ASA single mode move to multi context mode advice

yong khang NG
Level 5

Hi all, Greetings,

I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to the internet, no VPN. Now the customer would like to add another ISP uplink, without investing in another box for HA ...

What came to my mind is to convert the current box to multi context. There are some areas I am concerned about, and I also need your perspective on them.

Question 1

To convert the firewall to multi context, do I need to do it from scratch: issue the mode multiple command, then rebuild the current production config into one of the contexts, then another context meant for the new ISP uplink, and one admin context?

Question 2

For the CSC-SSM licensing requirement, the ASA 5510 with the Security Plus license is able to support 2 contexts. So if I split my firewall as I mentioned in the question, exactly how many contexts do I own (admin, context A, context B)?

Question 3

For the CSC-SSM module in multi context mode, must the management port of the CSC SSM be attached to the admin context?

Question 4

After configuring all the policies and the traffic to scan, what exactly should I do in order to apply this policy to the interface? Should I only enable it in the admin context, under firewall \ service-policy rules, and apply it globally, OR should I also do the same on context A and context B?

FACT:

A. ASA Code running on ASA 8.3(1)

B. This box has base license and plus license.

C. CSC SSM version 6.3, with base and plus license.

Thanks

Noel

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Yong,

1) As soon as you set the ASA to multiple-context mode, all the configuration will be erased, and yes, you will need to start from scratch.

2) Correct, you will be able to use 2 contexts with the Security Plus:

Security Plus License: 2 contexts.

Optional license: 5 contexts.

3) You will need to configure only 1 security policy, which applies to all contexts (not on the admin context).

4) For further information read the following discussions:

https://supportforums.cisco.com/message/3004042

https://supportforums.cisco.com/thread/2087677

Any other questions? Sure, just remember to rate all of my posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the reply, and yes, it's very informative.

One more follow-up question:

How can the ASA achieve dual uplink "load balancing", provided the firewall is backed by an L3 switch that can do routing, PBR, etc.?

Thanks

Noel

Hello Yong,

You will need to use the layer 3 for the PBR, as the ASA does not support PBR, but let me ask: What is the PBR scenario you are trying to do? What are you trying to accomplish?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC