Contexts and VPN

tahequivoice
Level 2

In the latest code, is VPN still disabled when using contexts? If you use a 5520 as an ISP-based firewall for customers, then what would be used for VPN access? Also, how many contexts does a 5520 support, and would putting 2 interfaces into an EtherChannel for inside, and 2 for outside, work? The reason I ask about that: the inside and outside would connect to 2 different core routers. It would be for an MPLS setup.

5 Replies

Marvin Rhoads
Hall of Fame

Multiple contexts (still) do not support VPN features. Reference here.

Per an entry just above that one (direct link), a base 5520 license supports 2 contexts and you can license upgrade to 5, 10 or 20.

Re the EtherChannel question, that could work. The advantages (vice just using separate individual physical interfaces per context) could be arguable depending on your use case.

But please remember that even though the newer ASA OSes support adding the licenses together, you have to buy an upgrade license to upgrade your 5 to 15 contexts - if you have a 5 context license and buy a 10 context you have 10 and not 15...

Oh, I understand Cisco licenses quite well. Several years of head banging when the wrong one is ordered has finally paid off. They all see me when ordering licenses! I have a printout of all the SKUs for the licensing.

If you start with 5, L-ASA-SC-5=, then to go to 10, L-ASA-SC-5-10=, next step up 10 to 20, L-ASA-SC-10-20=

Same with SSL licenses. Gets to be really annoying when renewing the CSC licenses.

So the 5520 max is 20 contexts. VPNs are still unsupported, and I can group interfaces together for increased throughput to avoid bottlenecks. What would be used for VPN access then, a router behind the ASA running ipsecurity plus IOS?

Yes - these licenses can be a pain ;-)

Regarding the VPNs - I think that I would do the endpoint in front of the ASA on a router so that I could inspect the unencrypted traffic...

best regards /ti

tahequivoice wrote:

... What would be used for VPN access then, a router behind the ASA running ipsecurity plus IOS?

A Juniper SRX.

Seriously - the usual answer: it depends. I've seen separate ASAs, routers running IPsec and even - yes - other vendors' firewalls. That's what keeps guys like us fully employed - figuring out the right set of solutions given the customer's requirements and equipment's capabilities.
