Solved

ASA virtual firewall

Posted on 2013-06-28
Medium Priority
454 Views
Last Modified: 2013-07-07
I have a customer who wants to set up a test environment with servers that are on the same IP but in different VLANs.
I'm proposing a virtual firewall from ASA. The question is: can I have 2 virtual firewalls where both inside interfaces are on the same IP?
Then I will do NAT for both servers to communicate.
It would be best if you can provide any link as reference...
Thanks in advance
Question by:hell_angel
7 Comments
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39286308
This has a related useful discussion, and below is relevant info extracted from the Cisco docs (the last link, on the classifier, will be more useful and is probably what you are looking for):
https://learningnetwork.cisco.com/thread/9864

Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can assign the same IP address to multiple interfaces in a different context. Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul

If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface.

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172
 

Author Comment

by:hell_angel
ID: 39286719
Thanks. "Multiple contexts" from your explanation meant...???
 
LVL 65

Expert Comment

by:btan
ID: 39286722
See this :)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1035807

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
 

Author Comment

by:hell_angel
ID: 39286725
For the virtual firewall thingy, can I have Ethernet 1 for virtual firewall 1 and Ethernet 2 for virtual firewall 2?

Does the Cisco VF concept work that way?
 

Author Comment

by:hell_angel
ID: 39286752
From the document it said..
"You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. "

Does it mean the context = a virtual firewall?
From diagram 4.2, this should answer my query, right?

Which means I can have multiple contexts in the same subnet and use NAT for them to intercommunicate, right?
 
LVL 65

Accepted Solution

by:btan
btan earned 2000 total points
ID: 39287837
Fig 4.1 or 4.2 should be able to provide it, either based on MAC or on NAT (dest IP). But there is a caveat: a shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can define multiple security "contexts" on a single security appliance. Each context operates as an independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts are similar to having multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management. Some features are not supported; for example, VPN, multicast, and dynamic routing protocols; security contexts support only static routes; and you cannot enable OSPF or RIP in multiple-context mode. Also, some features are not directly managed by Cisco Security Manager, such as the IPS feature set in ASA and PIX.
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxcontexts.html
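As an added example (not part of the thread or of Cisco's documentation), this is the shape of a configuration that does what the accepted answer and the first answer describe: two contexts share one outside interface, each with its own MAC address so the classifier can separate their traffic, each has its own inside VLAN subinterface carrying the same inside IP, and static NAT gives the two servers distinct outside addresses so they can reach each other. Context names, interface names, VLAN IDs, addresses and file names are constructed placeholders, and the NAT lines use ASA 8.3+ object NAT syntax.

```cisco
! --- System execution space (constructed example, not from the thread) ---
mode multiple
!
! Give every shared interface a unique MAC per context. Without this,
! the classifier falls back to a destination-IP lookup driven by the NAT
! configuration, so an unmapped destination cannot be classified.
mac-address auto
!
interface GigabitEthernet0/0
 description shared outside segment (one LAN, two virtual firewalls)
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context lab1
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/lab1.cfg
!
context lab2
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/lab2.cfg
!
! --- disk0:/lab1.cfg (lab2 is identical except for the two lines marked) ---
interface outside
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
! lab2 uses 192.168.100.2: the same IP on a SHARED interface is rejected
interface inside
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! lab2 can also use 10.0.0.1 here: the inside interfaces are not shared
!
object network SRV
 host 10.0.0.10
 nat (inside,outside) static 192.168.100.11
! lab2 maps its own 10.0.0.10 to 192.168.100.12 so the two servers can
! reach each other through the outside segment
```

The per-context alternative to `mac-address auto` is a manual `mac-address H.H.H` under the shared interface inside each context; either way, the two MACs on the shared segment must differ.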
 

Author Closing Comment

by:hell_angel
ID: 39305467
n/a