Transparent mode/firewall mode in a multiple context asa5520

Hello,
Is it possible to have a transparent mode on CONTEXT_A and firewall/route mode in CONTEXT_B in a single ASA
5520?
thanks.

Is there any document to support this? I would be getting my hands on a ASA pretty soon hope to test this feature out.
-Hoogen

Similar Messages

  • Transparent firewall with failover with multiple contexts

                       I am running 8.4(2) on ASA5585s. They are in mulitble context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the ip addresses on the interfaces in he "sh failover" below.
    Failover On
    Last Failover at: 11:54:39 GMT/IST Feb 23 2012
            This context: Standby Ready
                    Active time: 175394 (sec)
                      Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                      Interface ctxb-outside (x.x.x.165): Normal (Monitored)
            Peer context: Active
                    Active time: 11390663 (sec)
                      Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                      Interface ctxb-outside (x.x.x.164): Normal (Waiting)
    Why are the interfaces in (waiting)?

    Are you able to ping between the interfaces? ie: can you ping x.x.x.165 from x.x.x.164 and visa versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is in Normal (Waiting) because it has not received the hello packet on that corresponding interface.
    Here is the reference guide FYI:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • Explain about transparent mode, single mode, multiple context mode

    You can explain about the differents of transparent mode, single mode, multiple context mode in ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has it's own configuration seperate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have anymore questions!
    -Mike
    http://cs-mars.blogspot.com

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
                We have two FWSMs working in active/standby state,  configured with multiple contexts in transparent mode. and the "outside" and "inside" interfaces for each context are in same subnet. 
                Now we have one FWSM broken and the RMA part can't arrived in short time, so  we have the risk that the sencond FWSM could be failed as well.   In the worst case if the two was broken or powered off simultaneously,   i wonder that if the communications between multiple contexts could be ok???
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • ASA Transparent Mode For Multiple Subnets

    I am looking to replace a FortiGate firewall which is currently working in transparent mode handling mutiple subnets with ASA 5515.  Currently, I am testing transparent mode configuration on ASA 5505, and it will not forward any traffic that is not in the same subnet as IP address assigned to BV interface.
    For example, the following configuration works.
    10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    However, the following does not work
    10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to BV interface affects the traffic?  Is the ASA capable of handling other/multiple subnets in transparent mode other than the subnet assigned to BV interface?
    By the way, I used to run PIX 515E 7.2(2) transparent mode filtering multiple subnets.  The current ASA 5505 is on 9.0(1).  Is it the limitation on the ASA 5505 model but not on the more powerful ASA model?
    Thank you

