the type of port and trunk port configuration.

My thought is that it's got to be something on either the switch or the ISP's router that's blocking this, since the ASA can't ping the ISP's router either.

Ironmannen commented:
Yes, it could be, but you say that you do not see the traffic leaving the ASA when capturing, and you would see that traffic if it were blocked outside the ASA.

snowmizer (author) commented:
Sounds like a routing issue getting out of the ASA when it's got to go through the outside interface on the ASA. I have the "route outside 0.0.0.0 0.0.0.0 1.2.3.4" (where 1.2.3.4 is the ISP's router IP address and matches the route in the existing ASA). Is there something different that has to be done with the default gateway route when using multiple contexts?

Ironmannen commented:
No, you use the routing in the contexts like you should have done in a single-context environment.

snowmizer (author) commented:
So the route statement in my context is correct. Hummmmm.....

snowmizer (author) commented:
Figured out the issue was related to the fact that I had sub-interfaces configured on my outside interface. Once I removed these and shared the outside interface between contexts I was able to browse web pages on the Internet.

Thanks.
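For readers landing on this thread with the same symptom, here is what the working layout described in the accepted fix and in jmeggers' MAC-address pointer looks like in configuration form. This is an added illustration, not the poster's sanitized config; the context names (ctxA, ctxB), interface IDs, VLAN numbers and the 1.2.3.0/29 public addresses are assumptions, with 1.2.3.4 kept as the ISP router address the poster quoted.

```cisco
! ---- System execution space (added example, assumed layout) ----
! Assumed: two contexts ctxA and ctxB share the physical outside
! interface GigabitEthernet0/0 untagged (no per-context VLAN
! subinterface on the outside, which is what the poster removed).
! Inside networks stay on VLAN subinterfaces of GigabitEthernet0/1.
!
! Each context must present its own MAC on a shared interface; the ASA
! classifies an inbound frame to a context by destination MAC first.
! Without this it falls back to destination-IP/NAT lookups, which is
! exactly the "MAC address overlap" situation jmeggers referred to.
mac-address auto
!
interface GigabitEthernet0/0
 description outside, shared by all contexts
 no shutdown
!
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctxA.cfg
!
context ctxB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctxB.cfg
!
! ---- Inside context ctxA ("changeto context ctxA") ----
! Every context sharing the outside interface needs its own address
! in the same upstream subnet; 1.2.3.5 is a constructed value.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.5 255.255.255.248
!
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! The default route is configured per context, not in the system
! space, as Ironmannen said; 1.2.3.4 is the ISP router from the thread.
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
!
! ---- Context ctxB: same pattern, its own outside address ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.6 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
!
! ---- Checks, in the order the thread used them ----
! System space:   show context
!                 show interface GigabitEthernet0/0
! In a context:   ping outside 1.2.3.4
!                 show arp           (ISP router should now appear on outside)
!                 capture c1 interface outside
!                 show capture c1    (frames should be visible in both directions)
```

The point worth checking before blaming the switch or the ISP is the last block: with a shared outside interface, an empty "show arp" for outside together with an empty capture on outside (what the poster saw) means frames never left the ASA, and the context-to-interface allocation and per-context MAC assignment are the first things to verify.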

Ironmannen commented:
OK, good luck.

Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.