jacksch4820
asked on
ASA security contexts
How can I route between 2 different security contexts?
Please advise.
You can also do the routing from one context with the other context's interface IP as the gateway.
ASKER
OK, I don't have a shared interface. How can I add a route? Please advise.
For adding the context interface as gateway, there should be a common subnet between the interfaces in both contexts. Sorry, I missed that in my last comments.
See the example below (assume nat-control is disabled).
Context A:
Inside IP: 10.1.1.1/24 (nameif inside, security-level 100)
Outside IP: 192.168.100.1/24 (nameif outside, security-level 0)
PCs behind the context have the gateway 10.1.1.1, or route the traffic to 10.1.2.x via 10.1.1.1 (ASA inside).
Context B:
Inside IP: 10.1.1.2/24 (nameif inside, security-level 100)
Outside IP: 192.168.100.2/24 (nameif outside, security-level 0)
PCs behind the context have the gateway 10.1.1.2, or route the traffic to 10.1.1.x via 10.1.1.2 (ASA inside).
Suppose 10.1.1.x/24 behind context A wants to communicate with 10.1.2.x/24.
We can add the configs below:
On context A:
route outside 10.1.2.0 255.255.255.0 192.168.100.2
If an access-group exists on the outside interface, then the necessary traffic needs to be permitted as well.
On context B:
route outside 10.1.1.0 255.255.255.0 192.168.100.1
If an access-group exists on the outside interface, then the necessary traffic needs to be permitted as well.
In anoopkmr's example, the route command on context B would not be needed, as both ASAs are directly connected to that network.
But in essence that is the way to do it if you have a layer 2 switch between the contexts. The other option would be to route between the contexts using a layer 3 switch or router.
MAG03:
It's required for the reply traffic or packets initiated from the network behind context B, isn't it? Correct me if I am wrong.
Otherwise, how does context B know about the network behind context A?
SOLUTION
Sorry, it's a typo.
It should be like below:
Context B:
Inside IP: 10.1.2.1/24 (nameif inside, security-level 100)
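As an added example (not from the thread, and not something the posters ran), here is a small Python model of the two-context setup above, using anoopkmr's addresses with the corrected Context B inside subnet 10.1.2.0/24. It parses the `ip address` and `route` lines of each context, performs a longest-prefix-match lookup, and walks a packet from a host behind Context A to a host behind Context B and back. It also shows what happens to the reply when Context B has no return route, which is the point MAG03 raised: with Context B's inside on 10.1.2.0/24, the 10.1.1.0/24 network is no longer directly connected to B, so the reply needs the static route. The context names ctx-a/ctx-b, the .50 host addresses, and the parser itself are assumptions for illustration rather than ASA behaviour; the check that a static route's gateway must lie on the egress interface's subnet encodes the "common subnet" requirement stated in the thread.

```python
import ipaddress
import re

# Constructed ASA-style fragments (only `interface`, `ip address` and `route`
# lines are parsed). Addresses follow anoopkmr's example with the corrected
# Context B inside address; the context names are assumptions.
CONTEXT_A = """\
interface inside
 ip address 10.1.1.1 255.255.255.0
interface outside
 ip address 192.168.100.1 255.255.255.0
route outside 10.1.2.0 255.255.255.0 192.168.100.2
"""

CONTEXT_B = """\
interface inside
 ip address 10.1.2.1 255.255.255.0
interface outside
 ip address 192.168.100.2 255.255.255.0
route outside 10.1.1.0 255.255.255.0 192.168.100.1
"""

# Context B with the static route back to 10.1.1.0/24 left out.
CONTEXT_B_NO_ROUTE = "\n".join(
    line for line in CONTEXT_B.splitlines() if not line.startswith("route ")
)


class Context:
    """One security context: interface addresses plus its routing table."""

    def __init__(self, name, config):
        self.name = name
        self.ifaces = {}   # nameif -> IPv4Interface
        self.routes = []   # (network, nameif, gateway); gateway None = connected
        cur = None
        for raw in config.splitlines():
            line = raw.strip()
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                cur = m.group(1)
                continue
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m and cur:
                iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
                self.ifaces[cur] = iface
                self.routes.append((iface.network, cur, None))
                continue
            m = re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)", line)
            if m:
                nameif, net, mask, gw = m.groups()
                gw = ipaddress.IPv4Address(gw)
                egress = self.ifaces.get(nameif)
                # The thread's requirement: the next hop must sit on the subnet
                # of the interface the route points out of.
                if egress is None or gw not in egress.network:
                    raise ValueError(f"{name}: gateway {gw} is not on {nameif}")
                self.routes.append(
                    (ipaddress.IPv4Network(f"{net}/{mask}"), nameif, gw))

    def lookup(self, dst):
        """Longest-prefix match; returns (nameif, next_hop) or None."""
        best = None
        for net, nameif, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nameif, gw)
        if best is None:
            return None
        _, nameif, gw = best
        return nameif, (dst if gw is None else gw)


def owner_of(contexts, addr):
    """Return the context that holds `addr` on one of its interfaces."""
    for ctx in contexts:
        if any(i.ip == addr for i in ctx.ifaces.values()):
            return ctx
    return None


def trace(contexts, src, dst, max_hops=8):
    """Walk a packet from src to dst across the contexts.

    Returns a list of (context name, egress nameif, next hop). A hop whose
    nameif is None means that context had no route and drops the packet.
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ctx = next((c for c in contexts
                if any(src in i.network for i in c.ifaces.values())), None)
    if ctx is None:
        raise ValueError(f"{src} is not behind any context")
    path = []
    for _ in range(max_hops):
        hit = ctx.lookup(dst)
        if hit is None:
            path.append((ctx.name, None, None))
            return path
        nameif, nh = hit
        path.append((ctx.name, nameif, str(nh)))
        if nh == dst:              # delivered onto a directly connected subnet
            return path
        ctx = owner_of(contexts, nh)
        if ctx is None:            # next hop is an external router; stop here
            return path
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    a, b = Context("ctx-a", CONTEXT_A), Context("ctx-b", CONTEXT_B)
    print("A -> B :", trace([a, b], "10.1.1.50", "10.1.2.50"))
    print("B -> A :", trace([a, b], "10.1.2.50", "10.1.1.50"))
    b_bare = Context("ctx-b", CONTEXT_B_NO_ROUTE)
    print("reply, no route in B:", trace([a, b_bare], "10.1.2.50", "10.1.1.50"))
```

The model only covers routing; it does not represent access-groups on the outside interfaces, which, as the answer above notes, must permit the traffic in each context as well, nor NAT, which the answer assumes is disabled.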
ASKER
Thanks all for the feedback.
Please see my ASA config attached.
What commands must I add to contexts A and B to route all data between them, with everything permitted and nothing blocked?
system-config.txt
context-a.txt
context-b.txt
ASKER CERTIFIED SOLUTION
One way is to have both contexts share an interface. So let's say that context 1 has interface Gig0/1.1 and context 2 has Gig0/1.2.
The other way is to send inter context traffic to a router or layer 3 switch which then routes the traffic between the two contexts.