multiple security contexts - ASA 5500 no VPN support

Unanswered Question
Nov 16th, 2008

I need a workaround - I have upgraded my ASA to support multiple contexts (two of my clients share infrastructure but maintain two separate ISPs), and now I don't have VPN for 40+ remote locations.

nefkensp Mon, 11/17/2008 - 04:31

I'm sorry to tell you that, but as far as I know, also in ASA 8.0.4, it is not possible to have VPNs in combination with multiple contexts. The commands are not supported.

The workaround, I think, is extra hardware, be it a router or another ASA as VPN terminator, which you route through the correct context if necessary.

Kind regards

P-J Nefkens

srue Mon, 11/17/2008 - 06:18

Because of the way multiple contexts classify packets, I don't think VPNs will ever be possible in this configuration.

Like the other poster said, you need more hardware.

Or do away with multiple contexts and instead use subinterfaces and correctly configured ACLs to keep their traffic separate.

Also try private VLANs.

dancarrick Mon, 11/17/2008 - 14:16

Hmmm, thanks for the information. The issue I have is that there are two clients that are sharing the ASA hardware (and internal L2 devices), whilst maintaining separate ISPs, so multiple contexts is the way to achieve this, as I cannot do PBR on the ASA and there are cost constraints on additional hardware - otherwise I would have a router for PBR.

I may be able to utilise a VPN3005 for the VPN tunnel end point and client VPN.

I haven't been able to find any configuration examples / design documents for implementing a VPN concentrator as well as the ASA - any further help would be greatly appreciated.


