I'd like to start a conversation here with anyone who is using multiple security contexts sharing the same outside interface.
This is a discussion I started elsewhere, but I wanted to get it out under the right subject.
I'm considering using multiple security contexts as a solution to a problem.
In a nutshell, I want any inbound SMTP to be forwarded to an internal SMTP server A, except inbound SMTP from a -specific- network, which I want forwarded to a second internal SMTP server B.
My idea to solve this with multiple contexts would be:
Security context A:
Access List:
1. Deny SMTP packets from Specific_Network
2. Permit SMTP packets from anywhere else
3. all other non-SMTP access rules go here
NAT:
1. Route all SMTP packets to server A
2. other non-SMTP NAT rules go here
Security context B:
Access List:
1. Permit SMTP packets from Specific_Network
2. Deny SMTP packets from anywhere else
NAT:
1. Route all SMTP packets to server B
Both contexts share the same interface and the same outside network, but have unique MAC addresses, which can be done on the ASA 5510 according to David Huckaby/Cisco Press.
I'm making a broad assumption here, and that is that both contexts see all of the same packets arriving on the interface that they share.
In other words, for our email problem, both contexts get the same SMTP packets but each deals with one condition or the other, in an unambiguous way. One context denies what the other context permits.
Does anyone know if this is feasible, or if there is another more direct solution?
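As an added example, not part of the original post, here is a small Python model of the two access lists and NAT targets described above. It assumes first-match ACL evaluation with an implicit deny at the end, and uses constructed addresses for the specific network and the two internal servers; it checks the property the design relies on, that every SMTP source is accepted by exactly one context.

```python
import ipaddress
from dataclasses import dataclass

SMTP_PORT = 25

# Constructed sample values (assumptions): the "specific" network and the two servers.
SPECIFIC_NETWORK = ipaddress.ip_network("203.0.113.0/24")
ANY_NETWORK = ipaddress.ip_network("0.0.0.0/0")
SERVER_A = "10.0.0.25"
SERVER_B = "10.0.0.26"


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source network the entry matches
    dport: int                      # destination port the entry matches


# The two contexts as laid out in the post: an ordered ACL plus the SMTP NAT target.
# Non-SMTP rules for context A are omitted, so non-SMTP traffic falls to implicit deny.
CONTEXTS = {
    "A": ([AclEntry("deny", SPECIFIC_NETWORK, SMTP_PORT),
           AclEntry("permit", ANY_NETWORK, SMTP_PORT)], SERVER_A),
    "B": ([AclEntry("permit", SPECIFIC_NETWORK, SMTP_PORT),
           AclEntry("deny", ANY_NETWORK, SMTP_PORT)], SERVER_B),
}


def evaluate(acl, src_ip, dport):
    """First-match ACL evaluation; no match means implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for entry in acl:
        if src in entry.src and entry.dport == dport:
            return entry.action == "permit"
    return False


def decide(src_ip, dport=SMTP_PORT):
    """Return the set of (context, nat_target) pairs that would accept this flow."""
    return {(name, target) for name, (acl, target) in CONTEXTS.items()
            if evaluate(acl, src_ip, dport)}


def policy_is_unambiguous(sample_sources):
    """True when every sample source is accepted by exactly one context."""
    return all(len(decide(ip)) == 1 for ip in sample_sources)
```

Feeding the same sample sources through `decide` shows which server each SMTP source would be steered to, and `policy_is_unambiguous` fails as soon as the two ACLs overlap or leave a gap.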