    Thank you @ttemirgaliyev, I tried but multiple context is not supported by ASA 5505.
    I have an example of PIX configuration in transparent mode filtering multiple subnets.  I was using this configuration in production environment in the past.  I am wondering if ASA 5510 or higher can handle this setup.
    : Saved
    : Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
    PIX Version 7.2(2)
    firewall transparent
    hostname pixfirewall
    enable password xxxxxxxxxx encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    interface Ethernet0.1
    vlan 1
    no nameif
    no security-level
    interface Ethernet1
    nameif inside
    security-level 100
    interface Ethernet1.1
    no vlan
    no nameif
    no security-level
    passwd xxxxxxxxxx encrypted
    ftp mode passive
    access-list outside extended permit udp any host 10.0.0.210
    access-list outside extended permit udp any host 10.0.0.3
    access-list outside extended permit tcp any host 10.0.0.110 eq smtp
    access-list outside extended permit tcp any host 10.0.0.110 eq www
    access-list outside extended permit tcp any host 10.0.0.57 eq smtp
    access-list outside extended permit tcp any host 10.0.0.57 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq ftp
    access-list outside extended permit tcp any host 10.0.0.75 eq 5003
    access-list outside extended permit tcp any host 10.0.0.75 eq 403
    access-list outside extended permit tcp any host 10.0.0.75 eq 407
    access-list outside extended permit tcp any host 10.0.0.76 eq ftp
    access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.61
    access-list outside extended permit tcp any host 10.0.10.62
    access-list outside extended permit tcp any host 10.0.10.63
    access-list outside extended permit tcp any host 10.0.10.64
    access-list outside extended permit tcp any host 10.0.13.225 eq ftp
    access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
    access-list outside extended permit tcp any host 10.0.13.225 eq telnet
    access-list outside extended permit tcp any host 10.0.10.61 eq 50
    access-list outside extended permit udp any host 10.0.10.61 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.62 eq 50
    access-list outside extended permit udp any host 10.0.10.62 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.63 eq 50
    access-list outside extended permit udp any host 10.0.10.63 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.64 eq 50
    access-list outside extended permit udp any host 10.0.10.64 eq isakmp
    access-list outside extended permit tcp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.10.61
    access-list outside extended permit udp any host 10.0.10.62
    access-list outside extended permit udp any host 10.0.10.63
    access-list outside extended permit udp any host 10.0.10.64
    access-list outside extended permit icmp any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.29 eq ftp
    access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
    access-list outside extended permit tcp any host 10.0.0.110 eq pop3
    access-list outside extended permit tcp any host 10.0.0.57 eq pop3
    access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
    access-list outside extended permit icmp any host 10.0.10.28
    access-list outside extended permit tcp any host 10.0.10.28 eq pptp
    access-list outside extended permit gre any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.25 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8235
    access-list outside extended permit tcp any host 10.0.17.217 eq www
    access-list outside extended permit ip any host 10.0.10.36
    access-list outside extended permit ip any host 10.0.10.37
    access-list outside extended permit ip any host 10.0.10.38
    access-list outside extended permit ip any host 10.0.10.39
    access-list outside extended permit ip any host 10.0.10.40
    access-list outside extended permit ip any host 10.0.10.41
    access-list outside extended permit tcp any host 10.0.0.235 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq 3389
    access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
    access-list outside extended permit tcp any host 10.0.0.211 eq www
    access-list outside extended permit tcp any host 10.0.10.35 eq www
    access-list outside extended permit tcp any host 10.0.10.36 eq www
    access-list outside extended permit tcp any host 10.0.10.37 eq www
    access-list outside extended permit tcp any host 10.0.10.38 eq www
    access-list outside extended permit tcp any host 10.0.10.39 eq www
    access-list outside extended permit tcp any host 10.0.10.40 eq www
    access-list outside extended permit tcp any host 10.0.10.41 eq www
    access-list outside extended permit tcp any host 10.0.0.110 eq https
    access-list outside extended permit tcp any host 10.0.0.57 eq https
    access-list outside extended permit tcp any host 10.0.0.75 eq https
    access-list outside extended permit tcp any host 10.0.17.217 eq https
    access-list outside extended permit tcp any host 10.0.0.234 eq 220
    access-list outside extended permit tcp any host 10.0.0.235 eq https
    access-list outside extended permit tcp any host 10.0.10.2 eq https
    access-list outside extended permit tcp any host 10.0.0.211 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq https
    access-list outside extended permit tcp any host 10.0.10.36 eq https
    access-list outside extended permit tcp any host 10.0.10.37 eq https
    access-list outside extended permit tcp any host 10.0.10.38 eq https
    access-list outside extended permit tcp any host 10.0.10.39 eq https
    access-list outside extended permit tcp any host 10.0.10.40 eq https
    access-list outside extended permit tcp any host 10.0.10.41 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq 8234
    access-list outside extended permit tcp any host 10.0.10.36 eq 8234
    access-list outside extended permit tcp any host 10.0.10.37 eq 8234
    access-list outside extended permit tcp any host 10.0.10.38 eq 8234
    access-list outside extended permit tcp any host 10.0.10.39 eq 8234
    access-list outside extended permit tcp any host 10.0.10.40 eq 8234
    access-list outside extended permit tcp any host 10.0.10.41 eq 8234
    access-list outside extended permit tcp any host 10.0.10.35 eq 8235
    access-list outside extended permit tcp any host 10.0.10.36 eq 8235
    access-list outside extended permit tcp any host 10.0.10.37 eq 8235
    access-list outside extended permit tcp any host 10.0.10.38 eq 8235
    access-list outside extended permit tcp any host 10.0.10.39 eq 8235
    access-list outside extended permit tcp any host 10.0.10.40 eq 8235
    access-list outside extended permit tcp any host 10.0.10.41 eq 8235
    access-list outside extended permit udp any host 10.0.0.222
    access-list outside extended permit gre any any
    access-list outside extended permit ip host 10.0.10.28 any
    access-list outside extended permit ip host 10.0.0.211 any
    access-list outside extended permit ip host 10.0.10.35 any
    access-list outside extended permit ip host 10.0.10.36 any
    access-list outside extended permit ip host 10.0.10.37 any
    access-list outside extended permit ip host 10.0.10.38 any
    access-list outside extended permit ip host 10.0.10.39 any
    access-list outside extended permit ip host 10.0.10.40 any
    access-list outside extended permit ip host 10.0.10.41 any
    access-list outside extended permit ip host 10.0.0.222 any
    access-list outside extended permit ip host 10.0.0.234 any
    access-list outside extended permit icmp host 10.0.0.234 any
    access-list outside extended permit tcp any host 10.0.0.235 eq 3389
    access-list outside extended permit ip host 10.0.0.254 any
    access-list outside extended permit tcp any host 10.0.0.2 eq 3389
    access-list outside extended permit tcp any host 10.0.13.240 eq 5900
    access-list outside extended permit udp any host 10.0.13.240 eq 5900
    access-list outside extended permit tcp any host 10.0.13.240 eq 3283
    access-list outside extended permit udp any host 10.0.13.240 eq 3283
    access-list outside extended permit tcp any host 10.0.13.240 eq ssh
    access-list outside extended permit tcp any host 10.0.10.12 eq www
    access-list outside extended permit tcp any host 10.0.0.212 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 10.0.0.230 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    snmp-server host inside 10.0.0.234 community xxxx
    no snmp-server location
    no snmp-server contact
    snmp-server community xxxx
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    prompt hostname context
    Cryptochecksum:c887f562a196123a335c5ebeba0ad482
    : end

