Enable Context Mode on Cisco ASA with direct Internet Circuit

johnlloyd_13
Level 9

Hi,

I have an Internet circuit directly terminated on an ASA 5525-X that is running in single mode.

Site-to-site IPsec VPN tunnels and NAT services are running on this FW.

Recently a number of customer sub-interfaces have been added, and I'm considering running multiple/context mode on this FW.

My question is: is it OK to run multiple/context mode on a FW that is connected directly to the Internet circuit? Any caveats or design considerations?

I usually have a context FW connected to an upstream Internet router and then to the ISP: ASA FW <> ROUTER <> ISP

5 Replies

Marvin Rhoads
Hall of Fame

It would technically work. But...
Unless you need to accommodate overlapping IP address space, I'd not advise multiple context on an ASA 5525-X. You are better off just using security zones.
Multiple context will introduce complexity and limitations without significant benefit. Also, when you change to multiple context mode you will have to rebuild your entire configuration under the new mode.

Hi Marvin,

Could you elaborate more on the overlapping IPs? I thought multiple mode and enabling mac-address auto fixes this limitation?

I have multiple 'inside' interfaces that are on 172.16.0.0/12.
Correct - you can support overlapping IP address space with multiple context mode.
That is one of the few compelling reasons for using multiple context mode. Most other requirements are met more simply via configuration of single context mode.
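As an added illustration of the overlapping-address case Marvin confirms above (constructed example, not configuration from this thread or from either poster): two contexts share the directly connected ISP interface, each gets its own public address from an assumed 203.0.113.8/29 handoff, and both use the same 172.16.1.0/24 inside subnet because each context keeps its own interfaces and routing table. Context names, VLAN numbers, interface names and addresses are all assumptions.

```cisco
! System execution space: constructed example, not the thread author's config
mode multiple
mac-address auto
!
interface GigabitEthernet0/0
 description ISP handoff, shared by every context (one public IP each)
!
interface GigabitEthernet0/1.10
 vlan 10
!
interface GigabitEthernet0/1.20
 vlan 20
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context tenant-a
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.10 inside
  config-url disk0:/tenant-a.cfg
!
context tenant-b
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.20 inside
  config-url disk0:/tenant-b.cfg
!
! disk0:/tenant-a.cfg: its own routing table, so 172.16.1.0/24 can repeat below
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9
!
! disk0:/tenant-b.cfg: same inside subnet, separate context; outside MAC differs
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.248
interface inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9
```

With the circuit terminated directly on the shared outside interface, mac-address auto gives each context's outside interface a distinct MAC so the ISP gateway ARPs for 203.0.113.10 and .11 separately and the ASA can classify inbound packets to the right context; every context therefore consumes one address from the ISP's subnet, which is a sizing consideration that an intermediate router would otherwise hide.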

Marvin,

Do you have a personal 'rule of thumb' on when to run multiple mode on a single-mode FW when the config becomes more complex, i.e. more sub-interfaces/security zones, ACLs, etc. are being added?

Say, when the sub-interfaces/security zones reach more than 5?

Personally I don't advocate them for scaling purposes.

The only two use cases that I advocate them for are overlapping IP address space and true separation of administrative scope (i.e. delegating context administration to a tenant).