It really depends on what you are trying to achieve with your firewalls.
Multi mode is useful if you have a service-provider-type setup where you can allocate a context to each customer and give them control of their own virtual firewall. It can also be useful if you have different depts. within your company which are responsible for their own security.
Having said that, we use multiple contexts on our firewalls in our datacentre. It allows us to segregate the firewalls based on server function, which makes the access-lists more manageable, and we can also create a context on the firewall which maps to a context on our ACE blades.
There are however some downsides to using multi context which may or may not be an issue for you.
1) The context licenses themselves are not cheap as you are in effect buying multiple firewalls.
2) You cannot run a routing protocol on the FWSM's. In single mode you can use RIP or OSPF on the FWSM's but in multi mode you can only use static routing.
3) We are currently running v2.3 on our FWSM's which means you cannot have a mixture of routed vs transparent contexts. I believe this restriction has been lifted on v3.1 but it's worth checking.
Overall I'm comfortable with the decision we made and haven't found any of the restrictions too onerous. What I would suggest is that you work out how much firewalling you are actually going to be doing in terms of access-lists, statics etc., who needs access to the firewall (is it under single management or not) and if you are planning to deploy any of the other service modules.
Thanks for the answers. I do have another question. When you run FWSM in single mode you can create x number of virtual firewalls, correct? If that is true, then I can create different access-lists for each virtual firewall? I like the idea of segregating my servers via virtual firewalls. For example, web servers, application servers and DB servers. I would want to have them on different firewalls (virtually) from each other. Can I do this in single mode?
BTW: Management will be done by a single person, me (the green guy :-)).
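To show what the web/app/DB segregation discussed in this thread looks like on the box, here is an added example configuration (not taken from either poster's firewall). Security contexts exist only in multiple mode, so it starts from the system execution space and then shows two of the per-context configs; the 3.x-style `interface`/`nameif` syntax, the VLAN numbers, the RFC 5737 and RFC 1918 addresses and the host/port values are all assumptions chosen for illustration, and routing inside each context is static because multi mode does not allow a routing protocol.

```cisco
! ---- system execution space (constructed example, values are assumptions) ----
mode multiple
admin-context admin
context admin
  allocate-interface vlan10
  config-url disk:/admin.cfg
!
context web
  description Web tier - its own ACLs, managed in its own context
  allocate-interface vlan100
  allocate-interface vlan101
  config-url disk:/web.cfg
!
context app
  description Application tier
  allocate-interface vlan110
  allocate-interface vlan111
  config-url disk:/app.cfg
!
context db
  description Database tier - only the app tier may reach it
  allocate-interface vlan120
  allocate-interface vlan121
  config-url disk:/db.cfg

! ---- disk:/web.cfg : the web context's own config ----
interface vlan100
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0
interface vlan101
  nameif inside
  security-level 100
  ip address 10.10.1.1 255.255.255.0
! Only HTTPS to the published web address is allowed in; everything else is dropped.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
! Static default route: multi mode has no RIP/OSPF, so every context routes statically.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ---- disk:/db.cfg : the db context's own config (interfaces omitted, same pattern) ----
! Only the app-tier subnet may open SQL (assumed port 1433) to the DB servers;
! web-tier hosts never appear here, so a compromised web server has no path to the DB.
access-list APP_TO_DB extended permit tcp 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0 eq 1433
access-list APP_TO_DB extended deny ip any any
access-group APP_TO_DB in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.3.254 1
```

Each context keeps its own access-lists, so a change to the web tier's rules cannot accidentally widen what reaches the database tier, which is the manageability gain the earlier answer describes.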