05-01-2016 07:37 AM - edited 02-21-2020 08:47 PM
Hi.
I am new to implementing ASA for remote-access VPN.
I am planning to create two contexts.
One context for Remote access VPN Termination
One context for Firewalling other services in the network.
I came across the documentation that Multiple-context mode does not support some features including VPN.
Can somebody confirm this?
thanks
Unsupported Features
Multiple context mode does not support the following features:
05-01-2016 08:34 AM
For ASA software version 9.0 that is correct. It cannot be done.
However, remote access VPN support for multiple context ASA was added in ASA software version 9.5(2) ca. November 2015.
See the release notes:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#pgfId-155850
...and configuration guide section:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-anyconnect.html
There are a few caveats at this time:
1. AnyConnect Apex licensing is required.
2. Only client-based AnyConnect is supported. (no clientless SSL VPN)
3. The ASA-based web portal for initial login and AnyConnect detection / installation is not supported. So you have to distribute the AnyConnect client software initially outside of the ASA-based method. You can push updates to AnyConnect clients from the ASA if they already have an earlier version.
Generally it would not make sense to make a separate context just for remote access VPN given these constraints. Separate contexts are normally created for administrative separation of multiple tenants or other such situations where you have significantly different security and routing policies and only a single ASA (or HA pair) to work with.
A more common solution where it is desired to separate the VPN functions is to put in a separate (and generally much smaller given the anticipated workload) ASA just for VPN. That way VPN policies are completely implemented there and you have no restrictions on feature support.
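As an added illustration of the version threshold and caveats described in the reply above (example code, not from the thread or from Cisco): a small checker that parses the release string from ASA `show version` output, reads the context mode from `show mode`, and reports whether AnyConnect remote-access VPN can be configured in multiple-context mode on that box. The sample command outputs embedded below are constructed, and the minimum release is taken from the reply (9.5(2)).

```python
import re

# Minimum ASA release with AnyConnect remote-access VPN support in multiple-context
# mode, per the reply above: 9.5(2). Tuple form: (major, minor, maintenance, interim).
MIN_MULTI_CONTEXT_RA_VPN = (9, 5, 2, 0)

# Caveats listed in the reply that still apply once the release is new enough.
MULTI_CONTEXT_RA_VPN_CAVEATS = (
    "AnyConnect Apex licensing is required",
    "only client-based AnyConnect (no clientless SSL VPN)",
    "no ASA web portal for initial AnyConnect detection/installation",
)

# ASA releases look like 9.0(4), 9.5(2) or 9.5(2)3 (major.minor(maintenance)interim).
_VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)(?:\((\d+)\))?(\d+)?")
_MODE_RE = re.compile(r"Security context mode:\s*(single|multiple)", re.IGNORECASE)


def parse_asa_version(show_version_output):
    """Return the ASA release from 'show version' text as a comparable 4-tuple."""
    m = _VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no ASA software version found in output")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint or 0), int(interim or 0))


def parse_context_mode(show_mode_output):
    """Return 'single' or 'multiple' from 'show mode' text."""
    m = _MODE_RE.search(show_mode_output)
    if not m:
        raise ValueError("no security context mode found in output")
    return m.group(1).lower()


def assess_multi_context_ra_vpn(show_version_output, show_mode_output):
    """Decide whether remote-access VPN can be terminated in a context on this ASA."""
    version = parse_asa_version(show_version_output)
    mode = parse_context_mode(show_mode_output)
    if mode == "single":
        return {"version": version, "mode": mode, "supported": True, "caveats": ()}
    supported = version >= MIN_MULTI_CONTEXT_RA_VPN
    return {"version": version, "mode": mode, "supported": supported,
            "caveats": MULTI_CONTEXT_RA_VPN_CAVEATS if supported else ()}


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample_version = "Cisco Adaptive Security Appliance Software Version 9.5(2)3\n"
    sample_mode = "Security context mode: multiple\n"
    print(assess_multi_context_ra_vpn(sample_version, sample_mode))
```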
01-02-2017 11:19 PM
Marvin,
What are possible options if a customer wants to be able to use VPNs to the datacenter?
An ASA 5585-X?
An ASAv?
Or the FP 4100 or FP 9300?
I am not sure if all these products are either a good fit or support the VPN.
Thanks
Ron
01-03-2017 01:36 AM
What type of VPN are you looking at?
For remote access I usually recommend putting a smaller ASA (5516-X or 5525-X) in for just that purpose.
For site-site, it depends on the bandwidth required. If you need something on the order of multiple gigabits per second of site-site VPN then the best fit would usually be a FirePOWER 4100 series (with the ASA image).
ASAv would be for lower end bandwidth requirements and would be predicated upon having a virtualization environment at the right place architecturally.
01-03-2017 01:36 AM
Well, I understand it makes sense to use a separate VPN box, but in this case we want to invest as little as possible. I just wondered if either the ASAv would be an option for the AnyConnect clients, or the datacenter NGFW.
Although the ASAv would be used mainly for east/west traffic within the ESX environment.