08-24-2010 09:13 PM - edited 03-11-2019 11:30 AM
Hi All,
Can natting be done on a multiple context ASA? So basically, if all 10 different contexts on the ASA want to NAT their internal IPs, can they do that? How about static NAT?
Thanks
08-24-2010 09:24 PM
Hello,
Each context is treated as a separate firewall. So, under the firewall
context, you can do all the configurations that you can do on a regular
firewall (with certain restrictions as applied to multiple context).
http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Hope this helps.
Regards,
NT
08-24-2010 09:30 PM
Thanks Nagaraja for the URL. Are there any limitations for natting that you are aware of? Or can multi-context do exactly what a single context does?
My other question: I know that threat detection is not supported in multi-context, but how about the IPS SSM module?
Thanks
08-24-2010 09:38 PM
Hello,
All NAT features are supported in multiple context mode just like single
context mode. As long as you are not re-using addresses on the outside
interfaces of different contexts, you should be fine.
It seems like you can use the IPS module also in the multiple context mode.
Here is a link that outlines the configuration requirements:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1091984
Hope this helps.
Regards,
NT
08-25-2010 06:12 PM
Hi Nagaraja,
Thanks for your help in this matter. If I were to allocate resources for contexts, what would be the best configuration to input when I have about 10 customers on the ASA? Is it best to allow unlimited connections from all customers, or is it advisable to limit the configurations? I have read the Cisco guide for resources but just wanted to understand what the best practice implemented by other organizations is.
Thanks
08-30-2010 01:32 PM
Hi NT,
Best practices would have you limiting the amount of resources each context is able to consume. Let's take a scenario where one context is under a DoS attack. If you allow this context unlimited access to all resources, it will starve other contexts from being able to access these resources. By limiting each context to a predetermined limit of resources, you can prevent this from occurring. Best practices would also be to monitor the contexts for some time before implementing such limitations so that you will not block legitimate traffic.
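Added example, not part of the thread or of Cisco's documentation: a sketch of the per-context resource limiting described in the last reply, entered in the system execution space of a multiple-context ASA. The class name `customer-std`, the context name `customer-a` and every numeric value are assumptions to be replaced with figures taken from the monitoring period.

```text
! --- Weak: every resource unlimited for members of this class, so one
! --- context under a DoS can starve the other nine.
! class customer-open
!   limit-resource all 0

! --- Corrected: a class with explicit ceilings (values are placeholders).
class customer-std
  ! Share of the platform's concurrent connection limit
  limit-resource conns 10%
  ! New connections per second
  limit-resource rate conns 1000
  ! Application inspections per second
  limit-resource rate inspects 500
  ! Address translations and tracked hosts
  limit-resource xlates 36000
  limit-resource hosts 9000
  ! Keep log floods and management sessions bounded too
  limit-resource rate syslogs 5000
  limit-resource ssh 5
  limit-resource asdm 5

! --- Assign each customer context to the class; a context with no
! --- "member" line falls back to the default class.
context customer-a
  member customer-std

! --- Baseline first, then verify after applying limits: compare the
! --- peak values against the limits and watch for denied requests.
! show resource allocation
! show resource usage context customer-a
```

Percentages across all contexts may add up to more than 100% if oversubscription is intended; absolute values avoid that ambiguity.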