07-03-2014 09:08 PM - edited 03-11-2019 09:25 PM
We have ASA 5555X with two contexts and AVC, WSE, IPS licenses activated. All upgraded with the latest software, ASA 9.2 and CX 9.3.
Plan to create two contexts, one for Internet and one for partners. Each context has its active context in one physical box and its standby context in another physical box for load balancing and HA. The AVC, WSE & IPS CX filter is only enabled in the Internet context. Is this design fully supported?
(Not able to run clustering due to physical and switch limitations.)
07-04-2014 08:20 AM
The current CX releases support multiple context ASA configurations. The only caution is that a given CX only supports a single set of policies but in your use case that shouldn't be an issue.
Whether one, the other or both contexts direct traffic to the CX module for inspection via a service-policy it will work OK and is a supported configuration. You cannot differentiate policies inside the CX based on which context the traffic comes from but as long as you're OK with that restriction, there should be no issue.
If you're running in an HA pair (or have more CX modules elsewhere), it's recommended to use the separately licensed multiple device mode PRSM in a separate VM to keep the policies synchronized between the CX instances. Otherwise you need to make every change exactly the same in both CX units of an HA pair - there's no synchronization like there is in the base ASA when using single device mode (on-box) PRSM.
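The design discussed in this thread, sketched as ASA configuration. This is an added example, not part of either post: the context names, interface names and config-url paths are assumed values, and the failover link between the two units is assumed to be configured already.

```cisco
! --- System execution space (multiple context mode) ---
! Two failover groups, each preferring a different physical unit,
! so each box is active for one context and standby for the other.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! Context names, interfaces and config-url paths below are assumed values.
context internet
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/internet.cfg
  join-failover-group 1
!
context partners
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/partners.cfg
  join-failover-group 2
!
! --- Inside context "internet" only ---
! Redirect traffic to the CX module. fail-open passes traffic if the
! module is unavailable; fail-close would drop it instead.
policy-map global_policy
 class class-default
  cxsc fail-open
service-policy global_policy global
!
! --- Inside context "partners" ---
! No cxsc action in any policy-map, so this context sends nothing to CX.
```

Because the CX policies are not replicated by ASA failover, the CX module in each physical unit needs the same policy set, either through multiple device mode PRSM or by repeating each change on both units.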