ASA security contexts

How can I route between 2 different security contexts?
Please advise.
jacksch4820 Asked:

Marius Gunnerud, Senior Systems Engineer, Commented:
There are two ways of achieving this.

One way is to have both contexts share an interface. So let's say that context 1 has interface Gig0/1.1 and context 2 has Gig0/1.2.

The other way is to send inter context traffic to a router or layer 3 switch which then routes the traffic between the two contexts.
0
anoopkmr Commented:
You can also do the routing from one context with the gateway being the other context's interface IP.
0
jacksch4820, Author, Commented:
OK, I don't have a shared interface. How can I add a route? Please advise.
0
anoopkmr Commented:
For adding the context interface as the gateway, there has to be a common subnet between the interfaces in both contexts. Sorry, I missed that in my last comment.

See the example below (assume nat-control is disabled).

Context A:
Inside IP: 10.1.1.1/24 (nameif inside, Sec 100)
Outside IP: 192.168.100.1/24 (nameif outside, Sec 0)
The PC behind the context has the gateway 10.1.1.1, or routes the traffic to 10.1.2.x via 10.1.1.1 (ASA inside).

Context B:
Inside IP: 10.1.1.2/24 (nameif inside, Sec 100)
Outside IP: 192.168.100.2/24 (nameif outside, Sec 0)
The PC behind the context has the gateway 10.1.1.2, or routes the traffic to 10.1.1.x via 10.1.1.2 (ASA inside).


Suppose 10.1.1.x/24 behind context A wants to communicate with 10.1.2.x/24.
We can add the configs below.

On context A:

route outside 10.1.2.0 255.255.255.0 192.168.100.2

If an access-group exists on the outside interface, then the necessary traffic needs to be permitted as well.

On context B:

route outside 10.1.1.0 255.255.255.0 192.168.100.1
If an access-group exists on the outside interface, then the necessary traffic needs to be permitted as well.
0
Marius Gunnerud, Senior Systems Engineer, Commented:
In anoopkmr's example the route command on context B would not be needed as both ASAs are directly connected to that network.

But in essence that is the way to do it if you have a layer 2 switch between the contexts.  The other option would be to route between the contexts using a layer 3 switch or router.
0
anoopkmr Commented:
MAG03:
It's required for the reply traffic or for packets initiated from the network behind context B, isn't it? Correct me if I am wrong.
Otherwise, how does context B know about the network behind context A?
0
Marius Gunnerud, Senior Systems Engineer, Commented:
For the network behind B, which you have indicated as 10.1.2.0/24: yes, you would need a static route on A pointing to the outside interface of B to reach it. However, on B you have set a static route to 10.1.1.0/24, which is also assigned to both inside interfaces (perhaps a typo?), so in this case, since both ASAs are directly connected to the network, a static route is not needed.
0
anoopkmr Commented:
Sorry, it's a typo.

It should be like below:
Context B
Inside IP: 10.1.2.1/24 (nameif inside, Sec 100)
0
jacksch4820, Author, Commented:
Thanks all for the feedback.
Please see my attached ASA config.
What command must I add into context a and b to route all data between context a and b, everything permitted, nothing blocked?
system-config.txt
context-a.txt
context-b.txt
0
anoopkmr Commented:
Change the config as below.

System config:

context A
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/2
  config-url disk0:/A
!

context b
  allocate-interface Ethernet0/1
  allocate-interface Ethernet0/2

int eth 0/2
no shut

...........

Context a:

int eth 0/2
nameif outside
ip add 192.168.100.1 255.255.255.0
no sh

route outside 10.10.10.0 255.255.255.0 192.168.100.2
access-list acl-out permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group acl-out in int outside

...........

Context b:

int eth 0/2
nameif outside
ip add 192.168.100.2 255.255.255.0
no sh

route outside 192.168.1.0 255.255.255.0 192.168.100.1
access-list acl-out permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group acl-out in int outside

...........

The PC gateway has to be the corresponding context's inside IP; otherwise, proper routing should be in place.
0
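As an added sanity check, not code from the thread or from Cisco: the Python below parses two ASA-style context configs (constructed, modelled on anoopkmr's corrected example rather than the attached configs) and verifies the two points raised in the thread, that a route's next hop lies on the subnet of the interface it names (the common-subnet requirement) and that the context owning that next hop either has a return route to the network behind the other context or is directly connected to it (Marius's observation). The config subset parsed, the function names and the sample addresses are assumptions.

```python
import ipaddress
import re
# Constructed sample configs modelled on the thread's corrected example (not the OP's attachments).
CONTEXT_A = """\
 nameif inside
 ip address 10.1.1.1 255.255.255.0
 nameif outside
 ip address 192.168.100.1 255.255.255.0
route outside 10.1.2.0 255.255.255.0 192.168.100.2"""
CONTEXT_B = """\
 nameif inside
 ip address 10.1.2.1 255.255.255.0
 nameif outside
 ip address 192.168.100.2 255.255.255.0
route outside 10.1.1.0 255.255.255.0 192.168.100.1"""

def parse_context(text):
    """Return ({nameif: IPv4Interface}, [(nameif, IPv4Network, next_hop)])."""
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), net, ipaddress.ip_address(m.group(4))))
    return ifaces, routes

def reachable(ifaces, routes, net):
    # True if the context is directly connected to net or has a static route covering it
    nets = [i.network for i in ifaces.values()] + [r[1] for r in routes]
    return any(net.subnet_of(n) for n in nets)

def check_routes(contexts):
    """Return problem strings; an empty list means inter-context routing is consistent."""
    parsed = {n: parse_context(c) for n, c in contexts.items()}
    problems = []
    for name, (ifaces, routes) in parsed.items():
        for ifname, net, gw in routes:
            if ifname not in ifaces or gw not in ifaces[ifname].network:
                problems.append(f"{name}: next hop {gw} is not on the {ifname} subnet")
                continue
            # The other context that owns the next-hop IP; None means an external router.
            peer = next((p for p, (pi, _) in parsed.items()
                         if p != name and any(i.ip == gw for i in pi.values())), None)
            # Return traffic: a peer context must reach every network directly behind this one.
            for i in (ifaces.values() if peer else []):
                if i.network != ifaces[ifname].network and not reachable(*parsed[peer], i.network):
                    problems.append(f"{peer}: no return route to {i.network} behind {name}")
    return problems
```

Running check_routes on the two sample contexts returns an empty list; dropping context B's route reports the missing return path, while the thread's original typo (B inside on 10.1.1.2/24) passes because B is then directly connected.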