topic Re: Security Context in Network Security

Security Context

estelamathew — Mon, 11 Mar 2019 18:32:35 GMT

Hello Dears,

Question-1:Can we have a 2 ASA Active Active in single mode.

Answer:

What I know about context is:

Question-2: If we have 2 ASA with Context-A and Context-B,then ASA-1 will be active for Context-A and standby for Context-B, For ASA-2 Context-B wil be Active and ASA-1 will be standby. Please correct me if i m wrong???????????

Answer:

Thanks,

Re: Security Context

Jennifer Halim — Tue, 31 Aug 2010 05:51:42 GMT

Question-1: No, ASA needs to be in multiple context mode to support more than one context.

Question-2: Yes, you can configure that both context A and B to be active on ASA-1, or alternatively you can configure context A to be active on ASA-1 and context B to be active on ASA-2.

Hope that answers your questions.

Re: Security Context

Nagaraja Thanthry — Tue, 31 Aug 2010 05:51:53 GMT

Hello,

You can certainly have multiple contexts being active on a single firewall.

The failover pair is just for redundancy.

Here is a useful link on configuring multiple context firewall.

http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_exa

mple09186a00808d2b63.shtml

Hope this helps.

Regards,

Re: Security Context

estelamathew — Tue, 31 Aug 2010 06:08:01 GMT

Hello Dears,

In single customer do we need to create Multiple context????? . As i m sure we don't need but if so i want, then can i communicate between context's.suppose If i m creating context in single customer that means i m seperating subnets vlan's of the customer??? please correct me if i m wrong???

Thanks.

Re: Security Context

Jennifer Halim — Tue, 31 Aug 2010 08:53:20 GMT

Definitely need to be in multi context mode before you can configure any context within an ASA.

It requires a reboot when you change the ASA from single to multi context mode, and to run Active-Active failover, the ASA needs to be in multi context mode.

Re: Security Context

estelamathew — Tue, 31 Aug 2010 11:48:07 GMT

Hello Halijenn,

I m planning to configure ASA for 1 customer,and he is insisting to configure in multiple context mode so that he can achieve Active Active session from the firewall. ASA dedicated to 1 customer do we really need to create multiple context within that customer????

USER GUIDE SAYS:

Multiple security contexts in the following situations: Please answer the question below.

• You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the security appliance, you can implement a cost-effective,
space-saving solution that keeps all customer traffic separate and secure, and also eases
configuration.

OK,

• You are a large enterprise or a college campus and want to keep departments completely separate.

Answer: when Department don't want to speak to each other,,please correct me if i m wrong.????? If the department want to coummnicate then we would have created?????

• You are an enterprise that wants to provide distinct security policies to different departments.

Answer: ??????

• You have any network that requires more than one security appliance

Answer: what can be this situation.?????????

Thanks

Re: Security Context

Jennifer Halim — Tue, 31 Aug 2010 12:53:30 GMT

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Supported: Active/Active means that the customer can direct their traffic into 2 for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like VRRP address and ASA dynamically load balance the traffic between the 2 firewalls.

Re: Security Context

estelamathew — Tue, 31 Aug 2010 22:16:58 GMT

halijenn wrote:

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like VRRP address and ASA dynamically load balance the traffic between the 2 firewalls.

Thanks for ur precious help,

Please find the attached,

We have to manually load balance the traffic to ASA-1 OR ASA-2 if we are creating a context's as per the attached diagram. correct me if i m wrong????

Can't understood perfectly the below lines can u explore more???????

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like VRRP address and ASA dynamically load balance the traffic between the 2 firewalls.

ANSWER:

Re: Security Context

Kureli Sankar — Wed, 01 Sep 2010 00:04:06 GMT

Estela,

Thanks for the .png attachment. What halijenn said as not supportes is this

Context 1 can only process traffic from and to 10.1.1.0/24

Context 2 can only process traffic from and to 10.1.2.0/24

or they can switch roles and

Context 1 can process traffic from and to 10.1.2.0/24

Context 2 can process traffic from and to 10.1.1.0/24

at no time can both contexts process traffic for both 10.1.1.0/24 and 10.1.2.0/24

act/act failover can only load balance PER CONTEXT basis and not load balance over all traffic. Is this clear? If not pls. post your question.

-KS

Re: Security Context

estelamathew — Wed, 01 Sep 2010 04:43:36 GMT

Hello Halijenn/Kusankar,

Thanks for Exploring the Answer:2 NOT SUPPORTED,it is very much clear to me now.

For Answer 1 SUPPORTED :Is the below statement correct ???

We have to manually direct the traffic to ASA-1 OR ASA-2 if we are creating a context's as per the attached diagram in my previous mail. Correct me if i m wrong????.

Re: Security Context

Jennifer Halim — Wed, 01 Sep 2010 04:46:56 GMT

Yes, you are absolutely correct.