We used to manage two Cisco ASA firewalls in our network: one terminated the site-to-site IPsec VPNs from remote client sites back to our HQ, and the other ran multiple security contexts to NAT several downstream clients. Now I use a single ASA running a 9.x image, with the site-to-site IPsec VPNs under the admin context and the NAT on multiple security contexts. I demonstrated a context-based ASA running 9.0 code with S2S VPN in a previous blog post.
I was creating a new context for a customer recently, and after configuring nameif on the shared outside interface, management traffic (ping and SNMP) to our upstream Internet edge router was cut off. While troubleshooting I recalled that, by default, every context uses the same MAC address on a shared interface. The ASA classifies an inbound packet on a shared interface to a context first by unique interface, then by destination MAC address, and only then by the NAT configuration; when all contexts present the same MAC, traffic addressed to a context's own interface IP (which has no NAT entry) may not be classified to the right context, and management traffic fails quietly. The best practice is therefore to give each security context a unique MAC address on the shared outside interface. You can assign one manually under each context, or have the system execution space generate them with the mac-address auto command. If you do it manually, use an address with the locally administered bit set (bit 0x02 of the first octet, as the ASA's own auto-generated A2xx.yyzz.zzzz addresses have) instead of one inside a vendor OUI, so it cannot collide with a burned-in address on the same segment. Note in the output below that the system execution space keeps showing the burned-in address; only the contexts receive generated addresses, which are derived from the prefix reported in the INFO line (33748 = 0x83D4, byte-reversed into a2d4.8300.xxxx). After issuing the command I could ping the Internet again from the new context, and our NMS was able to poll the ASA via SNMP.
ciscoasa# show interface g0/0 | include MAC
MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC
MAC address a46c.2a65.83d9, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC
MAC address a46c.2a65.83d9, MTU 1500
ciscoasa/admin# changeto context NEW
ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# mac-address a46c.2a65.1111 // MANUAL APPROACH; NETWORK TRAFFIC WENT BACK TO NORMAL
ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# no mac-address a46c.2a65.1111
ciscoasa/NEW(config-if)# changeto system
ciscoasa(config)# mac-address auto
INFO: Converted to mac-address auto prefix 33748
ciscoasa# show interface g0/0 | include MAC // SYSTEM CONTEXT
MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC // ADMIN CONTEXT
MAC address a2d4.8300.0004, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC // NEW CONTEXT
MAC address a2d4.8300.0002, MTU 1500