Cisco Support Community

New Member

ASA 5520 virtual firewalls & SSL VPN

We are going to install two ASA 5520 boxes with HA (Active-Active or Active-Passive).

The boxes include 50 context licenses (virtual firewalls) and SSL VPN licenses, 750 Nos. each.

Is it impossible to use VPNs and context licenses with HA?

10 REPLIES

Re: ASA 5520 virtual firewalls & SSL VPN

Hi,

If you are configuring the ASA firewalls in multi-context mode, then you cannot use features like VPN, dynamic routing, etc.

If you go for Active/Active HA, you must have multiple contexts and so IPSec or SSL VPN cannot be enabled.

New Member

Re: ASA 5520 virtual firewalls & SSL VPN

Is it the same if we configure Active-Passive mode?

Re: ASA 5520 virtual firewalls & SSL VPN

Well, it's obviously not the 'same'. Active/Active lets you load share the traffic across the two firewalls, which is a better use of resources. However, sometimes it makes it pretty difficult to troubleshoot network problems. If your primary WAN/internet link satisfies your needs, you can go with Active/Passive. The same would also be true for the ASA throughput. If the throughput of one firewall suffices, you can go for Active/Passive. However, to run VPNs this is your only choice on the Cisco platform.

Regards

Farrukh

New Member

Re: ASA 5520 virtual firewalls & SSL VPN

I mean, if we configure two ASAs in Active/Passive mode, can't we still use virtual firewalls and VPNs?

Re: ASA 5520 virtual firewalls & SSL VPN

In Active/Passive mode you can use VPNs. However, to run virtual firewalls you have to go into 'mode multiple'. As soon as you do that, you have to say bye-bye to VPNs, dynamic routing and some other features.

Regards

Farrukh

New Member

Re: ASA 5520 virtual firewalls & SSL VPN

Hi all

How come Cisco ASA can't support VPNs in multi-context mode if you dedicate physical interfaces with different public IPs for each firewall?

I was thinking of integrating our office FW with our new production ASA 5520 and doing a virtual a/s setup.

But killing VPN support isn't even an option.

Cisco must fix this imo :)

Re: ASA 5520 virtual firewalls & SSL VPN

Yes I totally agree, we must all push Cisco for this. You should start with your account manager.

Regards

Farrukh

New Member

Re: ASA 5520 virtual firewalls & SSL VPN

Good news everyone

Talked with our company's account manager and he informed me that VPN support is being worked on and should be released during 2008.

Silver

Re: ASA 5520 virtual firewalls & SSL VPN

Let's get something clear here:

- Active/Active in ASA will NOT provide load-sharing from the same source. For example, if you have a host 192.168.1.1 behind a pair of ASA in Active/Active mode, load-sharing will not be possible by splitting the traffic from host 192.168.1.1 through both ASA. ASA in Active/Active mode is like HSRP with multiple groups.

Other firewall vendors such as Checkpoint and/or Nokia have IPSO clustering and ClusterXL that will allow load-sharing through multiple firewalls from the same source. Checkpoint can do up to 32-node clusters. In other words, you can load-share traffic through 32 nodes from the same source, and you can terminate VPN in Active/Active mode as well. These features have been available for almost 5 years now.

New Member

Re: ASA 5520 virtual firewalls & SSL VPN

Dear All,

This was a discussion we had about a year ago.

But I think we are still not getting the solution. Hope that I'm correct.

We still can't create IPSec VPN tunnels etc. in multi-context mode.

We are facing problems, because Cisco is not going to provide this feature.

Can anybody inform us if there are any updates?

Regards,

Kosala