  • SSLVPN/webvpn in multiple context mode?

    We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
    So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
    As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
    Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

    If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
    Sent from Cisco Technical Support iPad App

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                       Dear Experts,
    Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    Its lists the following for software level 9.0(1)
    Multiple   Context Mode Features
    Dynamic routing in Security   Contexts
    EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Multiple context mode, how to download the packet capture file

    Hi guys,
    Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context. 
    The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
    Thanks!
    Difan

    Hello Difan,
                         Please refer the following document.
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Also what version of the ASA code are you using?
    Regards,
    Jai Ganesh K

  • ASDM_HANDLER problem on multiple context mode

    Hello,
    Has any anybody seen this error?
    On the firewall multiple context I used to jump from one context to another, but now when I log in to the admin context and I try to jump to another context I receive this error. Could no find any bug on release notes for that.

    Hi,
    I have not personally seen this error before. Though I don't use ASDM that much anyway. We used to have FWSMs in multiple context mode and now have ASAs running multiple context mode and I have never seen this.
    Have you checked the situation (as the error message suggests) from the CLI of the ASA to see if there is a lot of ASDM sessions in the "admin" context of the unit?
    show asdm sessions
    - Jouni

  • VRF issue with Firewall in transparent Mode.

    Hi Guys,
    I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
    I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
    My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

    I have taken following output from Firewall will this be any help?
    sh interface ouTSIDE
    Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
      Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            MAC address 7c69.f68f.df78, MTU 1500
            IP address 175.4.8.35, subnet mask 255.255.255.248
            8435 packets input, 680680 bytes, 0 no buffer
            Received 8135 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            8138 L2 decode drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 1 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops
            input queue (blocks free curr/low): hardware (476/461)
            output queue (blocks free curr/low): hardware (511/511)
      Traffic Statistics for "OUTSIDE":
            297 packets input, 118503 bytes
            0 packets output, 0 bytes
            297 packets dropped
          1 minute input rate 0 pkts/sec,  13 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ciscoasa# show asp drop
    Frame drop:
      FP L2 rule drop (l2_acl)                                                   297
    ASA Version 9.0(1)
    firewall transparent
    ciscoasa# show module all
    Mod Card Type                                    Model              Serial No.
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
    ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    ciscoasa#
    I have create Ehtertype ACL and permit any traffic.
    cdp traffic has passed through but I am still not able to ping :(

