Natting with multiple context

Unanswered Question
Aug 24th, 2010

Hi All,

Can natting be done on a multiple context ASA? So basically if all 10 different contexts on the ASA want to NAT their internal IPs, can they do that? How about static NAT?

Thanks

sidcracker Tue, 08/24/2010 - 21:30

Thanks Nagaraja for the URL. Are there any limitations for natting that you are aware of? Or can multi context do exactly what a single context does?

My other question: I know that threat detection is not supported in multi context, but how about the IPS SSM module?

Thanks

Nagaraja Thanthry Tue, 08/24/2010 - 21:38

Hello,

All NAT features are supported in multiple context mode just like single context mode. As long as you are not re-using addresses on the outside interfaces of different contexts, you should be fine.

It seems like you can use the IPS module also in the multiple context mode.

Here is a link that outlines the configuration requirements:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/i...

tml#wp1091984

Hope this helps.

Regards,

NT

sidcracker Wed, 08/25/2010 - 18:12

Hi Nagaraja,

Thanks for your help in this matter. If I were to allocate resources for contexts, what would be the best configuration to input when I have about 10 customers in the ASA? Is it best to allow unlimited connections from all customers, or is it advisable to limit the configurations? I have read the Cisco guide for resources but just wanted to understand what the best practice implemented by other organizations is.

Thanks

Phillip Strelau Mon, 08/30/2010 - 13:32


Hi NT,

Best practices would have you limiting the amount of resources each context is able to consume. Let's take a scenario where one context is under a DoS attack. If you allow this context unlimited access to all resources, it will starve other contexts from being able to access these resources. By limiting each context to a predetermined limit of resources you can prevent this from occurring. Best practices would also be to monitor the contexts for some time before implementing such limitations so that you will not block legitimate traffic.


--Phil
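
The per-context limits described in the reply above, sketched as an added example that is not part of the original thread: a resource class defined in the system execution space and assigned to each customer context. The class name, context names and every numeric limit are constructed placeholders; size real limits from the usage observed during the monitoring period.

```cisco
! Added example. Enter from the system execution space (changeto system).
! Class name, context names and all numbers below are constructed.
!
! One class shared by the customer contexts. With 10 members at 10% each,
! connections are fully allocated but not oversubscribed.
class customer-limits
  ! Concurrent connections: this resource has a platform system limit,
  ! so a percentage is accepted.
  limit-resource conns 10%
  ! Resources with no system limit take absolute values only.
  limit-resource xlates 20000
  ! Rate limits are per second; they cap how fast one context under
  ! attack can create connections or generate syslog messages.
  limit-resource rate conns 2000
  limit-resource rate syslogs 500
!
! Assign the class to each customer context (the contexts already exist).
context customer1
  member customer-limits
context customer2
  member customer-limits
!
! Contexts left without a member statement stay in the default class,
! which is unlimited for most resources unless it is also restricted.
!
! Baseline before enforcing and check for denied allocations afterwards:
!   show resource usage context customer1
!   show resource usage summary
!   show resource allocation
```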
