https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910336#M171411 <P>You need to extend the LAN at layer 2. &nbsp;You could buy a layer 2 circuit (preferably QinQ) form your service provider and let them do it.</P> <P></P> <P>If you have routers you could also built an L2TPv3 tunnel between the sites and do it yourself.</P> Tue, 28 Jun 2016 19:43:26 GMT Philip D'Ath 2016-06-28T19:43:26Z https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910333#M171406 <P>Hello,</P> <P></P> <P>I have two Cisco 5585 Firewalls across a stretched DMZ. &nbsp;I was hoping to create high availability by creating the two firewalls into Multi context mode. &nbsp;It failed miserably. &nbsp;Don't know if it was a configuration issue or just a bad idea but had to roll back both firewalls to stand alone again.</P> <P>Has anyone done this sort of project before?</P> <P>Is their a simple way of doing this like using two load balancers instead?</P> <P></P> <P>I really just want&nbsp;to create high availability for the servers &amp; applications on the DMZ off both firewalls. &nbsp;Its a pity cisco firewalls dont just do HSRP or something like that.</P> <P></P> <P>Could i use routers to do this?</P> <P></P> <P>any ideas appreciated</P> <P></P> <P>Kevin</P> <P></P> Tue, 12 Mar 2019 07:56:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910333#M171406 ohareka70 2019-03-12T07:56:50Z https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910334#M171407 <P>I have done it many times, using stretched VLANs between DC's. &nbsp;Works fine.</P> <P></P> <P>I recommend having redundant layer 2 patches, to prevent the "split brain" issue.</P> <P></P> <P>And make sure you stretch the failover network between them as well.</P> Sun, 26 Jun 2016 20:33:44 GMT https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910334#M171407 Philip D'Ath 2016-06-26T20:33:44Z https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910335#M171409 <P>What I want to do is have one subnet 192.168.180.x/24 running across two sites.&nbsp; I already have the physical subnet in place but each side has a different gateway on the 192.168.180.x network otherwise is would have a loop</P> <P></P> <P>What I then tried to do was have the Cisco 5585 firewalls in Multi context mode so they would replicate across the subnet.&nbsp; It seems to work ok for a few hours but then I had sync issues.</P> <P></P> <P>I just want to have high availability across the subnet for the servers but maybe I don't need to change the firewalls to be in multiple context mode</P> <P></P> <P>any ideas?</P> <P>Maybe use load balancers instead - between the two firewalls?</P> <P></P> Tue, 28 Jun 2016 15:40:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910335#M171409 ohareka70 2016-06-28T15:40:50Z https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910336#M171411 <P>You need to extend the LAN at layer 2. &nbsp;You could buy a layer 2 circuit (preferably QinQ) form your service provider and let them do it.</P> <P></P> <P>If you have routers you could also built an L2TPv3 tunnel between the sites and do it yourself.</P> Tue, 28 Jun 2016 19:43:26 GMT https://community.cisco.com/t5/network-security/cisco-asa-multi-context-mode-stretched-dmz/m-p/2910336#M171411 Philip D'Ath 2016-06-28T19:43:26Z