ASA multiple context

Unanswered Question
Jun 13th, 2008

What is multiple context on the ASA do?

I have multiple customers that go into my ASA 5540 firewall to access certain resources/vlan on the internal network. Is multiple context applies to this scenario? Is this a best practice?

thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
francisco_1 Fri, 06/13/2008 - 08:58

With multiple context mode, you can enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policies, routing table, and administrators. In Cisco ASA, these virtual firewalls are known as security contexts.

The following are some example scenarios in which security contexts are useful in network deployments:

You act as a service provider and you want to provide firewall services to customers.However, you do not want to purchase additional physical firewalls for each customer.

You administer a large enterprise with different departmental groups, and each department wants to implement its own security policies.

You have overlapping networks in your organization and you want to provide firewall services to all of those networks without changing the addressing scheme.

You currently manage many physical firewalls and you want to integrate security policies into one physical firewall.

so in your case you have clients connecting to your firewall via vpn to access internal resources, then you dont need to apply any addtional context to your firewall.

kope@northropgr... Fri, 06/13/2008 - 10:23

so i have three customers want to access my internal network through the firewall.

My internal network have VLAN 10,20,30,40,and

50.

Customer A want to access only VLAN 10

Customer B want to access only VLAN 10,20

Customer C want to access only VLAN 10,20,30,40,50.

Is mulitiple security context apply to this scenario? Or i just better to go with a Single context mode? Security is my main concern, is Multiple security context makes it more secure here? Ther reason i said that is they can have their own routing table.

Is this making sense? Thanks.

francisco_1 Sat, 06/14/2008 - 08:40

you are only routing the traffic for the customers through the ASA then no need for multiple security context. how are they accessing the internal network? via vpn?

all you will need to do is enable routing on the ASA to route to the different vlans on the internal networks and apply ACL rule to restrict connectivity.

Actions

This Discussion