Security Context

estelamathew
Level 2

Hello Dears,

Question-1: Can we have 2 ASAs Active/Active in single mode?

Answer:

What I know about contexts is:

Question-2: If we have 2 ASAs with Context-A and Context-B, then ASA-1 will be active for Context-A and standby for Context-B; for ASA-2, Context-B will be active and ASA-1 will be standby. Please correct me if I'm wrong.

Answer:

Thanks,


10 Replies

Jennifer Halim
Cisco Employee

Question-1: No, the ASA needs to be in multiple context mode to support more than one context.

Question-2: Yes, you can configure both contexts A and B to be active on ASA-1, or alternatively you can configure context A to be active on ASA-1 and context B to be active on ASA-2.

Hope that answers your questions.

Nagaraja Thanthry
Cisco Employee

Hello,

You can certainly have multiple contexts being active on a single firewall.

The failover pair is just for redundancy.

Here is a useful link on configuring multiple context firewall.

http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Hope this helps.

Regards,

NT

Hello Dears,

For a single customer, do we need to create multiple contexts? I'm sure we don't need to, but if I want to, can I communicate between contexts? Suppose I'm creating contexts for a single customer; does that mean I'm separating the customer's subnets/VLANs? Please correct me if I'm wrong.

Thanks.

You definitely need to be in multiple context mode before you can configure any context within an ASA.

It requires a reboot when you change the ASA from single to multi context mode, and to run Active-Active failover, the ASA needs to be in multi context mode.
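The sequence described above (switch the unit to multiple context mode, reload, then build Active/Active out of failover groups), as an added worked configuration that is not part of this thread and not taken from Cisco's documentation. It is written for the system execution space of ASA 8.x-era software on the unit that will be the primary failover unit; the context names ctx1/ctx2, the VLAN numbers, the port assignments, the failover-link addressing and the shared secret placeholder are all assumptions, and the `!` lines are explanatory annotations to strip before pasting:

```cisco
! --- exec mode: convert single -> multiple context mode. The ASA asks to
! --- convert the running config into the admin context and then reloads.
mode multiple

! --- config mode, system execution space, after the reload ---
! Sub-interfaces (VLANs) are created in the system space and then allocated
! to contexts. Assumed: VLAN 10/20 inside, VLAN 110/120 outside.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
interface GigabitEthernet0/3
 no shutdown

! Failover link (also used as the stateful-failover link here; use a second
! port if one is free). Authenticate the failover messages with a key.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>

! Two failover groups. Group 1 is normally active on the primary unit and
! group 2 on the secondary unit; "preempt" returns a group to its preferred
! unit after that unit recovers. A context is active wherever its group is.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

! Admin context (management only), then the two customer-facing contexts.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! ctx1 handles 10.1.1.0/24; it follows group 1, so it is active on ASA-1.
context ctx1
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1.110 outside
 config-url disk0:/ctx1.cfg
 join-failover-group 1

! ctx2 handles 10.1.2.0/24; it follows group 2, so it is active on ASA-2.
! (A context that is not explicitly joined to a group lands in group 1.)
context ctx2
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1.120 outside
 config-url disk0:/ctx2.cfg
 join-failover-group 2

! Enable failover last, once the secondary unit is cabled. The secondary
! needs only the "failover lan ..." lines with "failover lan unit secondary"
! plus "failover"; the rest of the configuration replicates from the primary.
failover
```

Two points to check before proposing this design to the customer: `show failover` in the system space shows which unit currently owns each failover group (that is what "Active/Active" means on an ASA, nothing more), and multiple context mode has historically excluded features such as remote-access VPN and dynamic routing protocols, so the release's feature list for multiple context mode should be read first.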

Hello Halijenn,

I'm planning to configure an ASA for 1 customer, and he is insisting on configuring it in multiple context mode so that he can achieve Active/Active from the firewall. For an ASA dedicated to 1 customer, do we really need to create multiple contexts within that customer?

USER GUIDE SAYS:

Multiple security contexts are useful in the following situations. Please answer the questions below.

• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

OK,

• You are a large enterprise or a college campus and want to keep departments completely separate.

Answer: when departments don't want to talk to each other, please correct me if I'm wrong. If the departments do want to communicate, then would we have created them?

• You are an enterprise that wants to provide distinct security policies to different departments.

Answer: ?

• You have any network that requires more than one security appliance.

Answer: what can this situation be?

Thanks

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Supported: Active/Active means that the customer can direct their traffic into the 2 ASAs, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASAs dynamically load balance the traffic between the 2 firewalls.

halijenn wrote:

The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.

Supported: Active/Active means that the customer can direct their traffic into the 2 ASAs, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASAs dynamically load balance the traffic between the 2 firewalls.

Thanks for your precious help,

Please find the attached.

We have to manually load balance the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram. Correct me if I'm wrong.

I can't understand the lines below perfectly; can you explain more?

Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASAs dynamically load balance the traffic between the 2 firewalls.

ANSWER:

Estela,

Thanks for the .png attachment. What halijenn said is not supported is this:

Context 1 can only process traffic from and to 10.1.1.0/24

Context 2 can only process traffic from and to 10.1.2.0/24

or they can switch roles and

Context 1 can process traffic from and to 10.1.2.0/24

Context 2 can process traffic from and to 10.1.1.0/24

at no time can both contexts process traffic for both 10.1.1.0/24 and 10.1.2.0/24

Act/Act failover can only load balance on a PER CONTEXT basis, not load balance over all traffic. Is this clear? If not, please post your question.

-KS

Hello Halijenn/Kusankar,

Thanks for explaining Answer 2, NOT SUPPORTED; it is very clear to me now.

For Answer 1, SUPPORTED: Is the statement below correct?

We have to manually direct the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram in my previous mail. Correct me if I'm wrong.

Yes, you are absolutely correct.
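What "manually direct the traffic" looks like in configuration, as an added example that is not from this thread. It assumes two contexts, ctx1 (in failover group 1, normally active on ASA-1) and ctx2 (in failover group 2, normally active on ASA-2), each allocated sub-interfaces under the mapped names inside and outside, a single upstream IOS router, and the 10.1.1.0/24 and 10.1.2.0/24 subnets from the thread; the outside addressing is made up, and the `!` lines are explanatory annotations to strip before pasting:

```cisco
! ===== ctx1.cfg (changeto context ctx1) : owns 10.1.1.0/24 =====
! The active IP (10.1.1.1) is always held by whichever unit currently owns
! failover group 1; the standby IP (10.1.1.2) sits on the other unit. Hosts
! in 10.1.1.0/24 use 10.1.1.1 as their gateway and never have to change it.
interface inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
route outside 0.0.0.0 0.0.0.0 192.0.2.6
! NAT and access policy for this customer subnet go here.

! ===== ctx2.cfg (changeto context ctx2) : owns 10.1.2.0/24 =====
! Same pattern, but group 2 is normally active on ASA-2, so under normal
! conditions 10.1.2.1 lives on ASA-2 and 10.1.2.2 on ASA-1.
interface inside
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.9 255.255.255.248 standby 192.0.2.10
route outside 0.0.0.0 0.0.0.0 192.0.2.14
! NAT and access policy for this customer subnet go here.

! ===== upstream IOS router: the "manual direction" of return traffic =====
! Each customer subnet is pinned to the context that owns it. This is the
! supported case: two subnets, two contexts, two active units.
ip route 10.1.1.0 255.255.255.0 192.0.2.1
ip route 10.1.2.0 255.255.255.0 192.0.2.9

! There is no equivalent for the unsupported case: no ASA command lets ctx1
! and ctx2 answer for one shared gateway address covering both subnets and
! split the flows between ASA-1 and ASA-2. If both units must forward for
! the same subnet, that split has to come from outside the firewalls
! (routing or a load balancer in front), not from Active/Active failover.
```

Failure behaviour follows from the addressing: if ASA-1 dies, group 1 moves to ASA-2, 10.1.1.1 and 192.0.2.1 move with it, and the router's static routes keep working without change; the subnet was never being served by both units at once, which is exactly the per-context limitation KS describes above.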
