Are the ASA5500-X Series Firewalls VRF-Aware

Hi Community

 

I need to find out whether the ASA 5500-X Series Next-Generation Firewalls are VRF-Aware using the latest IOS Version (9.1.x / 9.2.x). I have searched the Release Notes for the IOS Versions but not finding anything. I do believe that this is not a supported feature yet.

 

I look forward to any responses.

 

Regards

Steven

5 Replies

Jouni Forss
VIP Alumni

Hi,

 

Not to my knowledge. Seems the ASA just got BGP support in 9.2, which I was surprised about since people had been asking for it for a long time.

 

The usual answer from one Cisco contact, when asking for capabilities on the Cisco ASA that are present in Cisco routers, was: "ASA is not a router" :)

 

I guess the question at this point would be what you are trying to achieve with the ASA? Maybe there is something that could be done despite lacking the support?

 

- Jouni

Hi Jouni

 

I am also not aware of them being VRF-aware as yet, and I do know that it has been a long-standing question - some requests dating back as far as 4 years.

 

I already have a distinct solution in mind; I was just wondering whether, with the new release of 9.2.x, they were VRF-aware or not. If not, it is not a major issue as I do have a workaround solution.

 

Thanks for your reply

 

Cheers

Steven

Hi Steven,

I also have this requirement for an ASA to be "VRF aware", as you put it. My take on this though is to map an ASA security context to each VRF. However, one thing I can't find out is whether I can run separate instances of OSPF in an ASA context. According to the Cisco support docs, OSPF is only supported in single context mode on the 5500 series, but I'm not sure whether this has changed with the next generation 5500X series - can anyone help with this?

Thanks

Ian

This is supported after 9.0.

You can run separate dynamic routing protocols in each ASA context, as well as use L2L VPN out of each context. QoS is one of the only caveats left between single and multiple context mode.

 

Just have a transit VLAN to each context in a separate VRF, run VRF-aware routing protocols on that VRF, and treat each context on the other end of the transit VLAN / sub-interface separately, forming a neighborship with the core switch/router.

If what you are asking about is MULTIPLE processes in the same context - here it is working in single context mode:

 

TESTERRRR# sh ospf interface       

tomado is up, line protocol is up  
  Internet Address 10.1.1.1 mask 255.255.255.0, Area 0 
  Process ID 3, Router ID 195.162.122.130, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:04
    Wait time before Designated router selection 0:00:34
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)
lettuce is up, line protocol is up  
  Internet Address 10.2.1.1 mask 255.255.255.0, Area 0 
  Process ID 4, Router ID 10.230.28.254, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.230.28.254, Interface address 10.2.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)

 

But I have not tried it in multiple context mode.

 

Better to have ONE process, and multiple Contexts, connected upstream to different VRFs
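As an added example (not configuration from any of the posters above), here is how the design described in the last reply could be laid out: one ASA security context per VRF, each joined to the core over its own transit VLAN, with a single OSPF process per context peering only with the matching VRF on the core. Context names, VLAN IDs, addresses and the core's VRF names are all constructed for illustration.

```cisco
! Added example, not from the thread. One ASA context per customer VRF,
! each with its own transit VLAN to the core. All names, VLAN IDs, RDs
! and addresses below are constructed; adapt to the real environment.

! --- ASA system context: one sub-interface per customer VRF ---
interface GigabitEthernet0/0.110
 vlan 110
interface GigabitEthernet0/0.120
 vlan 120
!
context CUST-A
 allocate-interface GigabitEthernet0/0.110 transit-a
 config-url disk0:/cust-a.cfg
context CUST-B
 allocate-interface GigabitEthernet0/0.120 transit-b
 config-url disk0:/cust-b.cfg

! --- Inside context CUST-A: a single OSPF process, its own routing table,
!     adjacency only with the core's CUST-A VRF over the transit VLAN ---
interface transit-a
 nameif transit
 security-level 0
 ip address 10.110.0.2 255.255.255.0
router ospf 1
 router-id 10.110.0.2
 network 10.110.0.0 255.255.255.0 area 0
! (context CUST-B is configured the same way with 10.120.0.2/24 on transit-b)

! --- Core IOS switch: each transit VLAN is bound to its own VRF, so
!     routes learned from one context never reach another customer's VRF ---
vrf definition CUST-A
 rd 65000:110
 address-family ipv4
 exit-address-family
!
interface Vlan110
 vrf forwarding CUST-A
 ip address 10.110.0.1 255.255.255.0
!
router ospf 110 vrf CUST-A
 router-id 10.110.0.1
 network 10.110.0.0 0.0.0.255 area 0
!
! Repeat vrf definition CUST-B / interface Vlan120 / router ospf 120 vrf CUST-B
! with 10.120.0.0/24 for the second context.
```

Separation between customers then rests on two things: the per-context routing table and interface allocation on the ASA, and VRF membership of the transit SVIs on the core; neither side can leak a route into the other VRF without an explicit route-leaking configuration.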
