Cisco Systems CL-28826-01 Interfaces in Single and Multiple Contexts, About Asymmetric Routing Groups

45-5

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter45 Managing Firewall Devices

Configuring Firewall Device Interfaces

Bridge Groups

Beginning with the ASA 8.4.1 and FWSM 3.1, in transparent mode, you can increase the number of

interfaces available to a device or context through use of bridge groups. You can configure up to eight

bridge groups; on an FWSM each group can contain two interfaces; on an ASA each group can contain

four interfaces. See Add/Edit Bridge Group Dialog Box, page 45-41 for more information.

Related Topics

•Chapter 46, “Configuring Bridging Policies on Firewall Devices”

Interfaces in Single and Multiple Contexts

Security “contexts” allow a single physical device to operate as multiple, independent firewalls. In

multiple-context mode, each context defines a single virtual firewall, complete with its own

configuration. Each context acts as a unique virtual firewall that inspects and filters traffic traversing the

interfaces allocated to that context. Each context is “unaware” of other contexts defined on the same

security appliance.

As with a single-context, routed-mode device, interfaces on a multiple-context device connect to

router-based networks, subinterfaces connect to switch-based networks, and each subinterface must be

associated with an interface that routes allowed traffic correctly.

However, you cannot define IP addresses, the routed-mode portion of the configuration, or identify the

management interface until you have defined and deployed the contexts. But you cannot define a security

context until you have defined the necessary interfaces and subinterfaces.

In other words, you must enable and configure the interfaces and subinterfaces on a device that will

provide multiple security contexts (in either routed or transparent mode) before you can define and

configure the security contexts themselves.

Refer to Chapter 57, “Configuring Security Contexts on Firewall Devices” for more information.

About Asymmetric Routing Groups

In some situations, return traffic for a session may be routed through a different interface than the one

from which it originated. Similarly, in failover configurations, return traffic for a connection that

originated on one unit may return through the peer unit. This most commonly occurs when two interfaces

on a single FWSM, or two FWSMs in a failover pair, are connected to different service providers and

the outbound connection does not use a NAT address. By default, the FWSM drops the return traffic

because there is no connection information for that traffic.

You can prevent return traffic being dropped by assigning the VLAN interfaces on which this is likely

to occur to an asymmetric routing (ASR) group. When a member interface receives a packet for which

it has no session information, it checks the session information for other interfaces that are members of

the same group.

If a match is not found, the packet is dropped. If a match is found, one of the following actions occurs:

•If the incoming traffic originated on a different interface on the same FWSM, some or all of the

Layer 2 header is rewritten and the packet is re-injected into the stream.

•If the incoming traffic originated on a peer unit in a failover configuration, some or all of the Layer

2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long

as the session is active.