Introduction:
This document describes an issue faced by a user and points to a training ".ppt" on multiple context mode.
Problem:
The user is trying to understand all options for routing to two different ASAs in active/active mode, which requires multiple context mode. He currently has a 4500E switch behind a single ASA 5520, and the default gateway that the 4500E advertises to his internal networks is the IP address of the 5520. He would like to replace the existing 5520 with two 5525-X ASAs and set them up in active/active mode.
Currently his 12 locations are terminated with fiber to the 4500E, and from there the default gateway is the existing single ASA. As he understands it, with the new design he has to run the ASAs in multiple context mode in order to do active/active failover and load balance between the two ASAs.
What the user does not want is to put a policy route on each incoming fiber port and policy-route traffic based on source IP. He thinks this would be a huge waste of resources and would complicate the setup on the 4500E. Is there any other way to accomplish this besides policy routing or a separate switch between the ASAs and the 4500E?
Solution:
Multiple context mode is most often used where the user has distinct security policies, often in multi-tenant (or distinct business unit) use of a given firewall. In such a case, Active-Active allows the load to be spread across the units while retaining redundancy.
Most installations I have seen use bigger firewalls to get more throughput. A few use VPN clustering or round-robin DNS for remote-access VPN gateways on the ASA platform. The few Active-Active setups I have come across have all had one of those use cases. The user is right that clustering does have a number of features that don't work in distributed mode.
The training ".ppt" referenced above is useful for understanding the multiple context feature on the ASA and all its related topics.
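To make the mechanism behind "multiple context mode for Active-Active" concrete, here is an added example of the system execution space configuration on the primary unit of a two-context pair; it is not from the original discussion or the training deck, and all interface names, VLAN numbers, context names and addresses are assumptions. Each context is joined to a failover group, and the two groups prefer different units, so the two contexts are processed on different physical ASAs while each still fails over to the other.

```cisco
! System execution space on the primary unit (names and addresses are assumed)
mode multiple
! Physical and VLAN subinterfaces must exist in the system space before
! they can be allocated to a context
interface GigabitEthernet0/0
  no shutdown
interface GigabitEthernet0/0.10
  vlan 10
interface GigabitEthernet0/0.20
  vlan 20
interface GigabitEthernet0/1
  no shutdown
interface GigabitEthernet0/1.10
  vlan 110
interface GigabitEthernet0/1.20
  vlan 120
! Failover LAN link; the same link is reused as the state link here
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Two failover groups: group 1 prefers the primary unit, group 2 the secondary.
! Contexts joined to different groups run on different units, which is what
! makes the pair Active-Active instead of Active-Standby.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
! The admin context is mandatory; it owns the management interface only
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
! One context per traffic half; each gets its own outside and inside VLAN
context siteA
  allocate-interface GigabitEthernet0/0.10
  allocate-interface GigabitEthernet0/1.10
  config-url disk0:/siteA.cfg
  join-failover-group 1
context siteB
  allocate-interface GigabitEthernet0/0.20
  allocate-interface GigabitEthernet0/1.20
  config-url disk0:/siteB.cfg
  join-failover-group 2
! Enable failover last, once groups and contexts are defined
failover
```

Each context presents its own inside address to the 4500E, so the load split is per context, not per flow: which internal subnets reach siteA and which reach siteB is decided by ordinary routing on the switch toward those two next hops.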
Source Discussion:
https://supportforums.cisco.com/discussion/12166261/asa-multiple-context-pre-routing