IPSec VPN in security Context... Shared interface or not ?

Olivier Jessel
Level 1

Hi,

I have at the moment an ASA5510 pair configured in Multiple Context mode. Everything is OK, but until now we have used only the ACL features.

Now I would be interested in configuring 2 contexts with IPsec VPNs, one VPN per context. But I cannot find any information on whether it would be possible to use a shared interface for both contexts. My wish would only be to save public IPs...

If I have to configure 100 VPNs in 100 contexts, do I need 100 public IPs ???

Thanks to everybody who can provide me with any tips,

Regards,

Olivier

CCIE #44658

Andrew Phirsov
Level 7

No, it won't be possible to share a public IP between contexts :) How do you think the ASA is going to classify which packet to send to which context in that case? You can use a shared interface, but not a shared IP on that interface. You can use the same IP on different subinterfaces (each of them assigned to a different context), but I don't think it'll help you.

Technically, I think you could use this public IP on some router, assign private IPs on each context and write PAT rules on the router to direct traffic to one context or another. You'll have to use IPsec over UDP or IPsec over TCP to accomplish this.

OK, thanks. I thought maybe it could classify IPsec packets based on the peer IP...

Well, I think that I have to use a separate subinterface and a separate public IP for each context. But then comes the question...

If I want to configure something like:

ISP Router: 1.1.1.10

eth0/0.11: ip = 1.1.1.1/24, assigned to context 1 (VLAN id ?)

eth0/0.22: ip = 1.1.1.2/24, assigned to context 2 (VLAN id ?)

I cannot put them in the same VLAN as my ISP router, or ???

CCIE #44658

Hi,

If you have separate IP addresses from the same subnet, you can attach those interfaces to different contexts.

You will only configure one subinterface with a certain VLAN ID that is connected to the ISP gateway. You can attach that subinterface to as many contexts as you want, but the IP address on the interface naturally has to be different in every context. To my knowledge the ASA will actually prevent you from configuring the IP address if it sees it in another context on the same subinterface.

- Jouni

OK, I think I see now the point you mean. I attach the same subinterface to each context, but give each context a different IP address. Well, if it works it would be great. OK, it means I cannot save public IPs, but at least I can save cables and devices.

Many thanks to you Jouni and to Andrew.

Regards,

Olivier

CCIE #44658

Jouni Forss
VIP Alumni

Hi,

At least, you can't use the same public IP address in 2 security contexts.

Notice though that the only IPsec VPN that you can configure in Multiple Security Context mode at the moment is a LAN-to-LAN VPN.

IPsec client VPN isn't supported in Multiple Context mode.

Depending on how your setup is in general, you could use a totally separate device to provide VPN connections of any type for the different security contexts.

- Jouni
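The layout Jouni describes above (one ISP-facing subinterface allocated to two contexts, each with its own address in the shared /24, each terminating its own LAN-to-LAN tunnel), written out as an added configuration sketch that is not from the original thread. The VLAN ID 11, the context names c1/c2, the config-url paths, the peer addresses in 203.0.113.0/24 and the ACL/object names are assumptions; the 1.1.1.x addresses come from the thread.

```cisco
! ---- System execution space ----
! One subinterface towards the ISP gateway; it will be shared by both contexts.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.11
 vlan 11
! Shared interfaces are classified by destination MAC/IP, so give each
! context its own MAC on the shared subinterface.
mac-address auto

context c1
 allocate-interface Ethernet0/0.11
 config-url disk0:/c1.cfg     ! assumed path
context c2
 allocate-interface Ethernet0/0.11
 config-url disk0:/c2.cfg     ! assumed path

! ---- Context c1 (disk0:/c1.cfg) ----
interface Ethernet0/0.11
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0     ! unique per context, same subnet
route outside 0.0.0.0 0.0.0.0 1.1.1.10
access-list VPN_C1 extended permit ip 10.1.0.0 255.255.0.0 10.100.0.0 255.255.0.0
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUT_MAP 10 match address VPN_C1
crypto map OUT_MAP 10 set peer 203.0.113.50        ! assumed remote peer
crypto map OUT_MAP 10 set ikev1 transform-set TS
crypto map OUT_MAP interface outside
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key <PSK-C1-PLACEHOLDER>

! ---- Context c2 (disk0:/c2.cfg) ----
interface Ethernet0/0.11
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0     ! 1.1.1.1 would be rejected here
route outside 0.0.0.0 0.0.0.0 1.1.1.10
! ... same L2L pattern as c1, with its own ACL, peer and pre-shared key
```

Each context only ever sees IKE/ESP addressed to its own 1.1.1.x address, which is why the public IP cannot be shared and why a remote-access (client) VPN, which the thread notes is unsupported in multiple-context mode, does not fit this model.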