https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471036#M613514 <HTML><HEAD></HEAD><BODY><P></P><P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--><P>Hi NT,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Best practices would have you limiting the amount of resources each context is able to consume. Let's take a scenario where one context is under a DOS attack. If you allow this context unlimited access to all resources it will starve other contexts from being able to access these resources. By limiting each context to a pre determined limit of resources you can prevent this from occurring. Best practices would also be to monitor the contexts from some time before implementing such limitations so that you will not block legitimate traffic.</P><BR /><SPAN>--Phil</SPAN><BR /></BODY></HTML> Mon, 30 Aug 2010 20:32:52 GMT Phillip Strelau 2010-08-30T20:32:52Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471031#M613509 <P>Hi All,</P><P></P><P>Can natting be done on a multiple context ASA? So basically if all 10 different contexts on the ASA wants to nat their internal IPs can they do that? How about static NAT?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 18:30:16 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471031#M613509 sidcracker 2019-03-11T18:30:16Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471032#M613510 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Each context is treated as a separate firewall. So, under the firewall</P><P>context, you can do all the configurations that you can do on a regular</P><P>firewall (with certain restrictions as applied to multiple context). </P><P></P><P>http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_exa</P><P>mple09186a00808d2b63.shtml</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Wed, 25 Aug 2010 04:24:17 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471032#M613510 Nagaraja Thanthry 2010-08-25T04:24:17Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471033#M613511 <HTML><HEAD></HEAD><BODY><P>Thanks Nagaraja for the url. Are there any limitations for natting that you are aware of? Or can Multi Context do excatly what a single context do?</P><P></P><P>My other question is I know that threat detection is not supported on the multicontext? But how about the IPS SSM module?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 25 Aug 2010 04:30:37 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471033#M613511 sidcracker 2010-08-25T04:30:37Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471034#M613512 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>All NAT features are supported in multiple context mode just like single</P><P>context mode. As long as you are not re-using addresses on the outside</P><P>interfaces of different contexts, you should be fine. </P><P></P><P>It seems like you can use the IPS module also in the multiple context mode.</P><P>Here is a link that outlines the configuration requirements:</P><P></P><P>http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.h</P><P>tml#wp1091984</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Wed, 25 Aug 2010 04:38:19 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471034#M613512 Nagaraja Thanthry 2010-08-25T04:38:19Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471035#M613513 <HTML><HEAD></HEAD><BODY><P>Hi Nagaraja,</P><P></P><P>Thanks for you help in this matter. If I were to allocate resources for contexts, what would be the best configuration to input when I have about 10 customers in ASA. Is it best to allow unlimited connections from all customers or is it advisable to llimit the configurations. I have read the Cisco guide for resources but just wanted to understand what is the best practise implemented by other organizations.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 26 Aug 2010 01:12:04 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471035#M613513 sidcracker 2010-08-26T01:12:04Z https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471036#M613514 <HTML><HEAD></HEAD><BODY><P></P><P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--><P>Hi NT,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Best practices would have you limiting the amount of resources each context is able to consume. Let's take a scenario where one context is under a DOS attack. If you allow this context unlimited access to all resources it will starve other contexts from being able to access these resources. By limiting each context to a pre determined limit of resources you can prevent this from occurring. Best practices would also be to monitor the contexts from some time before implementing such limitations so that you will not block legitimate traffic.</P><BR /><SPAN>--Phil</SPAN><BR /></BODY></HTML> Mon, 30 Aug 2010 20:32:52 GMT https://community.cisco.com/t5/network-security/natting-with-multiple-context/m-p/1471036#M613514 Phillip Strelau 2010-08-30T20:32:52Z