---------- Forwarded message ----------
From: Kingsley Charles <[email protected]>
Date: Fri, Sep 11, 2009 at 11:07 AM
Subject: Re: [OSL | CCIE_Security] ASA Ver 8.0 Multiple context mode
To: Dnyaneshwar Gore <[email protected]>

Hi D.M.Gore

In the admin context, allocate G0/1, G0/2, G0/3 to Context A, B and C respectively. Login into context A and configure 10.10.10.1 for G0/1. Now if a host 10.10.10.2 initiates the traffic and gets a reply back, the destination IP of the return traffic will be 10.10.10.2. ASA knows that 10.10.10.0 is configured in Context A and moves the packet to Context A. The same applies to the other contexts.

Or

In the admin context, configure G0/1.1, G0/1.2 and G0/1 and associate vlan 1, 2 and 3 to them. vlan 1's subnet is 10.10.10.0; similarly 2 and 3 will have 10.20.20.0 and 10.30.30.0. Connect a switch's port to G0/1 in trunking mode, with the switch configured for vlan 1, 2 and 3. Login into context A and configure 10.10.10.1 for the inside interface. When the return traffic comes to the 10.10.10.0 subnet, ASA moves it to context A.

With regards
Kings

On Fri, Sep 11, 2009 at 9:14 AM, Dnyaneshwar Gore <[email protected]> wrote:
> Hi Kings,
>
> I am still not clear. So let's take an example with IP addresses.
>
> I want to use the Gig0/0 int as outside for all three contexts with the same IP
> address, let's say 192.168.1.1/24. The IP address assignment is as follows:
>
> Context   Inside IP address             Outside IP address
>           (with different interfaces)   (shared int Giga0/0, no sub-interface)
> A         10.10.10.1/24                 192.168.1.1/24
> B         10.20.20.1/24                 192.168.1.1/24
> C         10.30.30.1/24                 192.168.1.1/24
>
> The Internet router is connected to the outside interface of the ASA with IP address
> 192.168.1.2/24
>
> Now in this case, if context A users having IP address 10.10.1.0/24 initiate a
> connection to the internet, then how will the ASA divert a packet returned from
> the internet to Context A only?
>
> How can this be achieved?
>
> Regards,
> D.M.Gore
>
> On Thu, Sep 10, 2009 at 5:21 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi D.M.Gore
>>
>> With multiple contexts, you need a unique parameter to classify the packet
>> and send it to the appropriate context. For that we can use either IP address or
>> vlans. The ASA checks for "Source interface vlan" and Destination IP address.
>>
>> Typically the actual use of multiple contexts comes into place when two or more
>> contexts share the same interface. Let's say G0/1 is the inside interface
>> connected to the LAN and G0/0 is the outside interface connected to the internet. Two
>> contexts use G0/1 and G0/0 with the same topology for different sets of users.
>> To differentiate the incoming packets and move them to the appropriate context, the ASA
>> looks for parameters.
>>
>> You can use the following two rules:
>>
>> If the vlan is shared across multiple contexts, the IP address subnet on
>> each of the vlans should be unique.
>>
>> If the IP address subnet is the same, then the vlans should be unique for each
>> context.
>>
>> For your question given below: you can either use three different inside
>> physical interfaces for the three contexts, or use one single physical
>> interface with three sub-interfaces and vlans in different subnets. If
>> you want to use the same subnet as source for all the three subnets, then the
>> destination routing should be different for the three contexts.
>>
>> "Let's take an example: ASA has three contexts A, B and C. They are sharing
>> the outside interface, i.e. Giga0/0, with IP address. The Internet router is attached
>> to the ASA's outside interface. Now in this scenario how will the ASA divert a
>> packet coming from the internet to the correct context from where the connection
>> originated?"
>>
>> With regards
>> Kings
>>
>> On Thu, Sep 10, 2009 at 12:59 PM, Dnyaneshwar Gore <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I read in one of the docs that we can share an IP address on a shared interface
>>> on different contexts. Is it correct? If yes, then how will the packet classifier
>>> classify the packet?
>>> Let's take an example: ASA has three contexts A, B and C. They are sharing
>>> the outside interface, i.e. Giga0/0, with IP address. The Internet router is attached
>>> to the ASA's outside interface. Now in this scenario how will the ASA divert a
>>> packet coming from the internet to the correct context from where the connection
>>> originated?
>>>
>>> One way is a separate mac address for the outside interface. But in this case, the
>>> returned packet will go to all contexts as they are having the same outside IP
>>> address.
>>>
>>> Another way is to NAT the destination IP address. But in this case, the destination
>>> IP will be from the outside IP address range only. So once again it will go to
>>> all contexts.
>>>
>>> Kindly help me in this case.
>>>
>>> Regards,
>>> D.M.Gore
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
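As an added illustration (not code from the thread and not Cisco's classifier), the two classification rules Kings describes, modelled in Python over the addresses used in this exchange: an interface or vlan allocated to a single context identifies it outright, and on a shared interface the destination IP must fall in a subnet that only one of the sharing contexts has configured. The topology dictionaries and the 203.0.113.5 address are constructed; the model deliberately leaves out NAT-based matching, which the thread does not describe.

```python
import ipaddress

# Constructed topology: context name -> list of (interface, subnet configured on it).
# An interface listed under more than one context is shared. This only illustrates the
# two classification rules stated in the thread (unique interface/vlan, otherwise unique
# destination subnet); it is not Cisco's classifier code and ignores NAT-based matching.

def classify(topology, ingress, dst_ip):
    """Return (context, reason) for a packet arriving on `ingress` towards `dst_ip`."""
    owners = [ctx for ctx, ifaces in topology.items()
              if any(name == ingress for name, _ in ifaces)]
    if not owners:
        return None, f"{ingress} is not allocated to any context"
    if len(owners) == 1:                      # rule 1: interface/vlan unique to one context
        return owners[0], f"{ingress} is allocated only to context {owners[0]}"
    dst = ipaddress.ip_address(dst_ip)        # rule 2: destination subnet unique to one context
    matches = [ctx for ctx in owners
               if any(dst in ipaddress.ip_network(net) for _, net in topology[ctx])]
    if len(matches) == 1:
        return matches[0], f"{dst_ip} falls in a subnet configured only in context {matches[0]}"
    if not matches:
        return None, f"{dst_ip} matches no subnet of the contexts sharing {ingress}"
    return None, f"{dst_ip} matches {', '.join(matches)}: same subnet on shared {ingress}, ambiguous"

# The setup from the question: G0/0 shared by A, B and C with one identical address,
# each context with its own inside interface and subnet.
SHARED_OUTSIDE = {
    "A": [("G0/0", "192.168.1.0/24"), ("G0/1", "10.10.10.0/24")],
    "B": [("G0/0", "192.168.1.0/24"), ("G0/2", "10.20.20.0/24")],
    "C": [("G0/0", "192.168.1.0/24"), ("G0/3", "10.30.30.0/24")],
}

# The second suggestion from the reply: one trunk into G0/1 and per-vlan subinterfaces
# with distinct subnets, so every subinterface belongs to exactly one context.
VLAN_SUBINTERFACES = {
    "A": [("G0/1.1", "10.10.10.0/24")],
    "B": [("G0/1.2", "10.20.20.0/24")],
    "C": [("G0/1.3", "10.30.30.0/24")],
}

if __name__ == "__main__":
    cases = [(SHARED_OUTSIDE, "G0/0", "10.10.10.2"),      # reply to an A host: classifiable
             (SHARED_OUTSIDE, "G0/0", "192.168.1.1"),     # reply to the shared outside IP: ambiguous
             (SHARED_OUTSIDE, "G0/2", "203.0.113.5"),     # G0/2 is allocated to B alone
             (VLAN_SUBINTERFACES, "G0/1.3", "203.0.113.5")]  # vlan 3 subinterface belongs to C
    for topo, ingress, dst in cases:
        print(ingress, dst, "->", classify(topo, ingress, dst))
```

The second case is the one D.M.Gore worries about: a packet addressed to the shared 192.168.1.1 matches all three contexts, so under these rules alone it cannot be delivered to just one of them.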
