Cisco Support Community
ASA-X multiple context mode and CX

We have an ASA 5555X with two contexts and AVC, WSE and IPS licenses activated. All are upgraded to the latest software, ASA 9.2 and CX 9.3.

We plan to create two contexts, one for Internet and one for partners. Each context has its active context in one physical box and its standby context in the other physical box for load balancing and HA. The AVC, WSE & IPS CX filter is only enabled in the Internet context. Is this design fully supported?

(Not able to run clustering due to physical and switch limitations.)

 

Accepted Solutions
The current CX releases support multiple context ASA configurations. The only caution is that a given CX only supports a single set of policies, but in your use case that shouldn't be an issue.

Whether one, the other or both contexts direct traffic to the CX module for inspection via a service-policy, it will work OK and is a supported configuration. You cannot differentiate policies inside the CX based on which context the traffic comes from, but as long as you're OK with that restriction, there should be no issue.

If you're running in an HA pair (or have more CX modules elsewhere), it's recommended to use the separately licensed multiple device mode PRSM in a separate VM to keep the policies synchronized between the CX instances. Otherwise you need to make every change exactly the same in both CX units of an HA pair - there's no synchronization like there is in the base ASA when using single device mode (on-box) PRSM.
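A sketch of the per-context redirect described in the answer above, added here as an illustration and not taken from the original posts or from the poster's devices. The context name `internet` and the object names `CX_REDIRECT` and `CX_CLASS` are assumptions; the partners context simply carries no `cxsc` action, so its traffic never reaches the module.

```text
! Added example. Context and object names are assumed, not from the thread.
! Run from the system execution space on the ASA.
changeto context internet
configure terminal
!
! Select the traffic that should be inspected by the CX module.
access-list CX_REDIRECT extended permit ip any any
!
class-map CX_CLASS
 match access-list CX_REDIRECT
!
! fail-open keeps traffic flowing if the CX module is unavailable;
! use fail-close if uninspected traffic must be dropped instead.
policy-map global_policy
 class CX_CLASS
  cxsc fail-open
!
service-policy global_policy global
end
!
! Check that the redirect is active in this context.
show service-policy cxsc
!
! The partners context gets no cxsc action in its policy-map,
! so nothing from that context is sent to the CX module.
```

The CX policies themselves still have to match on both modules of the HA pair, as the answer notes, because only the ASA side of this configuration is replicated by failover.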
