ASA NG 5515-X multicontext support for WSE/AVC and IPS

remi-reszka
Level 1

Hello,

I am designing network security with Cisco ASAs. I have redundant core / distribution switching in VSS and 2 ASAs (Active / Standby), and I am trying to evaluate whether I could run multiple security services on one pair of ASAs in virtual contexts rather than deploying more ASAs. I need to run a DMZ, so that could go in one virtual context. Then I need to run WSE, AVC and possibly IPS to protect internal users' LANs and also deploy web and application security; here I am not sure whether that is supported in a virtual context and with an active/standby setup. Apart from that I need to protect the servers with FW rules and IPS; here there is also a dilemma whether this will work in a virtual context and an active / standby setup.

What would you recommend: having a separate pair of ASAs for each security service, or could I do all that with one pair of ASAs and a multi-context setup?

Thanks in advance for quick and informative responses.

Remi

9 Replies

Marvin Rhoads
Hall of Fame

Remi,

NGFW services (WSE, AVC and IPS, depending on your license) are supported on ASAs operating in multi-context mode. The catch is that the NGFW services aren't aware of the contexts per se (as of this time). So you have a single policy set configured in PRSM for a given ASA (or ASA HA pair) that will apply to all your traffic.

Of course, each context has its own service-policy that is used to direct the appropriate traffic to the CX module for inspection and policy enforcement.

Hope this helps.
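What the per-context service policy looks like in practice, as an added example that is not configuration from the original thread. It assumes a hypothetical two-context layout (a "users" context whose LAN client subnets are redirected to the CX module, and a "dmz" context that carries no cxsc action at all, so DMZ flows never enter the module); context names, interface numbers, VLANs and addresses are assumptions.

```cisco
! Added example (not from the original thread). Names, interfaces and
! addresses are hypothetical; only the command syntax is the ASA's own.

! ---- system execution space: define the two security contexts ----
context users
  allocate-interface GigabitEthernet0/1.10 inside
  allocate-interface GigabitEthernet0/0.100 outside
  config-url disk0:/users.cfg
context dmz
  allocate-interface GigabitEthernet0/1.20 dmz
  allocate-interface GigabitEthernet0/0.200 outside
  config-url disk0:/dmz.cfg

! ---- inside context "users": redirect only the client subnet to CX ----
! The ACL is what scopes the redirect; PRSM itself has no "context" operator,
! so the PRSM policy for these hosts is written against the same 10.10.0.0/16.
access-list CX_REDIRECT extended permit ip 10.10.0.0 255.255.0.0 any
class-map CX_CLASS
  match access-list CX_REDIRECT
policy-map global_policy
  class CX_CLASS
    cxsc fail-close
service-policy global_policy global

! ---- inside context "dmz": ordinary inspection, no cxsc action anywhere ----
! Because no class in this context invokes cxsc, DMZ traffic is never handed
! to the module, which is the property the thread relies on to keep DMZ
! flows apart from user and server flows.
class-map inspection_default
  match default-inspection-traffic
policy-map global_policy
  class inspection_default
    inspect http
service-policy global_policy global
```

Two checks worth doing after deploying something like this: in each context, `show service-policy cxsc` should list the redirect class only where you intended it (it should be empty in the DMZ context), and the choice between `cxsc fail-close` and `cxsc fail-open` should be deliberate, since fail-open passes the redirected traffic uninspected whenever the module is down or rebooting.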

Thanks Marvin. So the scenario I am describing would work, correct? All I need to do is configure various policy sets in PRSM and match the traffic globally based on certain rules that would be relevant to certain contexts?

Thanks,

Yes, that's the high level approach.

As long as you create your policies based on addresses and keep in mind that you don't have explicit context awareness in PRSM, then you should be fine.

OK cool. What is the purpose of the explicit context awareness in PRSM? Is it there but still not supported?

The only concern I have is about the DMZ on the same ASA pair. I guess it should be fine because I would not send any DMZ traffic to the CX module (where it would get mixed up with users' or servers' traffic), and since the DMZ would be on a separate virtual context the security would be maintained. Also, the DMZ will be kept on a separate VRF and will need to do VRF leaking from the DMZ inside VLAN into the servers VLAN in the services VRF.

How about sending both users' (for WSE and AVC) and servers' (for IPS) traffic into the same CX module? Would that work fine?

Thanks in advance,

Remi


The CX doesn't allow you to use context as an operator for policies. I am not informed on the internals, but it obviously knows which context a given flow came from or else it wouldn't know where to put the traffic "back into" the host ASA.

There should be no possibility of traffic co-mingling within the CX. It only acts as a tool to inspect and enforce policy on a given flow and then put it back to the ASA (when appropriate) for egress processing.

FYI you may want to review BRKSEC-2699 from Cisco Live! Milan earlier this year (available from http://www.ciscolive365.com). It has some good explanations about CX policies etc.

Sounds good, many thanks Marvin.

Best regards,

Remi

Hello Marvin,

I know we already closed this post, but could I just ask you something real quick? Whether my ASAs are in active/active or active/standby configuration, how about the licensing for WSE/AVC and IPS? Do I buy the licensing only for one box, or do I need to purchase it for each box separately? I can't seem to find much information on that.

Thanks very much in advance.

Remi

No problem.

Unfortunately you need licenses on both ASAs for the services to work (for either A/A or A/S mode). The CX modules don't share feature licenses like the base ASA does.

I will take it into consideration, thanks a lot Marvin!

Best regards,

Remi
