ASA and ASA context mode

satya mothukuri
Level 1

Hello,

We are planning to upgrade our firewalls in the DC. We have planned to remove a few of them as well.

So in total 6 firewalls are getting migrated to 2 firewalls. Our design team planned to have the ASAs in multiple context mode, so that we can divide the traffic and use one context for VPN (remote access and site-to-site) alone. But I told them that in context mode remote access will not work. Now they are planning to change the design. My suggestion is to design in single mode. I have a few questions related to that new design.

1. I want to know what the uses and limitations of multiple context mode are in a single organisation/network. I know it is very useful for service providers. Here we are one company and we manage all networks.

2. As I said we have 6 firewalls; 2 of them are used only for web traffic. They will not talk to any other network, only web traffic. So can we create security levels and ACLs and separate the web traffic alone from my normal traffic in single mode?

Please suggest; I will come up with more questions.

Regards,

Satya.M

4 Replies

Jon Marshall
Hall of Fame

You're right, multiple context mode does not support remote access VPNs, although it does support L2L VPNs.

1) I have used contexts in a DC environment (not service provider) for different business units.

So for example we had a large Oracle platform that was critical to the business and they had their own context which isolated them from any configuration errors made in other contexts.

And you can control access per context which meant less experienced people didn't get full access to some of the more important contexts.

Other uses may be if you want to delegate control of certain contexts to different administrative people which can be useful in a large organisation.

Really depends on what you need to do.

2) Yes you can use specific interfaces for your web traffic and control who or what can access the servers.

You don't need contexts to control traffic in that way; you simply configure the appropriate security levels and ACLs to only allow the traffic you want.

Jon
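To illustrate Jon's second point, here is an added example (not from the thread or any poster) of what the single-mode design looks like in an ASA 8.3+ running config: the web servers sit on their own interface with an intermediate security level, so inside hosts can reach them by default but the DMZ cannot initiate anything toward the inside, and the outside ACL admits only HTTP/HTTPS to the published servers. Interface names, addresses and object names are assumptions for the example.

```text
! Added example, not configuration from the thread. Addresses and names are assumed.
! Single context mode: three interfaces, separated by security level and ACLs.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Web servers only: lower than inside (inside may reach it by default),
! higher than outside (outside needs an explicit ACL permit).
interface GigabitEthernet0/2
 nameif web-dmz
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
! Published web server (8.3+ object NAT; ACLs reference the real address)
object network WEB-SRV-1
 host 172.16.20.10
 nat (web-dmz,outside) static 203.0.113.10
!
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Internet -> DMZ: only HTTP/HTTPS to the web server, everything else logged and dropped
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV-1 object-group WEB-PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> anywhere: the web servers must never initiate traffic to the inside
! network or the Internet. Return traffic for accepted inbound connections still
! flows because the ASA is stateful; only new connections sourced in the DMZ are hit.
access-list DMZ_IN extended deny ip any 10.10.0.0 255.255.0.0 log
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface web-dmz
!
! Inside -> DMZ: restrict management of the web servers to a jump host
object network JUMP-HOST
 host 10.10.5.20
access-list INSIDE_IN extended permit tcp object JUMP-HOST 172.16.20.0 255.255.255.0 eq ssh
access-list INSIDE_IN extended deny ip any 172.16.20.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.10.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
```

The security level only gives you the default behaviour (higher may initiate to lower); the ACLs are what actually enforce the separation, so the DMZ_IN deny lines are the part to check with `packet-tracer input web-dmz tcp 172.16.20.10 1025 10.10.0.50 445` after applying the config.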

Thanks Jon,

In many cases I saw it leads to easier administration and splitting the FW between different companies.

But for traffic separation I didn't get any. I also want to know:

  1. If we need to use interface sharing between contexts, are there any limitations?
  2. If we plan active/active on two hardware units, I mean Context A active on firewall 1 and Context A also active on firewall 2?
  3. Any plan that Cisco will come up with remote access VPN in the next release?

Regards,

Satya.M

Any info much appreciated :)

You can share interfaces between contexts. You will probably have to hard code the MAC addresses for shared interfaces in each context.

Also with active/active failover you can only have a context (A) active on one firewall, not both.
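As an added example (not posted in the thread), here is the system-context configuration for the multiple-context design Satya asked about, in ASA CLI: one outside interface shared by two contexts, and active/active failover where each context belongs to a failover group that is active on exactly one unit at a time. Interface, context and address names are assumed. The shared interface works because the classifier assigns an incoming packet to a context by its destination MAC, so each context needs its own MAC on that interface; `mac-address auto` has the ASA generate them, which is the alternative to hand-coding a `mac-address` under the interface in each context as Jon describes.

```text
! Added example, not configuration from the thread. Names and addresses are assumed.
! System execution space of the primary unit, multiple context mode.
mode multiple
!
! Generate a unique MAC per context for shared interfaces so the classifier can
! tell contexts apart (otherwise set "mac-address" under the interface in each context)
mac-address auto
!
interface GigabitEthernet0/0
 description shared outside (allocated to ctxA and ctxB)
!
interface GigabitEthernet0/1
 description ctxA inside
!
interface GigabitEthernet0/2
 description ctxB inside
!
interface GigabitEthernet0/7
 description failover and state link
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.0 standby 192.168.254.2
!
! Active/active: group 1 is normally active on the primary unit, group 2 on the
! secondary. A context is active wherever its group is active, never on both units.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctxA.cfg
 join-failover-group 1
!
context ctxB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
failover
```

Each context then carries its own nameif, security-level, IP address and ACLs for the interfaces allocated to it, exactly as in single mode. `show failover` in the system space shows which group, and therefore which context, is active on which unit; `show interface` inside a context shows the MAC that context received on the shared interface.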
