04-11-2011 09:49 AM - edited 03-11-2019 01:19 PM
Hi,
I was wondering, with a single ASA, is there a way to have multiple contexts use a dual ISP? For example, context A has an inside and an outside (A), with another outside (B) for failover. Context B has an inside and an outside (B), and another outside (A) for failover.
If this is possible with one firewall, could someone point me to the design guides for it?
Thanks in advance,
Bob James
04-12-2011 12:57 PM
Bob,
Unfortunately, routing protocols and SLA monitoring are not supported in multiple context mode. Your best option is putting a router outside the ASA.
Thanks,
Brendan
04-12-2011 05:28 PM
I don't need routing other than statics, but are you saying you cannot share an outside interface across contexts?
If so, if I had two IPs from each ISP, could I assign three interfaces per context: two outside (one to each ISP) and one inside for each network? Does it matter that the outside IPs in each context will be on the same subnet?
If not, then the only thing I would have to watch for is proxy ARP.
Thanks
Bob James
04-12-2011 07:43 PM
You should be able to do what you are describing. There is no design guide specifically for that. It's just two outside interfaces on the same subnet. Things get slightly more complicated if you want to use the same physical (or sub-) interface across multiple contexts.
Sent from Cisco Technical Support iPhone App
04-13-2011 07:06 AM
Bob,
Just to clarify a bit here... Yes, you can share an interface across multiple contexts. Yes, the interfaces in each context can be on the same subnet. But to what end? If you only have static routes, there is no failure mechanism to switch your traffic from ISP1 to ISP2. You would have to manually change the default route in the event of a failure.
The only exception would be if the physical interface went down and you had a backup route in place. Only then would the traffic automatically be sent through the backup ISP.
I hope this helps.
Thanks,
Brendan
04-13-2011 07:19 AM
Brendan,
I must be missing something here. If I can have multiple interfaces in contexts with dual ISPs, unless the IOS prohibits it, why can I not set up the tracking (IP SLA) feature with the dual ISPs and have the default route fail over to the other ISP in the event that the path to a destination on the Internet that I set goes away?
I've built this many many times, just none using multiple contexts....
Confused...
Bob James
04-13-2011 07:25 AM
Bob,
According to the command reference, the feature is just not supported in multiple context mode. I don't know exactly why this limitation exists, but it does. :-(
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1557524
Thanks,
Brendan
12-01-2015 08:47 PM
ENH CSCug56848 has been filed on the same: SLA monitoring support in multi-context mode.
regards,
Bratin Saha