ASA 5520 virtual firewalls & SSL VPN

kosalasuranjith
Level 1

We are going to install two ASA 5520 boxes with HA (Active-Active or Active-Passive).

The boxes include 50 context licenses (virtual firewalls) and 750 SSL VPN licenses each.

Is it impossible to use the VPN and context licenses with HA?

10 Replies

Hi,

If you are configuring the ASA firewalls in multiple context mode, then you cannot use features like VPN, dynamic routing, etc.

If you go for Active/Active HA, you must have multiple contexts, and so IPsec or SSL VPN cannot be enabled.

Is it the same if we configure Active-Passive mode?

Well, it's obviously not the same. Active/Active lets you load-share the traffic across the two firewalls, which is a better use of resources. However, it sometimes makes it pretty difficult to troubleshoot network problems. If your primary WAN/internet link satisfies your needs, you can go with Active/Passive. The same would also be true for the ASA throughput: if the throughput of one firewall suffices, you can go for Active/Passive. However, to run VPNs this is your only choice on the Cisco platform.

Regards

Farrukh

I mean that if we configure two ASAs in Active/Passive mode, can't we still use virtual firewalls and VPNs?

In Active/Passive mode you can use VPNs. However, to run virtual firewalls you have to go into 'mode multiple'. As soon as you do that, you have to say bye-bye to VPNs, dynamic routing and some other features.

Regards

Farrukh

Hi all

How come Cisco ASA can't support VPNs in multi-context mode if you dedicate physical interfaces with different public IPs to each firewall?

I was thinking of integrating our office FW with our new production ASA 5520 and doing a virtual A/S setup.

But killing VPN support isn't even an option.

Cisco must fix this imo :)

Yes I totally agree, we must all push Cisco for this. You should start with your account manager.

Regards

Farrukh

Good news, everyone.

Talked with our company's account manager and he informed me that VPN support is being worked on and should be released during 2008.

Let's get something clear here:

- Active/Active in ASA will NOT provide load-sharing from the same source. For example, if you have a host 192.168.1.1 behind a pair of ASAs in Active/Active mode, load-sharing will not be possible by splitting the traffic from host 192.168.1.1 through both ASAs. ASA in Active/Active mode is like HSRP with multiple groups.

Other firewall vendors such as Checkpoint and/or Nokia have IPSO clustering and ClusterXL that allow load-sharing through multiple firewalls from the same source. Checkpoint can do up to 32-node clusters. In other words, you can load-share traffic through 32 nodes from the same source, and you can terminate VPN in Active/Active mode as well. These features have been available for almost 5 years now.
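As an added illustration (not configuration from any poster in this thread), here is the system-execution-space skeleton of the Active/Active design the replies describe: two failover groups, each context joined to one, so that each group is active on exactly one unit at a time, much like separate HSRP groups. The commands are standard ASA multiple-mode failover syntax; the interface names, VLAN numbers and addresses are assumptions, and as the thread states, VPN and dynamic routing are not available inside the contexts.

```cisco
! System execution space of the primary ASA (added example; interface names,
! VLANs and addresses are assumptions, not values from the thread)
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120
!
! Failover LAN link; the stateful link shares the same interface here
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link folink
!
! Two failover groups, each active on exactly one unit at a time (like two
! HSRP groups); a single host's flows are never split across both ASAs
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Each customer context joins one group. As the thread states, IPsec/SSL VPN
! and dynamic routing cannot be configured inside these contexts.
context office
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/office.cfg
 join-failover-group 1
context production
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/production.cfg
 join-failover-group 2
failover
```

Note that `mode multiple` reloads the unit, so in practice it is entered first and the rest is applied after the reboot; the secondary unit only needs the failover LAN commands with `failover lan unit secondary`, and it then pulls the remaining configuration from the primary.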

Dear All,

This was a discussion we had about a year ago.

But I think we are still not getting the solution. Hope that I'm correct.

We still can't create IPsec VPN tunnels etc. in multiple context mode.

We are facing problems, because Cisco is not going to provide this feature.

Can anybody inform us if there are any updates?

Regards,

Kosala
