02-01-2012 12:10 PM - edited 03-11-2019 03:22 PM
In the latest code, is VPN still disabled when using contexts? If you use a 5520 as an ISP based firewall for customers, then what would be used for VPN access? Also how many contexts does a 5520 support, and would putting 2 interfaces into an etherchannel for inside, and 2 for outside work? Reason I ask about that, the inside and outside would connect to 2 different core routers. It would be for an MPLS setup.
02-01-2012 12:37 PM
Multiple contexts (still) do not support VPN features. Reference here.
Per an entry just above that one (direct link), a base 5520 license supports 2 contexts and you can license upgrade to 5, 10 or 20.
Re the Etherchannel question, that could work. The advantages (vice just using separate individual physical interfaces per context) could be arguable depending on your use case.
02-01-2012 12:42 PM
But please remember that even though the newer ASA OS versions support adding the licenses together, you have to buy an upgrade license to upgrade your 5 to 15 contexts - if you have a 5 context license and buy a 10 context you have 10 and not 15...
02-01-2012 12:53 PM
Oh I understand Cisco licenses quite well. Several years of head banging when the wrong one is ordered has finally paid off. They all see me when ordering licenses! I have a print out of all the SKUs for the licensing.
If you start with 5, L-ASA-SC-5=, then to go to 10, L-ASA-SC-5-10=, next step up 10 to 20, L-ASA-SC-10-20=
Same with SSL licenses. Gets to be really annoying when renewing the CSC licenses.
So the 5520 max is 20 contexts. VPNs are still unsupported, and I can group interfaces together for increased throughput to avoid bottlenecks. What would be used to VPN access then, a router behind the ASA running ipsecurity plus IOS?
02-01-2012 01:13 PM
yes - these licenses can be a pain ;-)
regarding the vpns - I think that I would do the endpoint in front of the ASA on a router so that I could inspect the un-encrypted traffic...
best regards /ti
02-01-2012 01:18 PM
tahequivoice wrote:
... What would be used to VPN access then, a router behind the ASA running ipsecurity plus IOS?
A Juniper SRX.
Seriously - the usual answer: it depends. I've seen separate ASAs, routers running IPsec and even - yes - other vendors' firewalls. That's what keeps guys like us fully employed - figuring out the right set of solutions given the customer's requirements and equipment's capabilities.