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
    "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out.  I'll appreciate anyone who can clarify it.
    Thank Jason.
    ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • Are VPN Clients supported in multiple context mode?

    Hi,
    Recently our company has bought two Cisco ASA 5515-X firewalls for at our datacenter. I am new on configuring a Cisco ASA but sofar things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
    I want to configure VPN Client functionallity for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
    - Is VPN Client supported in Multiple Context mode?
    - What is AnyWhere Essentials vs Premium Peers?
    Boudewijn
    Here is some additional output fromt he current configuration:
    Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
    Device Manager Version 7.1(3)
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                                 Boot microcode        : CNPx-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                                 IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                                 Number of accelerators: 1
    Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    IPS Module                        : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5515 Security Plus license.

    Hi,
    No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
    The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
    This might answer the VPN Licensing related question
    http://packetpushers.net/cisco-asa-licensing-explained/
    I never seem to remember it exactly myself even.
    - Jouni

  • Active/standby in multiple context mode

    is active/standby configuration possible in multilple context mode? i cannot find an article regarding this matter.

    Hello John,
    It is available
    Actually the ones you need are the regular  ones (documents) as the ASA will trigger failover if one of the context fail
    Important Notes
    For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
    . Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
    VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
    Active/Standby Failover configurations in single context configurations.
    With this I think you are ready to start configuring it:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
    Julio

  • Multiple context mode and Active Active

    Hi Everyone,
    ASA in multiple context  mode works as active active mode.
    ASA has 2 contexts admin and  x.
    We have 2  physical ASA say ASA1 and ASA2 .
    Under system context we have hostname ASA
    When i ssh to ASA1 it brings the ASA/admin mode.
    sh failover shows
    sh failover shows
    This host:    Primary
    This host:    Primary
    When i try to login to ASA 2 it brings me to ASA/x prompt.
    sh failover shows
      This context: Active
    Peer context: Standby Ready
    Need to  know is there any way that i can login to other physical ASA?
    i hope my question makes sense.
    Message was edited by: mahesh parmar

    Hi Mahesh,
    To it seems that you are logging to different contexts in these 2 cases.
    Normally an admin always logs to the "admin" context IP address owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
    So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
    Then go to the context "x" and issue the command "show run interface"
    Now check the IP addresses on the interfaces.
    Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally lead you to the "admin" context.
    For example
    ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
    If the above were true you would connecto the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit
    - Jouni

Maybe you are looking for

  • Reg DYNP_VALUES_UPDATE.

    Hi all,       Does the FM DYNP_VALUES_UPDATE work only with the same screen?My requirement is to update the field values of a main screen according to the value selected from a drop-down in a subscreen.I am able to update values of the same subscreen

  • Getting garbage characters at the begining of xml

    Hi Experts, I am using file adapter to pick XML file. Using TEXT mode & encoding "ISO-8859-1" as it has some special characters. But when file is picked by PI in moni XML payload contain some garbage characters at the begining of the XML declaration.

  • Setting the font style and color for FileChooser labels

    Hi Friends, I have a certain standard Font style and color set for my application GUI. Now, I want to set the style and color for Swing components like FileChooser. Is it possible ? Also is it possible to localize JOptionPane ? Please advise. Best re

  • Preserving aspect ratio 16:9

    I've placed several Flash videos on a Web site, all 4:3 standard definition. All look fine. I have one video that's 16:9 widescreen high-definition. When I try to place it on the same site (using the same HTML snippet code as the others), much of the

  • After updating my IPad I have lost the icon for the App Store how do I get it back?

    Can't find my App Store icon after new update?