cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

VPN on Cisco 5520

TGF_Cisco
Beginner
Beginner

hello

What are the possibilities that exist for running a site to site vpn in our environment with the following infrastructure

Cisco ASA 5520 - running on a multiple context mode

Cisco 3750 switches

Microsoft TMG

I beleive these options are limited in terms of providing end point for VPN.                 

Is there a VPN module that we can buy for 5520 to run IPSEC VPN?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Jouni Forss
Mentor
Mentor

Hi,

Well if you are willing to update the ASA to 9.x software level (which might easily be a deal breaker in some cases) then you are able to use L2L VPN even in Multiple Context Mode

VPN Client, however, is still NOT possible in Multiple Context Mode

Multiple   Context Mode Features

Site-to-Site VPN in multiple   context mode

Site-to-site VPN tunnels are   now supported in multiple context mode.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html

Found in the New Feature section

There ASA naturally doesnt need any module to be able to do IPsec VPN. The limitation in your case comes from the fact that you are running the ASA model in Multiple Context mode and probably with an older software. As I mention above, with the newer software levels, Cisco added support for L2L VPN even in Multiple Context mode.

For many people doing software jump from older to the very new will become troublesome since when updating from 8.2 to 8.3 or anything newer the NAT configuration will change completely and along with it the ACL format also a bit.

In some cases the software upgrade might also require RAM memory update to the device since the new softwares of 8.3 and above require more memory from the ASA unit.

- Jouni

View solution in original post

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

All ASAs have an onboard VPN-module, so there is nothing you need to buy. But you need at minimum the software version 9.0 where site-to-site VPNs were introduced to multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890

Remote-Access VPNs are still not supported in multiple context.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

2 REPLIES 2

Jouni Forss
Mentor
Mentor

Hi,

Well if you are willing to update the ASA to 9.x software level (which might easily be a deal breaker in some cases) then you are able to use L2L VPN even in Multiple Context Mode

VPN Client, however, is still NOT possible in Multiple Context Mode

Multiple   Context Mode Features

Site-to-Site VPN in multiple   context mode

Site-to-site VPN tunnels are   now supported in multiple context mode.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html

Found in the New Feature section

There ASA naturally doesnt need any module to be able to do IPsec VPN. The limitation in your case comes from the fact that you are running the ASA model in Multiple Context mode and probably with an older software. As I mention above, with the newer software levels, Cisco added support for L2L VPN even in Multiple Context mode.

For many people doing software jump from older to the very new will become troublesome since when updating from 8.2 to 8.3 or anything newer the NAT configuration will change completely and along with it the ACL format also a bit.

In some cases the software upgrade might also require RAM memory update to the device since the new softwares of 8.3 and above require more memory from the ASA unit.

- Jouni

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

All ASAs have an onboard VPN-module, so there is nothing you need to buy. But you need at minimum the software version 9.0 where site-to-site VPNs were introduced to multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890

Remote-Access VPNs are still not supported in multiple context.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: