Cisco Support Community
Community Member

5520 - security context - VPN access headaches

Dear Support,

Wondering if anyone can help me?

I am going to purchase two ASA5520s with Security Plus, and 2 x 20 security context licenses, to partition 10 departments in our environment. This is to maintain separation between departments and bill for internet bandwidth based on usage.

One problem: some of these departments need external VPN access (site-to-site and client-to-site). The security context documentation states this is not supported. When they say it is not supported, is that just within each security context, or not at all?

I am just worried I now need to do a single config for all 10 departments and will hit problems, as the maximum number of interfaces is 25 (where each department needs 4 interfaces: inside, outside, dmz1, dmz2). It also means the security context license would need to be returned to the supplier!

Thanks in advance,

Regards, Adrian.

Community Member

Re: 5520 - security context - VPN access headaches

Hi Adrian, when you run either the ASA series or PIX series in multiple context mode, VPN is not supported, so you would need a separate device to run the VPN access on. If it's only a small VPN requirement then something like the base model 5510 would be OK. Bring it in on a DMZ interface from the context that you require.

Hope this helps.


Community Member

Re: 5520 - security context - VPN access headaches

Hi Rob,

Thanks for your assistance; unfortunately deploying another 8-10 5510 ASAs to support the VPN is not viable.

I'm thinking of possibly looking at a set of Cisco 3000 series VPN concentrators. You wouldn't know if these can assign particular users to a specific VLAN when they connect?

The other option is to have a huge single config with separate VLANs on the outside, inside, dmz1 and dmz2 interfaces.

The version I have is below:

sh ver
Cisco Adaptive Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)
Compiled on Thu 19-Jan-06 15:02 by builders
System image file is "disk0:/asa711-k8.bin"
Config file at boot was "startup-config"
xx up 22 days 23 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0013.c480.f110, irq 9
1: Ext: GigabitEthernet0/1 : address is 0013.c480.f111, irq 9
2: Ext: GigabitEthernet0/2 : address is 0013.c480.f112, irq 9
3: Ext: GigabitEthernet0/3 : address is 0013.c480.f113, irq 9
4: Ext: Management0/0 : address is 0013.c480.f114, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Thanks again, regards Adrian.

Community Member

Re: 5520 - security context - VPN access headaches

Hi there. All you need is a single VPN concentrator: add the VPN private side to a shared DMZ interface which is shared among multiple contexts. You will have to use a shared interface because the VPN supports only a single private interface. Also make sure this shared interface is only used by the VPN and not by your servers, because traffic from a shared interface to another shared interface is not allowed. This is only if you are using a shared public interface to let all the site-to-site and remote access VPNs terminate on the VPN concentrator, and from there it will be given to the respective context. I have done this and it works fine. It's a marketing gimmick by Cisco, supporting contexts without VPNs so people will buy the VPN concentrator. This is the only way you can achieve VPNs with contexts.

I hope this explains it well.

In case you have any more queries, do let me know.
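The design the two replies above describe (a separate VPN device hung off a DMZ interface, with that DMZ segment shared by every context that needs VPN access) can be sketched as an ASA configuration. The following is an added illustration, not configuration from any poster, from Cisco, or from the original thread: the context names, VLAN numbers, addresses (203.0.113.0/24, 192.168.1.0/24, 10.250.0.0/24, 10.200.1.0/24) and the concentrator's private address 10.250.0.1 are all made up, and the pre-8.3 `static`/`access-list` syntax is used because the thread's device runs 7.1(1).

```cisco
! ---- System execution space (hypothetical ASA 5520 in multiple-context mode) ----
mode multiple
!
! Each department gets its own outside/inside VLAN sub-interfaces; nothing is shared there.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
!
! Gi0/2 is the single shared segment: only the VPN concentrator's private side lives on it,
! no departmental servers, so no shared-to-shared forwarding is ever needed.
interface GigabitEthernet0/2
 no shutdown
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context dept-a
  allocate-interface GigabitEthernet0/0.101 outside
  allocate-interface GigabitEthernet0/1.201 inside
  allocate-interface GigabitEthernet0/2 vpn-dmz
  config-url disk0:/dept-a.cfg
!
context dept-b
  allocate-interface GigabitEthernet0/0.102 outside
  allocate-interface GigabitEthernet0/1.202 inside
  allocate-interface GigabitEthernet0/2 vpn-dmz
  config-url disk0:/dept-b.cfg

! ---- disk0:/dept-a.cfg (context dept-a; dept-b mirrors it with its own addresses) ----
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! The shared interface: every context takes a distinct address in the same 10.250.0.0/24 segment.
interface vpn-dmz
 nameif vpn-dmz
 security-level 50
 ip address 10.250.0.11 255.255.255.0
!
! Return traffic to dept-a's remote-access pool (10.200.1.0/24, made up) goes back via the concentrator.
route vpn-dmz 10.200.1.0 255.255.255.0 10.250.0.1
!
! Publish dept-a's server on vpn-dmz under an address no other context uses; on a shared
! interface the classifier needs a unique destination address to pick the right context.
static (inside,vpn-dmz) 10.250.0.101 192.168.1.10 netmask 255.255.255.255
!
! Only dept-a's VPN pool may come in from the shared segment, and only to the published host
! (pre-8.3: the ACL names the mapped address).
access-list vpn-dmz-in extended permit ip 10.200.1.0 255.255.255.0 host 10.250.0.101
access-list vpn-dmz-in extended deny ip any any
access-group vpn-dmz-in in interface vpn-dmz
```

Two points a practitioner would check before building this. First, on a shared interface the ASA decides which context a packet belongs to from its destination address, so every inside host that VPN users reach must be exposed on vpn-dmz through a static translation with a mapped address unique across all contexts; overlapping inside ranges between departments are fine only because each is published under a different 10.250.0.x address. Second, the per-context ACL on vpn-dmz is what actually enforces the departmental separation the original question asked for: without it, any remote user terminating on the shared concentrator could reach whichever context's published hosts it could route to.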
