topic You can share interfaces in Network Security

ASA and Asa context mode

satya mothukuri — Tue, 12 Mar 2019 05:45:14 GMT

Hello,

we are planning to upgrade our firewalls in DC. We have planned to remove few of them aswell.

so totally 6 firewalls are getting migrated to 2 firewalls.our Design team planned to have asa's multi context mode, so that we can divide the traffic and use 1 context for VPN(remote and site2site) alone. But i told them in context mode Remote access will not work. Now they are planning to change the design. My suggestion is to design in single mode.I have few questions related to that new design.

1. I want to know what are the uses and limitations of multi context in a single origination/network. I know its much usefull for service providers. Here we are one company and we manage all networks.

2. As i said we have 6 firewalls, 2 of them are used only for web traffic. they will not talk to any other network, only web traffic. So can we create security levels,ACL's and make web traffic alone to get separate from my normal traffic in single mode.

Please suggest, I will come out with more questions.

Regards,

Satya.M

Yes multiple context mode

Jon Marshall — Thu, 09 Apr 2015 21:09:40 GMT

You're right, multiple context mode does not support remote access VPNs although it does support L2L VPNs.

1) I have used contexts in a DC environment (not service provider) for different business units.

So for example we had a large Oracle platform that was critical to the business and they had their own context which isolated them from any configuration errors made in other contexts.

And you can control access per context which meant less experienced people didn't get full access to some of the more important contexts.

Other uses may be if you want to delegate control of certain contexts to different administrative people which can be useful in a large organisation.

Really depends on what you need to do.

2) Yes you can use specific interfaces for your web traffic and control who or what can access the servers.

You don't need contexts to control traffic in that way, you simply configure the appropriate security levels and acls to only allow the traffic you want.

Jon

Tnx Jon,many cases i saw

satya mothukuri — Fri, 10 Apr 2015 09:43:04 GMT

Tnx Jon,

many cases i saw which leads to easy administration and split FW to diff diff companies.

But for traffic separation, i didnt get any. I also want to know

if we need to use interface sharing bw context, is there any limitations.
If we plan active active on two hardware, i mean Context A is active on Firewall 1 and Context A active in firewall 2.
Any paln that Cisco come up with remote access VPN in next release.

Regards,

Satya.M

Any Info much appreciated :

satya mothukuri — Tue, 14 Apr 2015 10:22:17 GMT

Any Info much appreciated 🙂

You can share interfaces

Andre Neethling — Tue, 14 Apr 2015 19:54:50 GMT

You can share interfaces between contexts. You will probably have to hard code the mac addresses for shared interfaces in each context.

Also with active/active failover you can only have a context (A) active on 1 firewall......... not both