<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Yes, that's the high level in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456357#M238653</link>
    <description>&lt;P&gt;Yes, that's the high level approach.&lt;/P&gt;&lt;P&gt;As long as you create your policies based on addresses and keep in mind that you don't have explicit context awareness in PRSM, then you should be fine.&lt;/P&gt;</description>
    <pubDate>Thu, 08 May 2014 15:44:39 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2014-05-08T15:44:39Z</dc:date>
    <item>
      <title>ASA NG 5515-X multicontext support for WSE/AVC and IPS</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456354#M238648</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am designing network security with Cisco ASAs. I have a redundant core / distribution switching in VSS and 2 ASAs (Active / Standby) and trying to evaluate whether I could run multiple security services on one pair of ASA in virtual contexts rather than deploying more ASAs. I need to run DMZ so that it could go in one virtual context, then I need to run WSE, AVC and possibly IPS to protect internal users LANs and also deploy web and application security, here not sure if that is supported in a virtual context and with active/standby setup, apart from that I need to protect the servers with FW rules and IPS, here also a dilemma whether this will work in a virtual context and active / standby setup.&lt;/P&gt;&lt;P&gt;What would you recommend, having separate pair of ASAs for each security service or I could do all that with one pair of ASAs and multi context setup?&lt;/P&gt;&lt;P&gt;Thanks in advance for quick and informative responses.&lt;/P&gt;&lt;P&gt;Remi&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 04:10:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456354#M238648</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2019-03-12T04:10:29Z</dc:date>
    </item>
    <item>
      <title>Remi,NGFW services (WSE, AVC</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456355#M238651</link>
      <description>&lt;P&gt;Remi,&lt;/P&gt;&lt;P&gt;NGFW services (WSE, AVC and IPS, depending on your license) are supported on ASAs operating in multi-context mode. The catch is that the NGFW services aren't aware of the contexts per se (as of this time). So you have a single policy set configured in PRSM for a given ASA (or ASA HA pair) that will apply to all your traffic.&lt;/P&gt;&lt;P&gt;Of course, each context has its own service-policy that is used to direct the appropriate traffic to the CX module for inspection and policy enforcement.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 14:48:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456355#M238651</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2014-05-08T14:48:11Z</dc:date>
    </item>
    <item>
      <title>Thanks Marvin. So the</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456356#M238652</link>
      <description>&lt;P&gt;Thanks Marvin. So the scenario I am describing would work, correct? All I need to do is in PRSM configure various policy-sets and match the traffic globally based on certain rules that would be relevant to certain contexts?&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 15:18:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456356#M238652</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2014-05-08T15:18:36Z</dc:date>
    </item>
    <item>
      <title>Yes, that's the high level</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456357#M238653</link>
      <description>&lt;P&gt;Yes, that's the high level approach.&lt;/P&gt;&lt;P&gt;As long as you create your policies based on addresses and keep in mind that you don't have explicit context awareness in PRSM, then you should be fine.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 15:44:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456357#M238653</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2014-05-08T15:44:39Z</dc:date>
    </item>
    <item>
      <title>OK cool. What is the purpose</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456358#M238654</link>
      <description>&lt;P&gt;OK cool. What is the purpose of the explicit context awareness in PRSM? Is it there but still not supported?&lt;/P&gt;&lt;P&gt;The only concern I have is about DMZ on same ASA pair. I guess it should be fine because I would not send any DMZ traffic to CX module (where it would get mixed up with users or servers traffic) and since DMZ would be on a separate virtual context the security would be maintained. Also the DMZ will be kept on a separate VRF and will need to do VRF leaking from DMZ inside VLAN into servers VLAN in the services VRF.&lt;/P&gt;&lt;P&gt;How about sending both users (for WSE and AVC) and servers (for IPS) traffic into the same CX module? That would work fine?&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;Remi&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 15:52:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456358#M238654</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2014-05-08T15:52:35Z</dc:date>
    </item>
    <item>
      <title>The CX doesn't allow you to</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456359#M238655</link>
      <description>&lt;P&gt;The CX doesn't allow you to use context as an operator for policies. I am not informed on the internals but it obviously knows which context a given flow came from or else it wouldn't know where to put the traffic "back into" the host ASA.&lt;/P&gt;&lt;P&gt;There should be no possibility of traffic co-mingling within the CX. It only acts as a tool to inspect and enforce policy on a given flow and then put it back to the ASA (when appropriate) for egress processing.&lt;/P&gt;&lt;P&gt;FYI you may want to review BRKSEC-2699 from Cisco Live! Milan earlier this year (available from &lt;A href="http://www.ciscolive365.com" target="_blank"&gt;http://www.ciscolive365.com&lt;/A&gt;). It has some good explanations about CX policies etc.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 17:24:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456359#M238655</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2014-05-08T17:24:57Z</dc:date>
    </item>
    <item>
      <title>Sounds good, many thanks</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456360#M238656</link>
      <description>&lt;P&gt;Sounds good, many thanks Marvin.&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Remi&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2014 22:19:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456360#M238656</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2014-05-08T22:19:26Z</dc:date>
    </item>
    <item>
      <title>Hello Marvin,I know we</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456361#M238657</link>
      <description>&lt;P&gt;Hello Marvin,&lt;/P&gt;&lt;P&gt;I know we already closed this post but could I just ask you something real quick? Whether my ASAs are in active/active or active/standby configuration how about the licensing for WSE/AVC and IPS? Do I buy the licensing only for one box or need to purchase for each box separately? Can't seem to find much information on that.&lt;/P&gt;&lt;P&gt;Thanks very much in advance.&lt;/P&gt;&lt;P&gt;Remi&lt;/P&gt;</description>
      <pubDate>Tue, 27 May 2014 21:40:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456361#M238657</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2014-05-27T21:40:20Z</dc:date>
    </item>
    <item>
      <title>No problem.Unfortunately you</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456362#M238658</link>
      <description>&lt;P&gt;No problem.&lt;/P&gt;&lt;P&gt;Unfortunately you need licenses on both ASAs for the services to work (for either A/A or A/S mode). The CX modules don't share feature licenses like the base ASA does.&lt;/P&gt;</description>
      <pubDate>Tue, 27 May 2014 22:02:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456362#M238658</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2014-05-27T22:02:09Z</dc:date>
    </item>
    <item>
      <title>I will take it into</title>
      <link>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456363#M238659</link>
      <description>&lt;P&gt;I will take it into consideration, thanks a lot Marvin!&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Remi&lt;/P&gt;</description>
      <pubDate>Tue, 27 May 2014 22:47:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-ng-5515-x-multicontext-support-for-wse-avc-and-ips/m-p/2456363#M238659</guid>
      <dc:creator>remi-reszka</dc:creator>
      <dc:date>2014-05-27T22:47:27Z</dc:date>
    </item>
  </channel>
</rss>

