ASA multi-context logging
If I want logging for the "internet" facing context on an ASA, do I have to configure logging on that context, or will the logging on the admin or system context also send logs for the other context?
Logging must be configured separately in each "customer" (non-system, non-admin) context from which you want to receive syslog messages about its activity.
The admin context can send syslog messages related to its own and the system context status.
These items and more are covered in this Configuration Guide section.
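As an added illustration of the answer above (constructed here, not taken from the post or the Cisco guide), the same collector configured in the admin context and in a customer context; 192.0.2.10 and the context and interface names are assumptions. Each context needs its own logging statements, and tagging messages with the context name lets the collector tell them apart.

```text
! Added example. Assumptions: contexts "admin" and "internet",
! nameifs "management" and "inside", collector 192.0.2.10.

! The system execution space has no interfaces of its own; messages it
! generates leave through the admin context, so it needs no logging host.

changeto context admin
logging enable
logging timestamp
! tag every message with the originating context ("admin")
logging device-id context-name
logging trap informational
logging host management 192.0.2.10

! The customer context must be configured separately; without these lines
! nothing about its traffic ever reaches the collector.
changeto context internet
logging enable
logging timestamp
! messages from this context arrive tagged "internet"
logging device-id context-name
logging trap informational
logging host inside 192.0.2.10

! Verify from inside each context:
! show logging
```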
Similar Messages
-
BVI doesn't show up in multi context ASA
I have an ASA 5585 in transparent mode, multi-context. It seems that the option to configure a BVI in one of the traffic contexts isn't there. In other words, while I see the option to configure a bridge group interface in the admin context, no such option comes up in the traffic context.
ciscoasa/admin(config)# interface ?
configure mode commands/options:
BVI Bridge-Group Virtual Interface
Management Prefix of interface Management0/0
ciscoasa/admin(config)#
ciscoasa/admin(config)# changeto context dmz
ciscoasa/dmz(config)#
ciscoasa/dmz(config)# interface ?
configure mode commands/options:
Port-channel Prefix of interface Port-channel30.411, 30.412, 30.413, 30.414
ciscoasa/dmz(config)#
I thought that maybe I need to first allocate BVI interface(s) in the system context (in order to see them in the traffic context), but that doesn't seem to be an option either.
ciscoasa/dmz(config)# ch system
ciscoasa(config)# interface ?
configure mode commands/options:
GigabitEthernet GigabitEthernet IEEE 802.3z
Management Management interface
Port-channel Ethernet Channel of interfaces
Redundant Redundant Interface
TenGigabitEthernet Ten GigabitEthernet
<cr>
ciscoasa(config)#
Has anyone seen this or know what the issue is? Thanks.
I think I figured it out. It seems that when you create a context, it is created in routed mode by default. So you have to explicitly go in and change it to transparent mode. Then the BVI interface shows up, of course.
-
When I try to add a multi-context ASA to MARS, I get an error:
Error occured during PIX multicontext discovery. More detailed info may be available under View Error button of individual context devices.
If you can not find detailed error info, please make sure 'hostname.domain-name' for each context device is unique"
So does this mean I should change the host name of each context in the ASA to be different in order to add it to MARS?
thank you,
Duyen
Hi duyendaica,
I'll try to answer: maybe you just need to add the domain-name configuration in every context, not change the hostname.
Thanks -
Hello All
I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup vpn solution.
I need some assistance/guidance in configuring the cellular radio and configuring the VPN (dynamic IP) to work over the WWAN.
Countries involved are France, Spain, Australia, Thailand and Malaysia.
I understand that I will need the APN credentials from the service provider. Is this normally the same for 3G and 4G?
Do I get chat scripts from them too?
My VPN gateway in the HQ is a Cisco multi-context ASA, so I can't configure remote access as it's not supported yet. Can I possibly use the 1921 router (4G LTE HWIC installed) at the sites as a hardware client?
I have seen the following URLs. One has the 3G router as a "remote access" VPN, but I guess this won't work in my scenario.
The other is between an IOS router and an ASA, which I think will work. I don't need NAT on the 3G/4G router as all traffic will be using the VPN.
http://www.networking-forum.com/blog/?p=708
Will I need this for all the sub-interfaces I configure on the router?
interface Vlan1
description LAN
ip address 10.0.0.14 255.255.255.240
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside <--is this needed per interface????
Remote access reference in config:
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
nem enable
tunnel-group 3GRAGroup type remote-access <---Remote access config
tunnel-group 3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group 3GRAGroup ipsec-attributes
pre-shared-key **Same key as the ASA profile on the 881**
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
Anyone got a helpful configuration and guide?
Thanks
Feisal -
ASA X-series firewalls difference & multi context features
Does anyone have a quick guide to show the feature differences between the X and regular ASA series firewalls?
And does this still hold true WRT multi-context ASA in the X-series?
No multi-context.....
- If you need to provide VPN services such as remote access or site-to-site VPN tunnels.
- If you need to use dynamic routing protocols. With multiple context mode, you can use only static routes.
- If you need to use QoS.
- If you need to support multicast routing.
- If you need to provide Threat Detection.
tia,
Will
A few changes in the new ASA version 9.0 (supported on both the ASA and ASA-X series):
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
In multiple context mode, it does support the following:
- Site to site VPN tunnels only.
- Dynamic routing protocols: EIGRP and OSPFv2 only.
- QoS is not supported.
- Multicast routing is not supported.
- Threat Detection is not supported.
Here is the unsupported feature list for multiple context mode as of Version 9.0:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_contexts.html#wp1382237 -
Multi Context IPSec VPN limitations
Hello,
We are looking to deploy multi-context IPSec LAN-to-LAN VPNs on ASA 9.x now that the functionality is available, and I'm trying to understand if there are limitations to the number of tunnels that can be deployed per context. The link below may seem to indicate that there is a limit of 5 "IPSec sessions" per context, but I can't see any reference to such a limitation anywhere else.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1147166
Does anybody know if there is a hard limit of number of IPSec connections per context or is it down to the general capabilities of the hardware (i.e. we're looking initially to deploy on 5520 so we'd get a throughput capability of 225Mb based on the datasheet -obviously depending on crypto parameters)?
Thanks
Hey, found the updated document:
http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181
Ok, this is the real document:
By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.
vpn burst other
  Rate or concurrent: Concurrent
  Minimum and maximum number per context: N/A
  System limit: The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.
  Description: The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn other
  Rate or concurrent: Concurrent
  Minimum and maximum number per context: N/A
  System limit: See the "Supported Feature Licenses Per Model" section in the CLI configuration guide for the Other VPN sessions available for your model.
  Description: Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.
Value our effort and rate the assistance! -
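The resource table in the reply above only describes the two pools; as an added example (constructed here, not from the reply or the Cisco guide), this is what allocating them looks like in the system execution space for a model licensed for 5000 Other VPN sessions. Class and context names are assumptions, and the contexts' other settings are omitted.

```text
! Added example. Assumptions: 5000-session "Other VPN" license,
! class "vpn-guaranteed", contexts "cust-a" and "cust-b".

! Guaranteed pool. "vpn other" cannot be oversubscribed: each member
! context gets its own 2000, so two members consume 4000 of the 5000
! model limit and 1000 remain for bursting.
class vpn-guaranteed
  limit-resource vpn other 2000
  limit-resource vpn burst other 500

! Both contexts may burst up to 500 beyond their guarantee, but the burst
! pool is shared first-come, first-served, so in a worst case one of them
! gets fewer than 500 when the other is already using the remaining 1000.
context cust-a
  member vpn-guaranteed
context cust-b
  member vpn-guaranteed

! A context left in the default class gets no site-to-site tunnels at all:
! VPN resources are disabled (0) until a class explicitly grants them.

! Verify the assignment and current consumption per context:
! show resource allocation
! show resource usage context cust-a
```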
IfSpeed and ASA security context config
If the "system" context of a multi-context ASA has per-interface config set to a specific speed, say 10Mbit on a 1Gbit interface, I see the interface is reported as 10Mbit in ifSpeed. But does the config only impact the management aspect, or does it throttle the interface down to 10Mbit as well?
What if you do the calculation manually using the delta values polled from SNMP and the value of ifSpeed? What is the port speed of the upstream switch? Perhaps the port is really negotiated at a higher speed than what the context is reporting. -
Multi-context active-active etherchannel failover
Hi All,
Is there a way to monitor individual interfaces on a box doing multicontext etherchannel failover?
I can understand on an individual box you can add monitor-interface to the physical interface, but in multi context mode, there is only one interface (the logical etherchannel subinterface) pushed through from the system context to each of the other contexts. I've been looking around and can't work out how to get a context failover to fail if only one of the etherchannel fails.
If the other box has more active etherchannels then that's the one I want active, but can't see it at the moment.
Possibly missed something somewhere. Any ideas?
Thanks,
Gaz
monitor-interface will only work on "named" interfaces. So, what you are looking to do is not possible.
The member interfaces on a port-channel will not have "nameif" associated with them.
-Kureli -
Logging of FWSM context logs to two different zone SYSLOG SERVER
Hello Sat Shri Akal,
Can anyone help me with logging of FWSM context logs to two different zone SYSLOG SERVER and SYSLOG Collector
in CSM 3.2.2? I am able to get logs from the Admin context but not from my other context of the FWSM. Otherwise that context is sending syslogs to ONE syslog server in a similar VLAN, but why is that particular context not able to log to any syslog collector of CSM, which is receiving logs from the admin context? Please help me in this case.
regards
Pradeep,
All contexts should be able to reach the CSM server's IP address just like the admin context.
The individual contexts should be configured to send logs to the CSM server's IP address.
From CSM go under each context and add management IP address for the particular context.
Once the above is done you will see logs from all the contexts under CSM.
-Kureli -
Adding FWSM multi context in CSM
Hi friends,
Just wanted to know that when adding FWSM multi-context in CSM 3.1, do I need to add all contexts separately in CSM or will just adding the admin context do the needful?
It seems to me that all security policies (ACLs) appear in CSM only after I import each context individually. But I have 22.
Just wanted to know if it is possible to add it in an easier way.
Thanks and Regards
Gautam
Hi, I have a similar problem: I have two contexts and the system context. The CSM uses ACS to authenticate the devices; when I try to add the device, the CSM tells me that it isn't authorized, but if I configure it in the ACS as a client, the CSM still tells me that the device isn't authorized. I think that I need to add the system context as an AAA client also, but this context hasn't an IP address by definition. How can I solve the problem?
Regards
Sergio -
Will up coming 9.0 release support multicast in multi-context mode?
I understand that in 8.4 multicast is not supported in multi-context mode. How about the up-and-coming release of 9.0?
No, multicast is still not supported on multi context mode in the upcoming 9.0 release.
However, IPSec LAN-to-LAN VPN is supported on multi context mode. -
ASA in multi context mode and AAA based on context
Hello, running an ASA5520 in multi-context mode, and I would like to apply AAA in separate contexts; e.g. contexts A and B should have AAA authentication and context C not.
I am familiar with how to set up AAA in single firewall mode but not sure about the correct procedure when setting up AAA in multi-context mode.
Is it possible to configure individual contexts for AAA?
Thanks
Hi,
Yes, it is possible to set up AAA in individual contexts. The procedure is going to be exactly the same as when the firewall is in single context mode.
Just be careful while configuring command authorization on a firewall in multiple context.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1060011
Hope it helps.
Thanks,
Amitashwa -
Smart call-home setup in ASA with contexts
Hello,
I have a problem configuring Smart call home service in an ASA 5500 having contexts.
The DNS config is available on the contexts; however, the service is enabled on the system.
At the moment, following all of Cisco's documentation, it seems it doesn't work.
Any suggestion?
Thanks.
Notis
Let's separate what the Cisco back-end can process and what the end device can do. What your document above indicates is, "What call home messages can the Cisco backend evaluate, and what processed call home messages will raise a TAC case automatically?" The Call Home process on the end device sends Call Home messages to the Cisco backend (aka Smart Call Home) from many sources or triggers. When it says "Alarm type" in the document, it means the source or trigger for the Call Home message.
But the ASA supports adding syslog matching patterns to the alert group syslog. But it still triggers the same call home message containing "show log" and "show inventory". You can also rate limit the call home messages triggered via syslog with the rate-limit command.
subscribe-to-alert-group syslog [severity {catastrophic | disaster | fatal | critical | major | minor | warning | notification | normal | debugging} [pattern string]]
Remember that a profile specifies the transport method and alert group selection. And that multiple profiles can be configured on the device at the same time.
When you want human-readable call home messages, you use the long text message format in the profile. On the other hand, the Cisco backend requires Call Home messages in a certain format (XML), hence the CiscoTAC-1 restrictive profile. Typically people will copy the CiscoTAC-1 profile into a new unrestrictive profile and then add an additional email address besides [email protected] so they, too, can see the "unprocessed" call home messages.
Of course, after the Cisco backend processes one of these Call Home messages, depending on the Call Home message, it sends a notification email to the admin for the device telling them it processed a message. -
Support IPSec VPN Client in ASA Multiple Context Mode
I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
"IPsec sessions—5 sessions. (The maximum per context.)". Does it mean ASA Multiple Context Mode supports the IPSec VPN Client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'll appreciate anyone who can clarify it.
Thanks, Jason.
(Please direct me to the right group if I'm not in it, as this is the first time I post in the Cisco support forum.)
This is from the v9.3 config guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.) -
Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode
Dear Experts,
Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.
Hi,
Check out this document for the information
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
It lists the following for software level 9.0(1):
Multiple Context Mode Features
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
I don't think it's related to the hardware model of the ASA, other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
Hope this helps
- Jouni