Status: Solved

ASA virtual firewall

I have a customer who wants to set up a test environment with servers that are on the same IP but in different VLANs.
I'm proposing a virtual firewall from ASA. The question is, can I have 2 virtual firewalls where both inside interfaces are on the same IP?
Then I will do NAT for both servers to communicate.
It would be best if you can provide any link as reference...
Thanks in advance
Asked by: hell_angel
2 Solutions
 
btan (Exec Consultant) commented:
This has a related, useful discussion, and below is the relevant info extracted from the Cisco docs (the last link, on the classifier, will be more useful and is probably what you are looking for).
https://learningnetwork.cisco.com/thread/9864

Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can assign the same IP address to multiple interfaces in a different context. Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul

If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface.

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172

hell_angel (Engineer, Author) commented:
Thanks, what does "multiple contexts" from your explanation mean...???

btan (Exec Consultant) commented:
See this :)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1035807

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
hell_angel (Engineer, Author) commented:
For the virtual firewall thingy, can I have Ethernet 1 for virtual firewall 1 and Ethernet 2 for virtual firewall 2?

Does the Cisco VF concept work that way?

hell_angel (Engineer, Author) commented:
From what the document said...
"You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. "

Does it mean that a context = a virtual firewall?
From diagram 4.2, this should answer my query, right?

So I can have multiple contexts in the same subnet and use NAT for them to intercommunicate, right?

btan (Exec Consultant) commented:
Fig. 4.1 or 4.2 should be able to provide it, either based on MAC or on NAT (destination IP). But there is a caveat: a shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can define multiple security "contexts" on a single security appliance. Each context operates as an independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts are similar to having multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management. Some features are not supported; for example, VPN, multicast, and dynamic routing protocols; security contexts support only static routes; and you cannot enable OSPF or RIP in multiple-context mode. Also, some features are not directly managed by Cisco Security Manager, such as the IPS feature set in ASA and PIX.


http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxcontexts.html
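
As an added example, not taken from the thread or from the Cisco documents it links, the following configuration sketches how the arrangement described in the answers would be laid out on an ASA in multiple-context mode: each context gets its own unshared inside subinterface (one per VLAN), so both can carry the same inside IP; the single shared outside interface gets a unique IP per context plus a unique MAC (via `mac-address auto`); and a static NAT gives each duplicate server a distinct address on the shared segment. The context names, interface numbers, VLAN IDs and addresses are constructed for illustration; the NAT and access-list syntax is the pre-8.3 style matching the ASA 8.0 documentation linked above, and `mode multiple` is assumed to be already set.

```cisco
! ===== System execution space (ASA 8.0-era syntax assumed; "mode multiple" already set) =====
! Give each context's copy of a shared interface a distinct MAC address, so the
! classifier sorts incoming frames by destination MAC instead of falling back to the
! destination-IP lookup that depends on the NAT configuration.
mac-address auto
!
! One unshared inside subinterface per VLAN / context, one shared outside port.
! (Interface numbers and VLAN IDs are constructed.)
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
!
context ctx1
 allocate-interface GigabitEthernet0/0.10 inside_ctx1
 allocate-interface GigabitEthernet0/1 outside_shared
 config-url disk0:/ctx1.cfg
!
context ctx2
 allocate-interface GigabitEthernet0/0.20 inside_ctx2
 allocate-interface GigabitEthernet0/1 outside_shared
 config-url disk0:/ctx2.cfg
!
! ===== disk0:/ctx1.cfg (VLAN 10) =====
! The inside IP may match ctx2's: this subinterface belongs to ctx1 alone.
interface inside_ctx1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
! The outside IP must be unique per context; a duplicate here is the
! ARP conflict the thread quotes.
interface outside_shared
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
! Server 192.168.10.10 in VLAN 10 is reachable on the shared segment as 203.0.113.21.
static (inside,outside) 203.0.113.21 192.168.10.10 netmask 255.255.255.255
! Admit only the peer server's translated address (pre-8.3: the ACL names the global IP).
access-list outside_in extended permit ip host 203.0.113.22 host 203.0.113.21
access-group outside_in in interface outside
!
! ===== disk0:/ctx2.cfg (VLAN 20) =====
interface inside_ctx2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface outside_shared
 nameif outside
 security-level 0
 ip address 203.0.113.12 255.255.255.0
! The second server, also 192.168.10.10 but in VLAN 20, appears as 203.0.113.22.
static (inside,outside) 203.0.113.22 192.168.10.10 netmask 255.255.255.255
access-list outside_in extended permit ip host 203.0.113.21 host 203.0.113.22
access-group outside_in in interface outside
```

The server in VLAN 10 reaches its twin by addressing 203.0.113.22, never 192.168.10.10: ctx1 translates the source to 203.0.113.21, the frame leaves ctx1's outside toward ctx2's outside MAC, the classifier hands it to ctx2 on that MAC, and ctx2's static undoes the translation to its own 192.168.10.10. Without `mac-address auto` (or a manual `mac-address` under each context's outside interface), classification on the shared port would depend on the destination-IP lookup described in the first answer, which is why the unique-MAC step is the one not to skip.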
 
hell_angel (Engineer, Author) commented:
n/a