From: Truman Ford (truman.ccie@gmail.com)
Date: Mon Oct 13 2008 - 14:36:34 ART
Hi Expert,
I want to configure multiple context mode on an ASA 5520 running version 7.0(4)
for two customers, CustomerA and CustomerB.
For this, I have created two contexts (as attached).
The requirement is that the customer has "hostel VLANs" from VLAN 23 - 29
which he wants to use in ContextA. Similarly with ContextB.
(The two WAN links are directly terminated on the ASA, which is connected to the
switch.)
The configs are attached below:
1. Old ASA config in production (needs to be changed to multiple context)
2. Switch config
3. Dummy multiple context config
Please suggest how to go forward with the configuration.
-- warm regards, Truman

ciscoasa# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
 nameif Wan_Port
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif WAN_MRTEL
 security-level 0
 ip address 223.168.128.147 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 nameif Internal
 security-level 100
 ip address 192.168.1.6 255.255.255.0
!
interface Management0/0
 nameif Mngt_Port
 security-level 100
 ip address 10.81.199.1 255.255.255.0
 management-only
!
!
time-range Hostel_Time_Range
 periodic weekdays 8:00 to 17:00
!
time-range test2
 absolute start 12:09 26 February 2008 end 12:13 26 April 2008
!
ftp mode passive
clock timezone IST 5 30
access-list Wan_Port_access_in extended permit icmp any any
access-list Internal_access_in extended permit ip any any
!
http-map help
!
pager lines 24
logging console informational
logging asdm informational
logging device-id ipaddress Internal
logging host Internal 192.168.1.51 format emblem
logging debug-trace
logging class ip trap critical
no logging message 101001
mtu Wan_Port 1500
mtu Internal 1500
mtu Mngt_Port 1500
mtu WAN_MTEL 1500
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Internal) 0 0.0.0.0 0.0.0.0
access-group Wan_Port_access_in in interface Wan_Port
access-group Internal_access_in in interface Internal
route Wan_Port 0.0.0.0 0.0.0.0 10.1.1.1 1
route Internal 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.51 255.255.255.255 Internal
http 192.168.1.69 255.255.255.255 Internal
http 192.168.1.100 255.255.255.255 Internal
http 192.168.1.4 255.255.255.255 Internal
http 192.168.1.43 255.255.255.255 Internal
http 192.168.1.3 255.255.255.255 Internal
http 10.81.199.0 255.255.255.0 Mngt_Port
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 0
telnet 0.0.0.0 0.0.0.0 Wan_Port
telnet 192.168.1.0 255.255.255.0 Internal
telnet 10.81.199.0 255.255.255.0 Mngt_Port
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
Cryptochecksum:
: end

ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)
Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 day 17 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
 Boot microcode : CNlite-MC-Boot-Cisco-1.2
 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0015.c6fa.259a, irq 9
1: Ext: GigabitEthernet0/1 : address is 0015.c6fa.259b, irq 9
2: Ext: GigabitEthernet0/2 : address is 0015.c6fa.259c, irq 9
3: Ext: GigabitEthernet0/3 : address is 0015.c6fa.259d, irq 9
4: Ext: Management0/0 : address is 0015.c6fa.259e, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 300
This platform has a Base license.
Configuration register is 0x1
Configuration last modified by enable_15 at 15:31:10.762 IST Wed Sep 10 2008
ciscoasa# exit
Logoff

Core_Switch_Router#sh run
Building configuration...
Current configuration : 4702 bytes
!
! Last configuration change at 18:55:07 gmt Wed Sep 10 2008
! NVRAM config last updated at 10:38:41 gmt Wed Sep 10 2008
!
version 12.2
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Core_Switch_Router
!
clock timezone gmt 5 30
ip subnet-zero
!
!
ip name-server 202.138.96.2
!
ip dhcp pool IP_Phone
   network 192.168.2.0 255.255.255.0
   next-server 192.168.2.5
   domain-name MANIT
   default-router 192.168.2.1
!
ipv6 unicast-routing
redundancy
 high-availability
 single-router-mode
 mode none
!
!
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.1.3
 ipv6 address 2001:DB8:1:1::1/64
 ipv6 enable
!
interface Vlan2
 description VoIP VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.1.3
 ip helper-address 192.168.1.4
 shutdown
 ipv6 address 2001:DB8:1:2::1/64
 ipv6 enable
!
interface Vlan5
 description IT VLAN
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.3
 ip helper-address 192.168.1.4
!
interface Vlan6
 description CSE VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan7
 description ARCH VLAN
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan8
 description ELECTRICAL VLAN
 ip address 192.168.8.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan9
 description ELECTRONICs VLAN
 ip address 192.168.9.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan10
 description MECH VLAN
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan11
 description LIBRARY VLAN
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan12
 description CIVIL VLAN
 ip address 192.168.12.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan13
 description MCA VLAN
 ip address 192.168.13.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan14
 description ADMIN VLAN
 ip address 192.168.14.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan15
 description DEAN VLAN
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan16
 description CC VLAN
 ip address 192.168.16.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan17
 no ip address
!
interface Vlan21
 description Energy_Center VLAN
 ip address 192.168.21.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan22
 description App_Mech VLAN
 ip address 192.168.22.1 255.255.255.0
 ip helper-address 192.168.1.3
!
interface Vlan23
 description Hostel-2 VLAN
 ip address 192.168.23.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan24
 description Hostel-3 VLAN
 ip address 192.168.24.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan25
 description Hostel-4 VLAN
 ip address 192.168.25.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan26
 description Hostel-5 VLAN
 ip address 192.168.26.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan27
 description Hostel-6 VLAN
 ip address 192.168.27.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan28
 description Hostel-NRI VLAN
 ip address 192.168.28.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
interface Vlan29
 description Hostel-7 VLAN
 ip address 192.168.29.1 255.255.255.0
 ip access-group FOR_WEEKDAYS out
 ip helper-address 192.168.1.3
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.6
no ip http server
!
!
ip access-list extended FOR_WEEKDAYS
 permit udp any host 192.168.1.3 eq bootps
 deny ip any any time-range WEEKDAYS
 permit ip any any
!
logging trap debugging
logging source-interface Vlan1
logging 192.168.1.51
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 99 deny any log
!
!
banner motd ^C
WELCOME TO CORE SWITCH ROUTER(mode). ONLY AUTHORIZED PERSON CAN ACCESS THIS DEVI CE.
^C
!
!
ntp clock-period 17180100
ntp update-calendar
ntp server 207.46.197.32 prefer
time-range WEEKDAYS
 periodic weekdays 8:00 to 16:00
!
end

Core_Switch_Router# exit
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST