Configure subinterfaces on a multiple context ASA.
Hello,
I was just confused. When do we need to configure subinterfaces on a multiple context ASA?
thanks
Whenever you need to trunk to a switch and have more than the limit of physical interfaces. For instance, an ASA 5510 allows you to have 100 VLAN interfaces.
Whenever you need to set up more than one DMZ.
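As an added example, not code from either reply above, here is what that looks like on an ASA in multiple context mode (interface names, VLAN IDs, addresses and context names are assumptions). The VLAN subinterfaces are created and tagged in the system execution space; each context only ever sees the names it was allocated, so a tenant admin cannot reach a VLAN that was never handed to their context.

```cisco
! Added example, not from the original thread. Names, VLAN IDs, addresses and
! context names are assumptions.

! --- System execution space ---
! One physical trunk to the switch carries every firewall VLAN.
interface GigabitEthernet0/1
 no shutdown
!
! One tagged subinterface per firewall leg. The VLAN tag is set here, never
! inside a context.
interface GigabitEthernet0/1.10
 vlan 10
!
interface GigabitEthernet0/1.20
 vlan 20
!
interface GigabitEthernet0/1.30
 vlan 30
!
interface GigabitEthernet0/1.40
 vlan 40
!
! Allocate only the subinterfaces each context is entitled to. With a mapped
! name and "invisible" the context administrator does not see the physical
! interface ID, and has no way to touch VLANs that were not allocated.
context TENANT-A
 allocate-interface GigabitEthernet0/1.10 outside invisible
 allocate-interface GigabitEthernet0/1.20 inside invisible
 allocate-interface GigabitEthernet0/1.30 dmz invisible
 config-url disk0:/tenant-a.cfg
!
context TENANT-B
 allocate-interface GigabitEthernet0/1.10 outside invisible
 allocate-interface GigabitEthernet0/1.40 inside invisible
 config-url disk0:/tenant-b.cfg
!
! VLAN 10 is shared by both contexts as their outside leg. A shared interface
! needs a distinct MAC per context so the classifier can hand ingress frames
! to the right context; let the ASA generate them.
mac-address auto
!
! --- Inside context TENANT-A (changeto context TENANT-A) ---
! The context configures the mapped names only; the VLAN tag is inherited.
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
!
interface inside
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface dmz
 nameif dmz
 security-level 50
 ip address 10.30.0.1 255.255.255.0
!
! --- Switch side (IOS, assumed port and native VLAN) ---
! Trunk only the firewall VLANs and keep the native VLAN off the allowed
! list, so an untagged frame can never land in a firewall leg.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
```

To check the result: show context in the system space lists the interfaces each context owns, and show interface ip brief inside TENANT-A should show only outside, inside and dmz. The VLAN limit in the licence is counted across all contexts, which is why the 100-VLAN figure above matters on a shared box.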
Similar Messages
-
Support IPSec VPN Client in ASA Multiple Context Mode
I've looked under "Cisco ASA Series CLI Configuration Guide, 9.0", "Configuring Multiple Context Mode", and it says
"IPsec sessions—5 sessions. (The maximum per context.)". Does that mean that ASA multiple context mode supports the IPsec VPN client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'll appreciate anyone who can clarify it.
Thanks, Jason.
(Please direct me to the right group if this is not it; this is the first time I post in the Cisco support forum.)
This is from the v9.3 config guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.) -
ASA 5512-X version 9.1 multiple contextes supported?
Hi All,
Could someone please let me know if virtual contexts are supported on the ASA 5512-X with version 9.1?
I found different information on the Cisco web: the ASA datasheet says it is supported, but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
thanks in advance
Best Regards
Frank
Hi,
You find the information in the ASA Configuration Guide section "Licensing Requirements for Multiple Context Mode":
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Licensing Requirements for Multiple Context Mode
ASA 5512-X No support.
Best Regards
Frank -
Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode
Dear Experts,
Would like to know whether dynamic routing protocols are supported in Cisco ASA firewall multiple context mode. If yes, please provide the OS version and hardware model of the Cisco ASA firewall. Appreciate a quick response. Thanks.
Hi,
Check out this document for the information
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
It lists the following for software level 9.0(1):
Multiple Context Mode Features
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
Hope this helps
- Jouni -
Hello All
I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup vpn solution.
I need some assistance/guidance in configuring the cellular radio and configuring the VPN (dynamic IP) to work over the WWAN.
Countries involved are France, Spain, Australia, Thailand and Malaysia.
I understand that I will need the APN credentials from the service provider. Is this normally the same for 3g and 4g?
Do I get chat scripts from them too?
My VPN gateway in the HQ is a Cisco multi-context ASA, so I can't configure remote access as it's not supported yet. Can I possibly use the 1921 router (4G LTE HWIC installed) at the sites as a hardware client?
I have seen the following urls. One has the 3g router as a "remote access" vpn but I guess this won't work in my scenario.
The other is between an IOS router and an ASA, which I think will work. I don't need NAT on the 3G/4G router as all traffic will be using the VPN.
http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router
interface Vlan1
description LAN
ip address 10.0.0.14 255.255.255.240
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside <--is this needed per interface????
Remote access reference in config:
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
nem enable
tunnel-group 3GRAGroup type remote-access <---Remote access config
tunnel-group 3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group 3GRAGroup ipsec-attributes
pre-shared-key **Same key as the ASA profile on the 881**
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
Anyone got a helpful configuration and guide?
Thanks
Feisal -
ASA5540 in multiple-context SNMP/icmp doesn´t work
Hi there,
I need some help in order to understand what's going on with an ASA 5540 configured in multiple-context mode.
I have a Cacti server on my LAN and now I'm trying to monitor the interfaces with SNMP. When I try to get this information, it returns the error message:
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping, it returns the same error:
CISCOASA/CONTEXTA#
JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Attached is the configuration of my ASA.
My question is: why can't I ping or even use SNMP?
If anyone could help me with a tip or a document about it...
My best regards
Adriano
CISCOASA/CONTEXT# packet-tracer input inside icmp 10.132.0.25 8 0 10.6.72.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.6.72.2 255.255.255.255 identity
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in IP_SRV_HSLCACTIP01 255.255.255.255 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 453866627, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 22196
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Route information:
route inside 10.132.0.0 255.255.252.0 10.6.72.1 1
route inside IP_SRV_HSLCACTIP01 255.255.255.255 10.6.72.1 1
CISCOASA/CONTEXT# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.206.50.233 to network 0.0.0.0
C 200.206.50.232 255.255.255.248 is directly connected, outside
S 10.132.0.0 255.255.252.0 [1/0] via 10.6.72.1, inside
S IP_SRV_HSLCACTIP01 255.255.255.255 [1/0] via 10.6.72.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 200.206.50.233, outside
Regards, -
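The thread has no answer, so here, as an added example that is not part of the original post, is how to read that drop. %ASA-1-106021 is the unicast reverse path check (the message ID in the post looks mistyped): for a packet arriving on inside, the ASA looks up the source address in the routing table and drops the packet if the best route does not point back out of inside. The show route output above has no route covering 10.6.6.6 other than the default via outside, so the check fails, for ICMP and SNMP alike. The packet-tracer looked clean only because it was run with a source (10.132.0.25) that does have an inside route. The 10.6.6.0/24 prefix and the 10.6.72.1 next hop are assumptions; the destination 10.6.72.2 is the ASA's own inside address from the original trace.

```cisco
! Added example, not from the original thread. 10.6.6.0/24 is an assumed
! prefix; use the real subnet of the polling/pinging host.

! 1. Reproduce with the real source. Tracing from 10.132.0.25 succeeds only
!    because 10.132.0.0/22 already has a static route via inside.
packet-tracer input inside icmp 10.6.6.6 8 0 10.6.72.2 detailed

! 2. Confirm the cause: no inside route matches the source, only the default
!    via outside, and reverse path check is enabled on inside.
show route | include 10.6.6
show running-config | include reverse-path

! 3. Fix: give the source network a route that points back out of inside.
!    This keeps anti-spoofing on; it is the right fix whenever the source
!    really lives behind the inside gateway.
route inside 10.6.6.0 255.255.255.0 10.6.72.1 1

! 4. Re-run the trace; the packet is now accepted and the source is routable
!    back through inside, so SNMP replies and ICMP work.
packet-tracer input inside icmp 10.6.6.6 8 0 10.6.72.2 detailed

! Only if routing is genuinely asymmetric and the source can never be routed
! via inside should the check be dropped on that interface. This removes
! spoofed-source protection for everything arriving on inside, so prefer
! step 3 and keep this line commented out.
! no ip verify reverse-path interface inside
```

In multiple context mode this is all done inside the context that owns the interface; the system execution space has no routing table of its own for data traffic.
-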
Remote Access VPN Support in Multiple Context Mode (9.1(2))?
Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new OS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
Leon
Hey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis -
Explain about transparent mode, single mode, multiple context mode
Can you explain the differences between transparent mode, single mode and multiple context mode on the ASA 5500? Thank you very much.
Great question. Hope the below helps:
Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewalls you configure. Each context has its own configuration, separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
Hope this helps. Let me know if you have any more questions!
-Mike
http://cs-mars.blogspot.com -
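As an added example, not part of Mike's answer, here are the modes side by side on one box running 9.0 or later, where the firewall mode is chosen per context: a routed context and a transparent context on the same ASA. Single mode is simply the default before the unit is switched with "mode multiple". Names, VLAN IDs and addresses are assumptions.

```cisco
! Added example, not from the original answer. Names, VLAN IDs and addresses
! are assumptions.

! --- System execution space (unit already switched with "mode multiple",
! --- which reloads it). Subinterfaces are created and tagged here.
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.11
 vlan 11
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/1.21
 vlan 21
!
context ROUTED-CTX
 allocate-interface GigabitEthernet0/1.10 outside
 allocate-interface GigabitEthernet0/1.11 inside
 config-url disk0:/routed.cfg
!
context BRIDGED-CTX
 allocate-interface GigabitEthernet0/1.20 outside
 allocate-interface GigabitEthernet0/1.21 inside
 config-url disk0:/bridged.cfg
!
! --- changeto context ROUTED-CTX: the firewall is a Layer 3 hop ---
! Hosts in 10.11.0.0/24 must point their default gateway at 10.11.0.1.
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
!
interface inside
 nameif inside
 security-level 100
 ip address 10.11.0.1 255.255.255.0
!
! --- changeto context BRIDGED-CTX: the firewall is a bump in the wire ---
! Set the mode first: changing it clears the context configuration.
! VLAN 20 and VLAN 21 carry the same IP subnet; the context bridges them and
! filters in between. Hosts keep their existing addresses and gateway, which
! is the "no change on the server" property described above.
firewall transparent
!
interface outside
 nameif outside
 bridge-group 1
 security-level 0
!
interface inside
 nameif inside
 bridge-group 1
 security-level 100
!
! The BVI address is for management and ARP only; it must sit in the bridged
! subnet.
interface BVI1
 ip address 10.21.0.254 255.255.255.0
```

To verify: show mode in the system space reports multiple, and show firewall inside each context reports Router or Transparent for that context alone.
-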
SSLVPN/webvpn in multiple context mode?
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls using Cisco firewalls? Or am I missing something?
If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
Sent from Cisco Technical Support iPad App -
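As an added example, not part of the reply above, this is what the suggested single-context VPN pair looks like with one group policy per customer and the 'Restrict access to VLAN' setting (the vlan attribute under the group policy). Tenant names, VLAN IDs, pools, AAA server addresses, the group URLs and the AnyConnect package file name are assumptions.

```cisco
! Added example, not from the original post. A single-context ASA pair
! dedicated to remote access, trunked to the same switches as the
! multi-context edge firewall. All names, VLANs, addresses and the package
! file name are assumptions.

! One tagged leg per tenant towards that tenant's VLAN/VRF.
interface GigabitEthernet0/1.101
 vlan 101
 nameif tenant-a
 security-level 100
 ip address 10.101.0.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif tenant-b
 security-level 100
 ip address 10.102.0.1 255.255.255.0
!
! This box has one routing table, so client pools cannot overlap between
! tenants (the limitation the question describes). Each pool is routed only
! into its own tenant VLAN/VRF on the switch side.
ip local pool POOL-TENANT-A 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool POOL-TENANT-B 172.16.2.1-172.16.2.254 mask 255.255.255.0
!
! Each tenant authenticates against its own server, reached through its own
! leg, so credential stores never mix. LOCAL users are for lab use only.
aaa-server AAA-TENANT-A protocol radius
aaa-server AAA-TENANT-A (tenant-a) host 10.101.0.10
 key ReplaceWithTenantASecret
aaa-server AAA-TENANT-B protocol radius
aaa-server AAA-TENANT-B (tenant-b) host 10.102.0.10
 key ReplaceWithTenantBSecret
!
! "vlan" is the "Restrict access to VLAN" setting: a connected client may
! only egress through that VLAN, whatever the routing table says.
! "group-lock" stops a user who authenticated into one tenant's tunnel-group
! from connecting through another tenant's.
group-policy GP-TENANT-A internal
group-policy GP-TENANT-A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-TENANT-A
 vlan 101
 group-lock value TG-TENANT-A
!
group-policy GP-TENANT-B internal
group-policy GP-TENANT-B attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-TENANT-B
 vlan 102
 group-lock value TG-TENANT-B
!
! One tunnel-group per tenant binds authentication source, pool and policy.
! A per-tenant group-url selects the tunnel-group without
! "tunnel-group-list enable", so the login page does not list every
! customer for anyone who browses to it.
tunnel-group TG-TENANT-A type remote-access
tunnel-group TG-TENANT-A general-attributes
 authentication-server-group AAA-TENANT-A
 address-pool POOL-TENANT-A
 default-group-policy GP-TENANT-A
tunnel-group TG-TENANT-A webvpn-attributes
 group-url https://vpn.example.net/tenant-a enable
!
tunnel-group TG-TENANT-B type remote-access
tunnel-group TG-TENANT-B general-attributes
 authentication-server-group AAA-TENANT-B
 address-pool POOL-TENANT-B
 default-group-policy GP-TENANT-B
tunnel-group TG-TENANT-B webvpn-attributes
 group-url https://vpn.example.net/tenant-b enable
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect enable
```

show vpn-sessiondb anyconnect shows, per session, which tunnel-group and group policy were applied, which is the quickest way to confirm a tenant-a user cannot end up with tenant-b's pool or VLAN.
-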
Are VPN Clients supported in multiple context mode?
Hi,
Recently our company has bought two Cisco ASA 5515-X firewalls for our datacenter. I am new to configuring a Cisco ASA but so far things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
I want to configure VPN Client functionality for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
- Is VPN Client supported in Multiple Context mode?
- What is AnyConnect Essentials vs Premium Peers?
Boudewijn
Here is some additional output from the current configuration:
Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
Device Manager Version 7.1(3)
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0024
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
Hi,
No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
The only type of VPN supported in the newer 9.x software is L2L VPN / Site to Site VPN.
This might answer the VPN Licensing related question
http://packetpushers.net/cisco-asa-licensing-explained/
I never seem to remember it exactly myself even.
- Jouni -
Active/standby in multiple context mode
Is active/standby configuration possible in multiple context mode? I cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents), as the ASA will trigger failover if one of the contexts fails.
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
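As an added example, not from Julio's reply or the linked document, here is the shape of an Active/Standby pair in multiple context mode: failover is configured once, in the system execution space, and covers every context at once, which is exactly the "whole unit, never a single context" point above. Interface names, addresses and the key are assumptions.

```cisco
! Added example, not from the original thread. Interface names, addresses
! and the key are assumptions.

! --- System execution space, primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Reuse the failover link for state so one dedicated cable carries both.
failover link FOLINK GigabitEthernet0/3
! Configuration (including pre-shared keys and passwords) and connection
! state are replicated across this link. The key authenticates and encrypts
! that traffic; without it anyone on the segment can read or inject it.
! Use a direct cable or a VLAN that carries nothing else.
failover key ReplaceWithAStrongSharedSecret
failover replication http
failover
!
! --- System execution space, secondary unit (only "unit" differs) ---
! failover lan unit secondary
! failover lan interface FOLINK GigabitEthernet0/3
! failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! failover link FOLINK GigabitEthernet0/3
! failover key ReplaceWithAStrongSharedSecret
! failover
!
! --- Inside every context (changeto context NAME) ---
! Each data interface needs a standby address; without one the pair can only
! track link state on that interface, not run the interface health tests.
interface inside
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248 standby 192.0.2.3
!
! Physical interfaces are monitored by default, VLAN subinterfaces are not.
! On a multi-context box built from subinterfaces, enable monitoring
! explicitly or a dead VLAN leg will never trigger a switchover.
monitor-interface inside
monitor-interface outside
```

show failover in the system space reports the pair state and, per context, the monitored interface status; show failover state is the short version. Because every context moves together, test a switchover during a window that is acceptable to all tenants at once.
-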
Cisco ASA5520 multiple context revert back to single context
Hi all,
We have a redundant set of Cisco ASA5520s. These firewalls run in multiple context mode.
Now we want to make both "virtual" firewalls physical.
We already migrated one of the two firewalls to another physical set.
Now we would like to revert the multiple context mode back into single context mode, keeping one of the two firewalls as the new running config.
We would like to do this with a minimum downtime.
Is this possible, can someone advise?
Kind regards,
Danny van der Aa
The config will be saved as config.old when you change the mode of the firewall (this goes both ways, I believe). As Luis has mentioned, it is a major change, but if you have ASAs in a failover pair then doing this with little or no downtime should be possible.
I would first go about this by taking the current standby ASA and taking a backup of the running configuration on it, and make any required changes to the configuration to suit your needs. Most likely you will not have much need of what is in the system context, but take a backup of it anyway just to be on the safe side. Then change it to single mode with the command "mode single". Now copy the configuration into the ASA.
Now, assuming that both ASAs have the same IP addresses assigned to its interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network. You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.
Do the same for the second ASA and connect it back to the network. Now, if you have kept the failover configuration, the ASAs will setup an Active/Standby failover in single mode and replicate the configuration.
Your down time should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.
Please remember to rate and select a correct answer -
Multiple Context - Changing http server port
Hi,
Is it possible to change the firewall HTTPS port to a different port? Normally in single context mode you can change it with this command:
http server enable 4434
In multiple context mode there is no option for the port...
http server enable ?
Hi Marius,
I just tried this on our live ASA 5520 and you're right, it can't be done in the admin context.
It also can't assign a different port under a different context; only the default 443 is accepted.
ciscoasa/admin(config)# ip http serve enable ?
ERROR: % Unrecognized command
ciscoasa/CONTEXT(config)# sh ve
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)
ciscoasa/CONTEXT(config)# http server enable ?
configure mode commands/options: -
I am trying to set up WebVPN on an ASA5520 with 2 contexts. The config options just don't seem to be there; am I missing something?
Unfortunately multiple context does not support the following features.
Unsupported Features
Multiple context mode does not support the following features:
• Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF, RIP, or EIGRP in multiple context mode.
• VPN
• Multicast routing. Multicast bridging is supported.
• Threat Detection
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1036557
HTH
-Jorge -
About config VPN in FWSM multiple context
hi
I have a 6509 + FWSM (4.0.4). Now I want to use site-to-site and EZVPN on the FWSM (multiple context).
Does multiple context mode in FWSM support IPsec VPN?
Hi,
To my understanding no current Cisco firewall product supports VPN capabilities while running in multiple context mode.
Unless the newest ASA service modules running 8.5 do.
Though I guess in the future they might add support for IPsec VPN while running in multiple context mode.
You will probably have to use another device to configure VPN and build connections from that device to the contexts in question.
Either a small Cisco ASA product or maybe some older VPN module for the 6509. Don't know if they are supported by Cisco anymore.
- Jouni