Support IPSec VPN Client in ASA Multiple Context Mode
I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
"IPsec sessions—5 sessions. (The maximum per context.) ". Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out. I'll appreciate anyone who can clarify it.
Thank Jason.
( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)
This is from the v9.3 config-guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.)
Similar Messages
-
Configurate cisco ipsec vpn client at asa 5505 version 8.4
Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
thank you.are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
what version of vpn client ? -
Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode
Dear Experts,
Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response. Thanks.Hi,
Check out this document for the information
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
Its lists the following for software level 9.0(1)
Multiple Context Mode Features
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
Hope this helps
- Jouni -
Certificates for IPSEC vpn clients in ASA 8.0
Hello!
I have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.
Same configuration does not work with ASA 8.0 I get error
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
(40)
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, ser
ial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=
xx
CRYPTO_PKI: Certificate not validated
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
The CA enrollement is terminal.
THANKS!The cert needs to have the Digital Signature key usage set.
Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.
To make ASA 8 behave the same as ASA 7 (i.e. disable th check on the cert's key usage), configure:
crypto ca trustpoint
ignore-ipsec-keyusage -
Remote Access VPN Support in Multiple Context Mode (9.1(2))?
Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
LeonHey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis -
Active/standby in multiple context mode
is active/standby configuration possible in multilple context mode? i cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents) as the ASA will trigger failover if one of the context fail
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
Are VPN Clients supported in multiple context mode?
Hi,
Recently our company has bought two Cisco ASA 5515-X firewalls for at our datacenter. I am new on configuring a Cisco ASA but sofar things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
I want to configure VPN Client functionallity for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
- Is VPN Client supported in Multiple Context mode?
- What is AnyWhere Essentials vs Premium Peers?
Boudewijn
Here is some additional output fromt he current configuration:
Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
Device Manager Version 7.1(3)
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0024
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.Hi,
No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
This might answer the VPN Licensing related question
http://packetpushers.net/cisco-asa-licensing-explained/
I never seem to remember it exactly myself even.
- Jouni -
Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark andor tcpdump.)
Thanks again. -
Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs
Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark andor tcpdump.)
Thanks again. -
IPSEC VPN clients can't reach internal nor external resources
Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****Hi,
I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.32.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
Does 1841 router support IPsec vpn?
Hi,
how can i check if my router supports IPsec VPN?
Cisco 1841 Software (C18410IPBASEK9-M), 12.4(11)T
regards
kimhoeHi,
Yes, it does support IPSEC VPN. You can check it from software adviser tool at Cisco site,
http://www.cisco.com/en/US/partner/support/tsd_most_requested_tools.html
Regards,
~JG
Please rate helpful posts -
Does mountain lion support CISCO VPN client ?
Does OS X 10.8 mountain lion support CISCO VPN client? if yes which version ?, Does OS X 10.8 mountain lion support CISCO VPN client? if yes which version ?
If you have issues, try this link
http://erbmicha.com/2009/09/07/how-to-cisco-vpn-with-snow-leopard-via-pcf-file/
works for Mountain Lion as well -
SSLVPN/webvpn in multiple context mode?
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
Sent from Cisco Technical Support iPad App -
Botnet Filter with multiple Context Mode
We used the Botnet Filter in Single Context Mode for a long Time. Now we converted to multiple Context Mode and the Database is no longer updated. In the system Context I can See the update settings but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
How should be the Botnet Filter configured in Multiple Context Mode?
