Cross VRF connectivity via ASA firewall

Hi @ReneMolenaar @lagapidis,

Could you please share how cross-VRF communication works via a Cisco ASA firewall that has been separated into multi-context mode, including a topology diagram and a configuration example?

Appreciate your response on this.

What has your own reading and labbing yielded? I assume it isn’t working?

Hello Indika

Thanks for your post and your suggestion. Although we can’t immediately create a lab topology with detailed configs, you can go into the Lesson Ideas page below and make your detailed suggestions there. You may find that others have made similar suggestions and you can add your voice to theirs:

In the meantime, I can share with you some thoughts concerning your scenario that may help you along the way to deploy the topology that you are envisioning.

Cross-VRF communication through a Cisco ASA in multi-context mode requires an external Layer 3 device (typically your core switch or upstream router) to perform the inter-VRF routing, while the ASA provides security policy enforcement. ASA contexts cannot directly communicate with each other. They are completely isolated virtual firewalls with separate routing tables.

If you share a little bit more about what you want to achieve and the reasons for it, we may be able to provide you with some more info in this direction.

I hope this has been helpful!

Laz

Hi @lagapidis,

Thanks for your message and details below.

Our current set-up is that we have Nexus switches upstream, connecting to an ASA multi-context firewall that connects to another Nexus switch, which in turn connects to a server.

NEXUS(L3) -> ASA MULTI-CONTEXT -> NEXUS -> SERVER

The Nexus is configured with VRFs and I want to understand how the connectivity works for a VRF-A user accessing a VRF-B server.

Appreciate your advice on this.

Hello Indika

Thanks for the extra info. Remember, when you create Multi-Context in an ASA, you have to consider each context as a separate physical device, with the ports on the ASA assigned to a particular context. That means that your diagram should reflect that. It shows only one connection between the Nexus(L3) and the ASA, as well as between the ASA and the next Nexus device. To which context is each device connecting?

Direct internal inter-context communication is not possible. Now, having said that, here are some thoughts concerning your topology:

  • You can achieve inter-context communication via the Nexus L3 device, where routing can take place between the contexts. But you need two connections from the Nexus(L3), one to each context.
  • You mention that the Nexus device has two VRFs. Nexus devices can achieve inter-VRF communication, so you may want to apply that there instead of dealing with the ASA directly.
  • Alternatively, if you want direct communication between the contexts, you can connect the port of one context to the port of another context with a physical cable, thus connecting the two contexts either at L2 or L3, but that depends upon what you actually want to achieve.

So you should resolve the connectivity issue between the devices (i.e. the ASA is actually two devices, so your connectivity should reflect that), and see how some of the additional info I have suggested helps you out. Feel free to continue the discussion if you like, so we can give you some more insight if needed.

I hope this has been helpful!

Laz
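To make the two-uplink design from the reply above concrete, here is a constructed configuration skeleton (added for illustration; it is not configuration from this thread or from Cisco). It assumes two contexts, CTX-A in front of the user subnet and CTX-B in front of the server subnet, one routed link from the Nexus to each context, and static inter-VRF route leaking on the Nexus (the NX-OS `ip route ... vrf` next-hop-VRF form is assumed to be available on your platform; all addresses, interface and context names are made up).

```cisco
! --- ASA, system execution space (firewall already set to multiple mode) ---
context CTX-A
  allocate-interface GigabitEthernet0/0 outside-a
  allocate-interface GigabitEthernet0/1 inside-a
  config-url disk0:/ctx-a.cfg
context CTX-B
  allocate-interface GigabitEthernet0/2 outside-b
  allocate-interface GigabitEthernet0/3 inside-b
  config-url disk0:/ctx-b.cfg
! --- CTX-A (user side): 10.1.1.0/30 toward Nexus VRF-A, 10.10.0.0/24 inside ---
interface outside-a
  nameif outside
  security-level 0
  ip address 10.1.1.2 255.255.255.252
interface inside-a
  nameif inside
  security-level 100
  ip address 10.10.0.1 255.255.255.0
route outside 10.20.0.0 255.255.255.0 10.1.1.1
! --- CTX-B (server side): 10.1.2.0/30 toward Nexus VRF-B, 10.20.0.0/24 inside ---
interface outside-b
  nameif outside
  security-level 0
  ip address 10.1.2.2 255.255.255.252
interface inside-b
  nameif inside
  security-level 100
  ip address 10.20.0.1 255.255.255.0
route outside 10.10.0.0 255.255.255.0 10.1.2.1
! policy is enforced here: only the VRF-A user subnet reaches the server, on 443
access-list OUTSIDE-IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.10 eq 443
access-group OUTSIDE-IN in interface outside
! --- Nexus L3: one routed link per context, static leak between the VRFs ---
vrf context VRF-A
  ip route 10.10.0.0/24 10.1.1.2
  ip route 10.20.0.0/24 Ethernet1/2 10.1.2.2 vrf VRF-B
vrf context VRF-B
  ip route 10.20.0.0/24 10.1.2.2
  ip route 10.10.0.0/24 Ethernet1/1 10.1.1.2 vrf VRF-A
interface Ethernet1/1
  no switchport
  vrf member VRF-A
  ip address 10.1.1.1/30
interface Ethernet1/2
  no switchport
  vrf member VRF-B
  ip address 10.1.2.1/30
```

A user packet thus enters VRF-A from CTX-A, is leaked to VRF-B on the Nexus, and is inspected by CTX-B before reaching the server; the return path is the mirror image, so both contexts see every flow and neither context ever talks to the other inside the ASA.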