07-18-2012 09:22 PM - edited 03-11-2019 04:32 PM
Hi,
I have 2x ASA5510 with Security Plus licence. I have configured 3 contexts and Active/Active Failover. Everything works fine. But I also want to use remote access VPN but couldn't find anything for VPN. Does it support VPN in multiple mode? Could you offer something?
07-18-2012 09:59 PM
No, VPN is not supported in multi context mode.
Here is the documentation for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188973
07-19-2012 05:58 AM
I've heard that L2L VPN might become possible for multiple context mode ASAs in the future.
But VPN Client either isn't coming at all or is coming much later.
It's a shame that this possibility doesn't exist on the ASAs running multiple firewalls. It basically means you need totally different equipment for VPN capabilities. And even then it means you have no way of virtualizing routing, which again means you can't have overlapping networks on your ASA that you have dedicated only for VPN purposes.
This is especially bad when you're trying to move away from IOS VPN setups with old 6500 modules where you could use VRFs for each VPN connection, which totally eliminated the problem of overlapping networks. Configuring those VPNs to a single ASA becomes harder if you happen to have overlapping networks (VPN pools, customer networks, L2L VPN remote networks).
- Jouni
07-19-2012 06:55 AM
01-21-2014 06:37 AM
For future reference..
Multi-context and dynamic routing are supported on v9 of ASA code and above (with the exception of the ASA 5505 and the Cisco Catalyst 6500 Series ASA Services Module).
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.html