Transparent mode/firewall mode in a multiple context asa5520
Hello,
Is it possible to have transparent mode on CONTEXT_A and firewall/routed mode on CONTEXT_B in a single ASA 5520?
thanks.
Is there any document to support this? I would be getting my hands on a ASA pretty soon hope to test this feature out.
-Hoogen
Similar Messages
-
Transparent firewall with failover with multiple contexts
I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the IP addresses on the interfaces in the "sh failover" below.
Failover On
Last Failover at: 11:54:39 GMT/IST Feb 23 2012
This context: Standby Ready
Active time: 175394 (sec)
Interface ctxb-inside (x.x.x.165): Normal (Waiting)
Interface ctxb-outside (x.x.x.165): Normal (Monitored)
Peer context: Active
Active time: 11390663 (sec)
Interface ctxb-inside (x.x.x.164): Normal (Monitored)
Interface ctxb-outside (x.x.x.164): Normal (Waiting)
Why are the interfaces in (waiting)?
Are you able to ping between the interfaces? i.e., can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
Here is the reference guide FYI:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709 -
Remote Access VPN Support in Multiple Context Mode (9.1(2))?
Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new IOS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this IOS upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
Leon
Hey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis -
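A worked configuration for the question that opens this page (one transparent and one routed context on the same unit, which the feature table above says is possible from 8.5(1) and 9.x with the firewall mode set per context from the CLI) and for the failover thread above (the active and standby addresses that the Normal (Waiting) check depends on). This is an added example, not configuration from any of the posters; context names, interface names, config-url paths and all addresses are assumed.

```cisco
! --- System execution space (assumed interface names and file paths) ---
! "mode multiple" converts the unit and reloads it; run it once, not as part of a paste.
mode multiple
!
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context CONTEXT_A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/context_a.cfg
!
context CONTEXT_B
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/context_b.cfg
!
! --- CONTEXT_A: transparent (bump in the wire); the mode is set inside the context ---
changeto context CONTEXT_A
configure terminal
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
! The BVI address is management-only and must sit in the bridged subnet (assumed 192.0.2.0/24).
! The standby address is what the peer's failover hellos are sourced from on this segment.
interface BVI1
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
! --- CONTEXT_B: routed; hosts behind it use the ASA as their default gateway ---
changeto context CONTEXT_B
configure terminal
no firewall transparent
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
! --- Verification ---
changeto system
! expect "Security context mode: multiple"
show mode
! lists admin, CONTEXT_A, CONTEXT_B with their allocated interfaces
show context
changeto context CONTEXT_A
! expect "Firewall mode: Transparent"
show firewall
! each interface should read Normal (Monitored); Normal (Waiting) means no hello has
! been received from the peer's standby address on that interface yet, so ping it first
show failover
```

The per-interface standby addresses are the reason the ping test in the failover thread works: each unit sources its hellos from its own address on the segment, so if the active address cannot reach the standby address on an interface, that interface stays in Waiting.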
Explain about transparent mode, single mode, multiple context mode
Can you explain the differences between transparent mode, single mode and multiple context mode in ASA 5500? Thank you very much.
Great question. Hope the below helps:
Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
Hope this helps. Let me know if you have any more questions!
-Mike
http://cs-mars.blogspot.com -
Failure when FWSM in transparent mode with multiple contexts
hi experts,
We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if both were broken or powered off simultaneously, I wonder whether the communications between multiple contexts could be OK???
thanks in advance.
The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html -
ASA Transparent Mode For Multiple Subnets
I am looking to replace a FortiGate firewall which is currently working in transparent mode handling multiple subnets with an ASA 5515. Currently, I am testing transparent mode configuration on an ASA 5505, and it will not forward any traffic that is not in the same subnet as the IP address assigned to the BVI interface.
For example, the following configuration works.
10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
However, the following does not work
10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BVI interface affect the traffic? Is the ASA capable of handling other/multiple subnets in transparent mode other than the subnet assigned to the BVI interface?
By the way, I used to run PIX 515E 7.2(2) transparent mode filtering multiple subnets. The current ASA 5505 is on 9.0(1). Is it the limitation on the ASA 5505 model but not on the more powerful ASA model?
Thank you
Thank you @ttemirgaliyev, I tried but multiple context is not supported by ASA 5505.
I have an example of PIX configuration in transparent mode filtering multiple subnets. I was using this configuration in production environment in the past. I am wondering if ASA 5510 or higher can handle this setup.
: Saved
: Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
PIX Version 7.2(2)
firewall transparent
hostname pixfirewall
enable password xxxxxxxxxx encrypted
names
interface Ethernet0
nameif outside
security-level 0
interface Ethernet0.1
vlan 1
no nameif
no security-level
interface Ethernet1
nameif inside
security-level 100
interface Ethernet1.1
no vlan
no nameif
no security-level
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list outside extended permit udp any host 10.0.0.210
access-list outside extended permit udp any host 10.0.0.3
access-list outside extended permit tcp any host 10.0.0.110 eq smtp
access-list outside extended permit tcp any host 10.0.0.110 eq www
access-list outside extended permit tcp any host 10.0.0.57 eq smtp
access-list outside extended permit tcp any host 10.0.0.57 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq ftp
access-list outside extended permit tcp any host 10.0.0.75 eq 5003
access-list outside extended permit tcp any host 10.0.0.75 eq 403
access-list outside extended permit tcp any host 10.0.0.75 eq 407
access-list outside extended permit tcp any host 10.0.0.76 eq ftp
access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.61
access-list outside extended permit tcp any host 10.0.10.62
access-list outside extended permit tcp any host 10.0.10.63
access-list outside extended permit tcp any host 10.0.10.64
access-list outside extended permit tcp any host 10.0.13.225 eq ftp
access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
access-list outside extended permit tcp any host 10.0.13.225 eq telnet
access-list outside extended permit tcp any host 10.0.10.61 eq 50
access-list outside extended permit udp any host 10.0.10.61 eq isakmp
access-list outside extended permit tcp any host 10.0.10.62 eq 50
access-list outside extended permit udp any host 10.0.10.62 eq isakmp
access-list outside extended permit tcp any host 10.0.10.63 eq 50
access-list outside extended permit udp any host 10.0.10.63 eq isakmp
access-list outside extended permit tcp any host 10.0.10.64 eq 50
access-list outside extended permit udp any host 10.0.10.64 eq isakmp
access-list outside extended permit tcp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.10.61
access-list outside extended permit udp any host 10.0.10.62
access-list outside extended permit udp any host 10.0.10.63
access-list outside extended permit udp any host 10.0.10.64
access-list outside extended permit icmp any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.29 eq ftp
access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
access-list outside extended permit tcp any host 10.0.0.110 eq pop3
access-list outside extended permit tcp any host 10.0.0.57 eq pop3
access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
access-list outside extended permit icmp any host 10.0.10.28
access-list outside extended permit tcp any host 10.0.10.28 eq pptp
access-list outside extended permit gre any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.25 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8235
access-list outside extended permit tcp any host 10.0.17.217 eq www
access-list outside extended permit ip any host 10.0.10.36
access-list outside extended permit ip any host 10.0.10.37
access-list outside extended permit ip any host 10.0.10.38
access-list outside extended permit ip any host 10.0.10.39
access-list outside extended permit ip any host 10.0.10.40
access-list outside extended permit ip any host 10.0.10.41
access-list outside extended permit tcp any host 10.0.0.235 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq 3389
access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
access-list outside extended permit tcp any host 10.0.0.211 eq www
access-list outside extended permit tcp any host 10.0.10.35 eq www
access-list outside extended permit tcp any host 10.0.10.36 eq www
access-list outside extended permit tcp any host 10.0.10.37 eq www
access-list outside extended permit tcp any host 10.0.10.38 eq www
access-list outside extended permit tcp any host 10.0.10.39 eq www
access-list outside extended permit tcp any host 10.0.10.40 eq www
access-list outside extended permit tcp any host 10.0.10.41 eq www
access-list outside extended permit tcp any host 10.0.0.110 eq https
access-list outside extended permit tcp any host 10.0.0.57 eq https
access-list outside extended permit tcp any host 10.0.0.75 eq https
access-list outside extended permit tcp any host 10.0.17.217 eq https
access-list outside extended permit tcp any host 10.0.0.234 eq 220
access-list outside extended permit tcp any host 10.0.0.235 eq https
access-list outside extended permit tcp any host 10.0.10.2 eq https
access-list outside extended permit tcp any host 10.0.0.211 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq https
access-list outside extended permit tcp any host 10.0.10.36 eq https
access-list outside extended permit tcp any host 10.0.10.37 eq https
access-list outside extended permit tcp any host 10.0.10.38 eq https
access-list outside extended permit tcp any host 10.0.10.39 eq https
access-list outside extended permit tcp any host 10.0.10.40 eq https
access-list outside extended permit tcp any host 10.0.10.41 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq 8234
access-list outside extended permit tcp any host 10.0.10.36 eq 8234
access-list outside extended permit tcp any host 10.0.10.37 eq 8234
access-list outside extended permit tcp any host 10.0.10.38 eq 8234
access-list outside extended permit tcp any host 10.0.10.39 eq 8234
access-list outside extended permit tcp any host 10.0.10.40 eq 8234
access-list outside extended permit tcp any host 10.0.10.41 eq 8234
access-list outside extended permit tcp any host 10.0.10.35 eq 8235
access-list outside extended permit tcp any host 10.0.10.36 eq 8235
access-list outside extended permit tcp any host 10.0.10.37 eq 8235
access-list outside extended permit tcp any host 10.0.10.38 eq 8235
access-list outside extended permit tcp any host 10.0.10.39 eq 8235
access-list outside extended permit tcp any host 10.0.10.40 eq 8235
access-list outside extended permit tcp any host 10.0.10.41 eq 8235
access-list outside extended permit udp any host 10.0.0.222
access-list outside extended permit gre any any
access-list outside extended permit ip host 10.0.10.28 any
access-list outside extended permit ip host 10.0.0.211 any
access-list outside extended permit ip host 10.0.10.35 any
access-list outside extended permit ip host 10.0.10.36 any
access-list outside extended permit ip host 10.0.10.37 any
access-list outside extended permit ip host 10.0.10.38 any
access-list outside extended permit ip host 10.0.10.39 any
access-list outside extended permit ip host 10.0.10.40 any
access-list outside extended permit ip host 10.0.10.41 any
access-list outside extended permit ip host 10.0.0.222 any
access-list outside extended permit ip host 10.0.0.234 any
access-list outside extended permit icmp host 10.0.0.234 any
access-list outside extended permit tcp any host 10.0.0.235 eq 3389
access-list outside extended permit ip host 10.0.0.254 any
access-list outside extended permit tcp any host 10.0.0.2 eq 3389
access-list outside extended permit tcp any host 10.0.13.240 eq 5900
access-list outside extended permit udp any host 10.0.13.240 eq 5900
access-list outside extended permit tcp any host 10.0.13.240 eq 3283
access-list outside extended permit udp any host 10.0.13.240 eq 3283
access-list outside extended permit tcp any host 10.0.13.240 eq ssh
access-list outside extended permit tcp any host 10.0.10.12 eq www
access-list outside extended permit tcp any host 10.0.0.212 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.0.0.230 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 10.0.0.234 community xxxx
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
prompt hostname context
Cryptochecksum:c887f562a196123a335c5ebeba0ad482
: end -
SSLVPN/webvpn in multiple context mode?
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using Cisco firewalls? Or am I missing something?
If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
-
Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode
Dear Experts,
Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.
Hi,
Check out this document for the information
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
It lists the following for software level 9.0(1)
Multiple Context Mode Features
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
Hope this helps
- Jouni -
Multiple context mode, how to download the packet capture file
Hi guys,
Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context.
The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
Thanks!
Difan
Hello Difan,
Please refer the following document.
https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
Also what version of the ASA code are you using?
Regards,
Jai Ganesh K -
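The reply above only points at the capture document. As an added example that is not from either poster, here is one way to get a capture out of a transparent context whose own address cannot reach the TFTP server: write the pcap to flash from inside the context, then copy it out from the admin context, whose Management0/0 sits on the out-of-band network where the TFTP servers are. Context name, capture name, the hosts matched and the TFTP address are assumed; that flash can be written from within a non-admin context is also an assumption to verify on your release before relying on it.

```cisco
! --- Inside the transparent context (name assumed) ---
changeto context CUSTOMER-A
! capture only the conversation under investigation; unbounded captures fill memory quickly
capture CAP interface inside match ip host 10.1.1.10 any
! ... reproduce the problem ...
show capture CAP
! write the pcap to flash from within the context (assumed to be permitted on this release)
copy /pcap capture:CAP disk0:/CAP.pcap
!
! --- From the admin context, which reaches the OOB network via Management0/0 ---
changeto context admin
copy disk0:/CAP.pcap tftp://192.0.2.50/CAP.pcap
!
! --- Clean up: a capture keeps its buffer until it is removed ---
changeto context CUSTOMER-A
no capture CAP
!
! Alternative, only when the context's own management address is reachable from your
! workstation and HTTPS access is enabled in that context:
!   http server enable
!   http 192.0.2.0 255.255.255.0 inside
! then fetch https://<context-management-IP>/admin/capture/CAP/pcap
```

The HTTPS path is per context, which is why it does not help when, as in the question, the context's address has no route to the management network; the flash hand-off avoids giving the transparent context any path into the OOB network at all.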
ASDM_HANDLER problem on multiple context mode
Hello,
Has anybody seen this error?
On the firewall multiple context I used to jump from one context to another, but now when I log in to the admin context and I try to jump to another context I receive this error. Could not find any bug on the release notes for that.
Hi,
I have not personally seen this error before. Though I don't use ASDM that much anyway. We used to have FWSMs in multiple context mode and now have ASAs running multiple context mode and I have never seen this.
Have you checked the situation (as the error message suggests) from the CLI of the ASA to see if there is a lot of ASDM sessions in the "admin" context of the unit?
show asdm sessions
- Jouni -
VRF issue with Firewall in transparent Mode.
Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
My question is: Does the ASA require different settings in the case of VRF? If yes, then please give me a sample config.
I have taken the following output from the firewall; will this be of any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7c69.f68f.df78, MTU 1500
IP address 175.4.8.35, subnet mask 255.255.255.248
8435 packets input, 680680 bytes, 0 no buffer
Received 8135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
8138 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/461)
output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
297 packets input, 118503 bytes
0 packets output, 0 bytes
297 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl) 297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type Model Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt ASA5545
ips ASA 5545-X IPS Security Services Processor ASA5545-IPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0 2.1(9)8 9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
ciscoasa#
I have created an Ethertype ACL and permitted any traffic.
CDP traffic has passed through but I am still not able to ping :( -
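The thread above has no answer. As an added example that is not the poster's configuration, here is how a transparent context is usually laid out when the router-to-switch link carries one VLAN per VRF over an 802.1Q trunk (an assumption about this topology), together with the layer-3 and layer-2 policy the BGP sessions need and the counters to check afterwards. VLAN numbers, interface names, bridge-group numbers and addresses are assumed. Two points this example relies on: an ASA in transparent mode bridges a tagged frame only when a subinterface for that VLAN exists on the interface it arrives on, and an EtherType ACL governs only non-IP frames, so BGP (TCP/179) is permitted or denied by the extended ACL, not by the EtherType ACL. The l2_acl counter in the show asp drop output above is the layer-2 (EtherType) policy dropping frames, explicit or default, so that policy and its access-group bindings are the first thing to check.

```cisco
firewall transparent
! physical trunk ports carry no name of their own; each VLAN gets its own subinterface pair
interface GigabitEthernet0/1
 no nameif
 no security-level
interface GigabitEthernet0/2
 no nameif
 no security-level
!
! --- VLAN 10 / first VRF: one bridge group per VLAN (assumed) ---
interface GigabitEthernet0/1.10
 vlan 10
 nameif OUTSIDE-10
 security-level 0
 bridge-group 10
interface GigabitEthernet0/2.10
 vlan 10
 nameif INSIDE-10
 security-level 100
 bridge-group 10
interface BVI10
 ip address 192.0.2.35 255.255.255.248
!
! --- VLAN 20 / second VRF (assumed) ---
interface GigabitEthernet0/1.20
 vlan 20
 nameif OUTSIDE-20
 security-level 0
 bridge-group 20
interface GigabitEthernet0/2.20
 vlan 20
 nameif INSIDE-20
 security-level 100
 bridge-group 20
interface BVI20
 ip address 192.0.2.43 255.255.255.248
!
! --- Layer-3 policy: only BGP and ICMP between the router and the switch, both directions ---
access-list L3-POLICY extended permit tcp any any eq bgp
access-list L3-POLICY extended permit icmp any any
access-group L3-POLICY in interface OUTSIDE-10
access-group L3-POLICY in interface INSIDE-10
access-group L3-POLICY in interface OUTSIDE-20
access-group L3-POLICY in interface INSIDE-20
!
! --- Layer-2 policy: needed only for non-IP frames; keep it to what the segment actually uses ---
access-list L2-POLICY ethertype permit bpdu
access-group L2-POLICY in interface OUTSIDE-10
access-group L2-POLICY in interface INSIDE-10
access-group L2-POLICY in interface OUTSIDE-20
access-group L2-POLICY in interface INSIDE-20
!
! --- Verification: reset the counters, retry the ping/BGP session, then read them again ---
clear asp drop
show asp drop
! the bridge group should list both member interfaces, and the ARP table should show
! the router and switch addresses learned on the expected sides
show bridge-group 10
show arp
```

If the drop counters keep climbing under l2_acl after this, the frames are non-IP and not covered by the EtherType list; if the ping fails while nothing is counted as dropped, the frames never reached the bridge group, which with a trunk almost always means the VLAN tag has no matching subinterface.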
Support IPSec VPN Client in ASA Multiple Context Mode
I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
"IPsec sessions—5 sessions. (The maximum per context.)". Does it mean ASA Multiple Context Mode supports IPSec VPN Client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'll appreciate anyone who can clarify it.
Thanks, Jason.
(Please direct me to the right group if I'm not, for the first time I post it in the Cisco support forum)
This is from the v9.3 config-guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.) -
Are VPN Clients supported in multiple context mode?
Hi,
Recently our company has bought two Cisco ASA 5515-X firewalls for our datacenter. I am new to configuring a Cisco ASA but so far things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
I want to configure VPN Client functionality for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
- Is VPN Client supported in Multiple Context mode?
- What is AnyWhere Essentials vs Premium Peers?
Boudewijn
Here is some additional output from the current configuration:
Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
Device Manager Version 7.1(3)
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0024
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
Hi,
No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
The only type of VPN supported in the newer 9.x software is L2L VPN / Site-to-Site VPN
This might answer the VPN Licensing related question
http://packetpushers.net/cisco-asa-licensing-explained/
I never seem to remember it exactly myself even.
- Jouni -
Active/standby in multiple context mode
Is active/standby configuration possible in multiple context mode? I cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents), as the ASA will trigger failover if one of the contexts fails
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
Multiple context mode and Active Active
Hi Everyone,
ASA in multiple context mode works as active active mode.
ASA has 2 contexts admin and x.
We have 2 physical ASA say ASA1 and ASA2 .
Under system context we have hostname ASA
When i ssh to ASA1 it brings the ASA/admin mode.
sh failover shows
This host: Primary
When i try to login to ASA 2 it brings me to ASA/x prompt.
sh failover shows
This context: Active
Peer context: Standby Ready
Need to know is there any way that i can login to other physical ASA?
i hope my question makes sense.
Message was edited by: mahesh parmar
Hi Mahesh,
To me it seems that you are logging in to different contexts in these 2 cases.
Normally an admin always logs in to the "admin" context IP address, owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
Then go to the context "x" and issue the command "show run interface"
Now check the IP addresses on the interfaces.
Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally lead you to the "admin" context.
For example
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
If the above were true you would connect to the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit
- Jouni