I need to find out whether the ASA 5500-X Series Next-Generation Firewalls are VRF-Aware using the latest IOS Version (9.1.x / 9.2.x). I have searched the Release Notes for the IOS Versions but am not finding anything. I do believe that this is not a supported feature yet.
I also have this requirement for an ASA to be "VRF aware" as you put it. My take on this though is to map an ASA security context to each VRF. However, one thing I can't find out is whether I can run separate instances of OSPF in an ASA context? According to the Cisco support docs OSPF is only supported in single context mode on the 5500 series, but I'm not sure whether this has changed with the next generation 5500X series - can anyone help with this?
You can run separate dynamic routing protocols in each ASA Context, as well as use L2L VPN out of each context. QoS is one of the only caveats left between single and multiple context mode.
Just have a transit VLAN to each context in a separate VRF, run VRF-aware routing protocols on that VRF, and treat each context on the other end of the transit VLAN / sub-interface separately, and form a neighborship with the Core switch/router.
If what you are asking is MULTIPLE processes in the same context, the answer is - Here it is working in single context mode:
TESTERRRR# sh ospf interface
tomado is up, line protocol is up
  Internet Address 10.1.1.1 mask 255.255.255.0, Area 0
  Process ID 3, Router ID 220.127.116.11, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:04
    Wait time before Designated router selection 0:00:34
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
lettuce is up, line protocol is up
  Internet Address 10.2.1.1 mask 255.255.255.0, Area 0
  Process ID 4, Router ID 10.230.28.254, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.230.28.254, Interface address 10.2.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
But I have not tried it in multiple context mode.
Better to have ONE process, and multiple Contexts, connected upstream to different VRFs.
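As an added example (not from this thread or from Cisco documentation), here is one way to lay out the design described above: a core IOS switch with one VRF per tenant, a dot1q transit VLAN per VRF, and an ASA in multiple-context mode with one context per VRF, each context running its own OSPF process toward only its VRF. Interface names, VLAN number, addresses, VRF and context names are assumed; repeat the three blocks for each additional VRF/context pair.

```cisco
! --- Core switch (IOS): one VRF and one transit SVI per ASA context (assumed names/addresses)
vrf definition RED
 address-family ipv4
 exit-address-family
!
interface Vlan101
 description transit to ASA context RED
 vrf forwarding RED
 ip address 10.1.1.2 255.255.255.0
!
! OSPF process bound to the VRF, so adjacencies and routes never cross into another VRF
router ospf 101 vrf RED
 router-id 10.1.1.2
 network 10.1.1.0 0.0.0.255 area 0
!
! --- ASA, system execution space: multiple mode, one sub-interface per transit VLAN
mode multiple
!
interface GigabitEthernet0/0.101
 vlan 101
!
! Only this sub-interface is allocated to the context, so context RED can reach VRF RED and nothing else
context RED
 description tenant RED, peers with VRF RED on the core
 allocate-interface GigabitEthernet0/0.101
 config-url disk0:/RED.cfg
!
! --- ASA, inside context RED (RED.cfg): its own OSPF process facing only the RED transit VLAN
interface GigabitEthernet0/0.101
 nameif transit-red
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
router ospf 1
 router-id 10.1.1.1
 network 10.1.1.0 255.255.255.0 area 0
```

On the core, `show ip ospf 101 neighbor` should list only 10.1.1.1; a neighbor from one context appearing under another VRF's process means a VLAN or allocation was crossed and the per-tenant separation the design relies on is broken.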