Solved

asa virtual firewall

Posted on 2013-06-28
405 Views
Last Modified: 2013-07-07
I have a customer who wants to set up a test environment with servers that have the same IP but are in different VLANs.
I'm proposing a virtual firewall from ASA. The question is: can I have 2 virtual firewalls where both inside interfaces have the same IP?
Then I will do NAT for both servers to communicate.
It is best if you can provide any link as reference...
Thanks in advance
Question by:hell_angel

7 Comments
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
This has a related useful discussion, and below is the relevant info extracted from the Cisco docs (the last link, on the classifier, will be more useful and is probably what you are looking for):
https://learningnetwork.cisco.com/thread/9864

Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can assign the same IP address to multiple interfaces in a different context. Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul

If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface.

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172

Author Comment

by:hell_angel
Thanks. "Multiple contexts" from your explanation means...???
LVL 61

Expert Comment

by:btan
See this :)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1035807

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Author Comment

by:hell_angel
For the virtual firewall thingy, can I have Ethernet 1 for virtual firewall 1 and Ethernet 2 for virtual firewall 2?

Does the Cisco VF concept work that way?

Author Comment

by:hell_angel
From the document, it said:
"You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. "

Does it mean that a context = a virtual firewall?
From diagram 4.2, this should answer my query, right?

Which means I can have multiple contexts in the same subnet and use NAT for them to intercommunicate, right?
LVL 61

Accepted Solution

by:btan
btan earned 500 total points
Fig 4.1 or 4.2 should be able to provide it, either based on MAC or NAT (dest IP). But there is a caveat: a shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

You can define multiple security "contexts" on a single security appliance. Each context operates as an independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts are similar to having multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management. Some features are not supported; for example, VPN, multicast, and dynamic routing protocols; security contexts support only static routes; and you cannot enable OSPF or RIP in multiple-context mode. Also, some features are not directly managed by Cisco Security Manager, such as the IPS feature set in ASA and PIX.


http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxcontexts.html
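As an added example (not taken from the thread or from the Cisco documents it links), this is how the layout btan describes could be expressed in ASA multiple-context mode: two contexts, each with its own dedicated inside port so the identical inside addressing never meets on one segment, a shared outside interface carrying a unique MAC address per context so the classifier can steer frames without falling back to a destination-IP lookup, and static NAT that exposes each server under a distinct outside address so the two can reach each other. Context names, interface numbers, IP addresses and MAC addresses are all assumptions chosen for the example, and the NAT and access-list syntax is the pre-8.3 `static` form that matches the ASA 8.0 documents linked above (on 8.3 and later the same idea is written with `object network` and the access-list references the real address instead of the mapped one).

```cisco
! ---- System execution space (assumed layout, not from the thread) ----
mode multiple
!
interface GigabitEthernet0/0
 description shared outside port, allocated to both contexts
 no shutdown
interface GigabitEthernet0/1
 description dedicated inside port for ctxA (VLAN of server A)
 no shutdown
interface GigabitEthernet0/2
 description dedicated inside port for ctxB (VLAN of server B)
 no shutdown
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
!
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctxA.cfg
!
context ctxB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctxB.cfg
!
! ---- ctxA.cfg (assumed) ----
! Unique MAC on the shared outside port: the classifier maps
! frames to this context by destination MAC, not by IP lookup.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
 mac-address 0200.0000.00a1
! Same inside IP as ctxB, which is allowed because this port is
! not shared with any other context.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Server A (real 10.0.0.10) is reachable from outside as 203.0.113.21.
static (inside,outside) 203.0.113.21 10.0.0.10 netmask 255.255.255.255
! Pre-8.3: the inbound ACL matches the mapped address. Only the peer
! server's mapped address is permitted in, nothing else.
access-list outside_in extended permit ip host 203.0.113.22 host 203.0.113.21
access-group outside_in in interface outside
!
! ---- ctxB.cfg (assumed) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.12 255.255.255.0
 mac-address 0200.0000.00b1
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Server B (also real 10.0.0.10, on its own VLAN) is reachable from
! outside as 203.0.113.22.
static (inside,outside) 203.0.113.22 10.0.0.10 netmask 255.255.255.255
access-list outside_in extended permit ip host 203.0.113.21 host 203.0.113.22
access-group outside_in in interface outside
```

With this layout server A talks to server B by addressing 203.0.113.22: ctxA translates the source to 203.0.113.21, the frame leaves on the shared outside segment, the classifier hands it to ctxB by the MAC 0200.0000.00b1, and ctxB un-NATs 203.0.113.22 back to its own 10.0.0.10. If the two outside interfaces were left with the same MAC, the classifier would have to fall back to the destination-IP lookup described in the first answer, which only works because the `static` entries tell it which mapped address belongs to which context; and putting the inside interfaces of both contexts on one shared port with the same 10.0.0.1 is exactly the configuration the quoted Cisco text says the ASA rejects.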

Author Closing Comment

by:hell_angel
n/a