02-18-2013 05:10 AM - edited 02-21-2020 06:42 PM
Hi,
I have at the moment an ASA5510 pair in Multiple Context configured. Everything is ok, but until now we use only ACL features.
Now I would be interested in configuring 2 contexts, with IPSec VPNs. One VPN per context. But I cannot find any information if it would be possible to use a shared interface for both contexts. My wish would only be to spare public IPs...
If I have to configure 100 VPNs in 100 contexts, do I need 100 public IPs ???
Thanks to everybody who can provide me any tip,
Regards,
Olivier
02-18-2013 07:13 AM
Hi,
If you have separate IP addresses from the same subnet you can attach those interfaces to different contexts
You will only configure one sub interface with a certain Vlan ID that is connected to the ISP gateway. You can attach that subinterface to as many Contexts as you want but the IP address on the interface naturally has to be different in every Context. To my knowledge ASA will actually prevent you from configuring the IP address if it sees it in another context in the same subinterface.
- Jouni
02-18-2013 05:34 AM
No, it won't be possible to share a public IP between contexts. How do you think the ASA is gonna classify which packet to send to which context in that case? You can use a shared interface, but not a shared IP on that interface. You can use the same IP on different subinterfaces (each of them assigned to a different context) but I don't think it'll help you.
Technically, I think you could use this public IP on some router, assign private IPs on each context and write PAT rules on the router to direct traffic to one context or another. You'll have to use ipsec-over-udp or ipsec-over-tcp to accomplish this.
02-18-2013 07:09 AM
Ok Thanks, I thought maybe it could classify IPSec packets regarding the peer IP...
Well, I think that I have to use a separate subinterface and a separate public IP for each context. But then comes the question...
If I wanna configure something like:
ISP Router: 1.1.1.10
eth0/0.11: ip = 1.1.1.1 /24, assigned to context 1 (vlan id ?)
eth0/0.22: ip = 1.1.1.2 /24, assigned to context 2 (vlan id ?)
I cannot put them in the same vlan as my ISP router, or ???
02-18-2013 07:21 AM
OK I think I see now the point you mean. I attach the same subinterface to each context, but I give for each context a different IP address. Well, if it works it would be great. OK it means I cannot spare public IPs but at least I can spare cables and devices
Many thanks to you Jouni and to Andrew.
Regards,
Olivier
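Putting Jouni's answer and Olivier's addressing plan into configuration, as an added example that is not from the thread: one subinterface toward the ISP VLAN is allocated to both contexts, and each context puts its own address on it. Context names, the VLAN ID, the config-url file names and the mapped interface name `outside` are assumptions.

```cisco
! --- System execution space ---
! One subinterface toward the ISP VLAN (VLAN 11 is assumed), shared by both contexts.
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.11
 vlan 11
!
! Give each context its own MAC on the shared subinterface so the classifier
! can steer returning packets (the IPsec peer traffic included) to the right context.
mac-address auto
!
context ctx1
 allocate-interface Ethernet0/0.11 outside
 config-url disk0:/ctx1.cfg
!
context ctx2
 allocate-interface Ethernet0/0.11 outside
 config-url disk0:/ctx2.cfg
!
! --- Inside context ctx1 (changeto context ctx1) ---
interface outside
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.10
!
! --- Inside context ctx2 (changeto context ctx2) ---
! The address must differ from ctx1; the ASA rejects a duplicate on the same subinterface.
interface outside
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.10
```

Each context's LAN-to-LAN crypto map is then bound to its own `outside` interface, so 1.1.1.1 and 1.1.1.2 are the two VPN peer addresses seen by the ISP router at 1.1.1.10.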
02-18-2013 05:36 AM
Hi,
You can't at least use the same Public IP address in 2 Security Contexts.
Notice though that the only IPsec VPN that you can configure in Multiple Security Context mode at the moment is a LAN to LAN VPN.
IPsec Client VPN isn't supported in Multiple Context mode.
Depending on how your setup is in general you could use a totally separate device to provide VPN connections of any type for the different Security Contexts
- Jouni