Solved

asa virtual firewall

Posted on 2013-06-28
462 Views
Last Modified: 2013-07-07
I have a customer who wants to set up a test environment with servers that have the same IP but are in different VLANs.
I'm proposing a virtual firewall on the ASA. The question is, can I have 2 virtual firewalls where both inside interfaces have the same IP?
Then I will do NAT for both servers to communicate.
It would be best if you can provide any link as a reference...
Thanks in advance
Question by:hell_angel
7 Comments
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39286308
This thread has a related, useful discussion, and below is the relevant info extracted from the Cisco docs (the last link, on the classifier, will be more useful and is probably what you are looking for):
https://learningnetwork.cisco.com/thread/9864

Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can assign the same IP address to multiple interfaces in a different context. Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul

If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface.

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172
Author Comment

by:hell_angel
ID: 39286719
Thanks. What does "multiple contexts" in your explanation mean?
LVL 65

Expert Comment

by:btan
ID: 39286722
See this :)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1035807

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
Author Comment

by:hell_angel
ID: 39286725
For the virtual firewall thing, can I have Ethernet 1 for virtual firewall 1 and Ethernet 2 for virtual firewall 2?

Does the Cisco VF concept work that way?
Author Comment

by:hell_angel
ID: 39286752
From the document it says:
"You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. "

Does it mean that a context = a virtual firewall?
From diagram 4.2, this should answer my query, right?

So I can have multiple contexts in the same subnet and use NAT for them to intercommunicate, right?
LVL 65

Accepted Solution

by:btan
btan earned 2000 total points
ID: 39287837
Fig 4.1 or 4.2 should be able to provide it, either based on MAC or on NAT (destination IP). But there is a caveat: a shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can define multiple security "contexts" on a single security appliance. Each context operates as an independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts are similar to having multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management. Some features are not supported; for example, VPN, multicast, and dynamic routing protocols; security contexts support only static routes; and you cannot enable OSPF or RIP in multiple-context mode. Also, some features are not directly managed by Cisco Security Manager, such as the IPS feature set in ASA and PIX.


http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxcontexts.html
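The layout the thread converges on, written out as an added example (this is not from the original thread or from the Cisco documents linked above, and every context name, interface number, address, MAC value and object name below is an assumption): two security contexts whose inside interfaces are separate VLAN subinterfaces, so both can carry the same inside IP; one shared outside interface with a distinct MAC address per context, so the classifier sorts frames by MAC instead of falling back to the NAT-derived destination-IP lookup described in the first answer; and distinct outside IPs plus static NAT so the two identically-addressed servers can reach each other through the shared segment, which is the constraint from the accepted solution. NAT lines use the ASA 8.3+ object syntax.

```cisco
! ---- System execution space (assumed interface numbers) ----
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! ctxA owns VLAN 10 exclusively; ctxB owns VLAN 20 exclusively.
! GigabitEthernet0/1 is allocated to both, i.e. it is the shared interface.
context ctxA
  allocate-interface GigabitEthernet0/0.10 inside
  allocate-interface GigabitEthernet0/1 outside
  config-url disk0:/ctxA.cfg
!
context ctxB
  allocate-interface GigabitEthernet0/0.20 inside
  allocate-interface GigabitEthernet0/1 outside
  config-url disk0:/ctxB.cfg
!
! ---- Context ctxA (disk0:/ctxA.cfg) ----
hostname ctxA
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface outside
 nameif outside
 security-level 0
 ip address 10.0.0.11 255.255.255.0
 mac-address 0200.0000.0a01
!
! Server A is 192.168.1.10 on VLAN 10; reachable from the shared segment as 10.0.0.110.
object network srvA
 host 192.168.1.10
 nat (inside,outside) static 10.0.0.110
access-list OUTSIDE_IN extended permit ip any object srvA
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! ---- Context ctxB (disk0:/ctxB.cfg) ----
hostname ctxB
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface outside
 nameif outside
 security-level 0
 ip address 10.0.0.12 255.255.255.0
 mac-address 0200.0000.0b01
!
! Server B is also 192.168.1.10, but on VLAN 20; reachable from the shared segment as 10.0.0.120.
object network srvB
 host 192.168.1.10
 nat (inside,outside) static 10.0.0.120
access-list OUTSIDE_IN extended permit ip any object srvB
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1
```

Server A talks to server B by connecting to 10.0.0.120: ctxA translates A's source to 10.0.0.110 and forwards the packet onto the shared outside segment, ctxB answers the ARP for its static NAT address with its own MAC (0200.0000.0b01), so the classifier hands the frame to ctxB, which untranslates the destination to 192.168.1.10 on VLAN 20. The two points the thread makes are visible in the config: the inside addresses may collide because those interfaces are not shared, while the outside addresses (10.0.0.11 and 10.0.0.12) must differ because that interface is. Instead of hard-coding a `mac-address` under each context's outside interface, `mac-address auto` in the system configuration generates unique per-context MACs for shared interfaces; without either, the classifier has only the NAT statements to decide which context a frame for 10.0.0.120 belongs to.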
Author Closing Comment

by:hell_angel
ID: 39305467
n/a