Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4987
Views
0
Helpful
7
Replies

ASA Multiple Contexts with Dual ISP's

bjames
Level 5
Level 5

‎04-11-2011 09:49 AM - edited ‎03-11-2019 01:19 PM

Hi,

I was wondering with a single ASA is there a way to have multiple contexts use a dual ISP? For example context A has an inside and an outside(A) with another outside(B) for failover. Context B has and inside, and outside (B) and another outside (A) for failover.

If this is possible with one firewall could someone point me to the design guides for it.

Thanks in advance,

Bob James

Labels:
0 Helpful
7 Replies 7

brquinn
Level 1
Level 1

‎04-12-2011 12:57 PM

Bob,

Unfortunately, routing protocols and SLA Monitoring are all not supported in multiple context mode. Your best option is putting a router outside the ASA.

Thanks,

Brendan

0 Helpful

bjames
Level 5
Level 5
In response to brquinn

‎04-12-2011 05:28 PM

I don't need routing other than statics, but are you saying you cannot share an outside interface across contexts?

If so, if I had two IP's from each ISP could I assign three interfaces per contexts two outside (one to each ISP) and one inside for each network; does it matter that the outside IP's in each context will be on the same subnet?

If not then the only thing I would have to watch for is proxy arp.

Thanks

Bob James

0 Helpful

jubetz
Level 1
Level 1
In response to bjames

‎04-12-2011 07:43 PM

You should be able to do what you are describing. No design guide specifically for that. It's just two outside interfaces on the same subnet. Things get slightly more complicated if you want to use the same physical(or sub) interface across multiple contexts.

Sent from Cisco Technical Support iPhone App

0 Helpful

brquinn
Level 1
Level 1
In response to jubetz

‎04-13-2011 07:06 AM

Bob,

Just to clarify a bit here... Yes, you can share an interface across multiple contexts. Yes, the interfaces in each context can be on the same subnet. But to what end? If you only have static routes, there is no failure mechanism to switch your traffic from ISP1 to ISP2. You would have to manually change the default route in the event of a failure.

The only exception would be if the physical interface went down and you had a backup route in place. Only then would the traffic automatically be sent through the backup ISP.

I hope this helps.

Thanks,

Brendan

0 Helpful

bjames
Level 5
Level 5
In response to brquinn

‎04-13-2011 07:19 AM

Brendan,

I must be missing something here; if I can have multiple interfaces in contexts with Dual ISP's unless the IOS prohibits it why can I not setup the tracking (IP SLA) feature with the dual ISP's and have the default route fail-over to the other ISP in the event that the path to a destination on the Internet that I set goes away?

I've built this many many times, just none using multiple contexts....

Confused...

Bob James

0 Helpful

brquinn
Level 1
Level 1
In response to bjames

‎04-13-2011 07:25 AM

Bob,

According to the command reference, the feature is just not supported in multiple context mode. I don't know exactly why this limitation exists, but it does. :-(

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1557524

Thanks,

Brendan

0 Helpful

Bratin Saha
Level 1
Level 1

‎12-01-2015 08:47 PM

ENH CSCug56848 has been filed on the same - SLA Monitoring support in Multi-Context Mode.

regards,

Bratin Saha

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card