Thanks for any response in advance.sh run | grep dns
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
policy-map type inspect dns preset_dns_map
inspect dns preset_dns_map
ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
ping updates.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
ASA Version 8.4(2)
hostname DE-VM-TER-FW-02
enable password 8Ry2Yj8765U24 encrypted
passwd 2KFQnb6IdI.2KY75 encrypted
names
interface GigabitEthernet0/0.3207
nameif TR_v207
security-level 50
ip address 10.28.6.60 255.255.255.248
interface GigabitEthernet0/0.3208
nameif TR_v208
security-level 70
ip address 10.28.6.68 255.255.255.248
interface GigabitEthernet0/0.3209
nameif TR_v209
security-level 80
ip address 10.28.6.76 255.255.255.248
interface GigabitEthernet0/0.3210
nameif TR_v210
security-level 90
ip address 10.28.6.84 255.255.255.248
interface GigabitEthernet0/1
nameif COLT
security-level 0
ip address 217.111.58.46 255.255.255.240
interface GigabitEthernet0/3
nameif T-COM
security-level 0
ip address 194.25.250.94 255.255.255.240
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
name-server 8.8.8.8
object network COLT_dynamic_NAT
subnet 0.0.0.0 0.0.0.0
object network T-COM_dynamiy_NAT
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
access-list COLT_access_in extended deny ip any any
access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
access-list T-COM_access_in extended deny ip any any
access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
access-list TR_3208_access_in extended permit ip any any
access-list TR_3208_access_in extended permit icmp any any
access-list TR_v207_access_in extended deny ip any any
access-list TR_v210_access_in extended deny ip any any
access-list TR_v209_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu TR_v208 1500
mtu T-COM 1500
mtu COLT 1500
mtu TR_v207 1500
mtu TR_v210 1500
mtu TR_v209 1500
ip verify reverse-path interface T-COM
ip verify reverse-path interface COLT
ipv6 access-list TR_v207_access_ipv6_in deny ip any any
ipv6 access-list TR_v208_access_ipv6_in deny ip any any
ipv6 access-list TR_v209_access_ipv6_in deny ip any any
ipv6 access-list TR_v210_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network COLT_dynamic_NAT
nat (any,COLT) dynamic interface
object network T-COM_dynamiy_NAT
nat (any,T-COM) dynamic interface
access-group TR_3208_access_in in interface TR_v208
access-group TR_v208_access_ipv6_in in interface TR_v208
access-group T-COM_access_in in interface T-COM
access-group COLT_access_in in interface COLT
access-group TR_v207_access_in in interface TR_v207
access-group TR_v207_access_ipv6_in in interface TR_v207
access-group TR_v210_access_in in interface TR_v210
access-group TR_v210_access_ipv6_in in interface TR_v210
access-group TR_v209_access_in in interface TR_v209
access-group TR_v209_access_ipv6_in in interface TR_v209
route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface T-COM
dynamic-filter enable interface COLT
dynamic-filter drop blacklist interface T-COM
dynamic-filter drop blacklist interface COLT
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global
Cryptochecksum:7bbe975fb39e189e99d8878787a0037
: end
System Context
dynamic-filter updater-client enable
Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured
Maybe you are looking for
-
Firefox will not open old tabs
My computer crashed last evening and on restarting firefox, it goes to a new page without any of the old tabs available. Going under history has all of the options regarding restoring recently closed windows greyed out. I did confirm that under prefe
-
I can't install aperture from a previous app store purchase. I originally purchased ver 3.4.5 and the store shows that I purchased ver 3.5. I want to install 3.4.5 in my laptop with os lion. ver 3.5 is not compatible with lion.
-
Hi All..!! I am trying to export some table data from test instance to prod instance.Given below is the command i am using, exp apps/mwpr0dg0ld parfile=params.par, The contents of the parameter file params.par is given below, file=test1.dmp,test2.dmp
-
Good morning, I implanted validity control in the material and to monitor the expirations. I use the transaction MB5M for you monitor the expirations. Does the possibility exist to personalize the traffic light in the transaction SPRO? Example:
-
Appraisal template - need to check fields
Hi all, In my appraisal templates I need to check that the some of three different fields in three different VB have a sum of 100%. Do you knwo which BAdI I need to implement, and how it works? In an other field, I need to"hide" the difference betwee