Natting with multiple context

sidcracker
Level 1

Hi All,

Can natting be done on a multiple context ASA? So basically if all 10 different contexts on the ASA wants to nat their internal IPs can they do that? How about static NAT?

Thanks

5 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Each context is treated as a separate firewall. So, under the firewall context, you can do all the configurations that you can do on a regular firewall (with certain restrictions as applied to multiple context).

http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Hope this helps.

Regards,

NT

Thanks Nagaraja for the URL. Are there any limitations for natting that you are aware of? Or can Multi Context do exactly what a single context does?

My other question is I know that threat detection is not supported on the multicontext? But how about the IPS SSM module?

Thanks

Hello,

All NAT features are supported in multiple context mode just like single context mode. As long as you are not re-using addresses on the outside interfaces of different contexts, you should be fine.

It seems like you can use the IPS module also in the multiple context mode.

Here is a link that outlines the configuration requirements:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1091984

Hope this helps.

Regards,

NT

Hi Nagaraja,

Thanks for your help in this matter. If I were to allocate resources for contexts, what would be the best configuration to input when I have about 10 customers in the ASA? Is it best to allow unlimited connections from all customers or is it advisable to limit the configurations? I have read the Cisco guide for resources but just wanted to understand what is the best practice implemented by other organizations.

Thanks

Hi NT,

Best practices would have you limiting the amount of resources each context is able to consume. Let's take a scenario where one context is under a DOS attack. If you allow this context unlimited access to all resources it will starve other contexts from being able to access these resources. By limiting each context to a predetermined limit of resources you can prevent this from occurring. Best practices would also be to monitor the contexts for some time before implementing such limitations so that you will not block legitimate traffic.


--Phil
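The per-context resource limits Phil describes, as an added configuration example that is not from this thread or from any Cisco document. It is entered in the system execution space of a multiple-context ASA; the class name `gold`, the context name `customer1`, the interface and file names, and the numeric limits are all assumed and should be replaced with values taken from monitoring your own contexts.

```cisco
! System execution space. The built-in "default" class leaves connections,
! translations and hosts unlimited, so a single context under attack can
! exhaust them for everyone. Define a class with hard ceilings instead.
class gold
  ! maximum concurrent connections for a member context
  limit-resource conns 20000
  ! new connections per second (the "rate" form is a per-second limit)
  limit-resource rate conns 1000
  ! NAT translations, which also bounds how much NAT one context can build
  limit-resource xlates 10000
  ! distinct hosts tracked for this context
  limit-resource hosts 5000
  ! syslog messages per second, so a flood cannot starve logging
  limit-resource rate syslogs 500
!
! Attach a customer context to the class (assumed names).
context customer1
  allocate-interface GigabitEthernet0/0.101 cust1-outside
  allocate-interface GigabitEthernet0/1.101 cust1-inside
  config-url disk0:/customer1.cfg
  member gold
!
! Monitor before and after tightening limits, so legitimate traffic is not
! cut off by a ceiling set too low:
!   show resource usage context customer1 resource all
!   show resource usage summary
!   show resource allocation
```

NAT itself (static or dynamic) is configured inside each context exactly as on a single-context ASA; the class above only caps how many translations and connections that context may hold at once.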