Security Context

estelamathew
Level 2

Hello Dears,

Question 1: Can we have two ASAs Active/Active in single mode?

Answer:

What I know about contexts is:

Question 2: If we have two ASAs with Context-A and Context-B, then ASA-1 will be active for Context-A and standby for Context-B. For ASA-2, Context-B will be active and ASA-1 will be standby. Please correct me if I'm wrong?

Answer:

Thanks,


10 Replies

Jennifer Halim
Cisco Employee

Question 1: No, the ASA needs to be in multiple context mode to support more than one context.

Question 2: Yes, you can configure both context A and context B to be active on ASA-1, or alternatively you can configure context A to be active on ASA-1 and context B to be active on ASA-2.

Hope that answers your questions.

Nagaraja Thanthry
Cisco Employee

Hello,

You can certainly have multiple contexts being active on a single firewall.

The failover pair is just for redundancy.

Here is a useful link on configuring a multiple-context firewall:

http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Hope this helps.

Regards,

NT

Hello Dears,

For a single customer, do we need to create multiple contexts? I'm sure we don't need to, but if I want to, can I communicate between contexts? Suppose I'm creating contexts for a single customer; does that mean I'm separating the customer's subnets/VLANs? Please correct me if I'm wrong.

Thanks.

You definitely need to be in multiple context mode before you can configure any context within an ASA.

It requires a reboot when you change the ASA from single to multiple context mode, and to run Active/Active failover, the ASA needs to be in multiple context mode.

Hello Halijenn,

I'm planning to configure an ASA for one customer, and he is insisting on configuring it in multiple context mode so that he can achieve an Active/Active session from the firewall. With the ASA dedicated to one customer, do we really need to create multiple contexts within that customer?

USER GUIDE SAYS:

Multiple security contexts in the following situations. Please answer the questions below.

• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

OK.

• You are a large enterprise or a college campus and want to keep departments completely separate.

Answer: when departments don't want to talk to each other; please correct me if I'm wrong. If the departments want to communicate, then we would have created...?

• You are an enterprise that wants to provide distinct security policies to different departments.

Answer: ?

• You have any network that requires more than one security appliance.

Answer: what can this situation be?

Thanks

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Supported: Active/Active means that the customer can direct their traffic into two, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.

halijenn wrote:

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Supported: Active/Active means that the customer can direct their traffic into two, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.

Thanks for your precious help,

Please find the attached.

We have to manually load balance the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram. Correct me if I'm wrong?

I can't perfectly understand the lines below; can you explain more?

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.

ANSWER:

Estela,

Thanks for the .png attachment. What halijenn said is not supported is this:

Context 1 can only process traffic from and to 10.1.1.0/24

Context 2 can only process traffic from and to 10.1.2.0/24

or they can switch roles and

Context 1 can process traffic from and to 10.1.2.0/24

Context 2 can process traffic from and to 10.1.1.0/24

At no time can both contexts process traffic for both 10.1.1.0/24 and 10.1.2.0/24.

Act/Act failover can only load balance on a PER CONTEXT basis and not load balance over all traffic. Is this clear? If not, please post your question.

-KS
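As an added illustration (not part of any post in this thread), the following system execution space configuration on the primary unit shows why Active/Active works per context: each context belongs to exactly one failover group, and each group is active on only one unit. Context names, interface and VLAN numbers, the failover-link addressing and the router next-hop addresses are assumptions; the two subnets are the ones discussed above.

```text
! System execution space of the PRIMARY unit (ASA-1). Added example, not from the thread.
mode multiple
!
! Failover link (assumed interface and addressing); the same link carries state
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
!
! Sub-interfaces handed to the contexts (assumed VLAN IDs)
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
!
! Failover group 1 is active on the primary unit (ASA-1),
! failover group 2 on the secondary unit (ASA-2).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! ctx1 (10.1.1.0/24) joins group 1: active on ASA-1, standby on ASA-2.
context ctx1
 allocate-interface GigabitEthernet0/0.101 inside
 allocate-interface GigabitEthernet0/1.201 outside
 config-url disk0:/ctx1.cfg
 join-failover-group 1
!
! ctx2 (10.1.2.0/24) joins group 2: active on ASA-2, standby on ASA-1.
context ctx2
 allocate-interface GigabitEthernet0/0.102 inside
 allocate-interface GigabitEthernet0/1.202 outside
 config-url disk0:/ctx2.cfg
 join-failover-group 2
!
failover
!
! The split is done by the surrounding routing, not by the ASA: a context is
! never active on both units, so the upstream router (IOS syntax, assumed
! next hops) must send each subnet to the context that owns it:
!   ip route 10.1.1.0 255.255.255.0 10.1.201.1   (ctx1 outside interface)
!   ip route 10.1.2.0 255.255.255.0 10.1.202.1   (ctx2 outside interface)
```

If ASA-1 fails, group 1 becomes active on ASA-2 and both contexts run there; the traffic split above is unchanged because the router still sends each subnet to the same context address.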

Hello Halijenn/Kusankar,

Thanks for explaining Answer 2, NOT SUPPORTED; it is very clear to me now.

For Answer 1, SUPPORTED: is the statement below correct?

We have to manually direct the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram in my previous mail. Correct me if I'm wrong?

Yes, you are absolutely correct.
