I am going to purchase two ASA5520s with Security Plus, and 2 x 20 security context licenses to partition 10 departments in our environment. This is to maintain separation between departments and bill for internet bandwidth based on usage.
One problem: some of these departments need external VPN access (site-to-site and client-to-site). It states that in the security context this is not supported. When they mention it is not supported, is that just in each security context, or not at all?
I am just worried I now need to do a single config for all 10 departments and will hit problems, as max interfaces is 25 (where each department needs 4 interfaces: inside, outside, dmz1, dmz2). Also, it means the security context license would need to be returned to the supplier!
Hi Adrian, when you run either the ASA series or PIX series in multiple context mode, VPN is not supported, so you would need a separate device to run the VPN access on. If it's only a small VPN requirement, then something like the base model 5510 would be OK. Bring it in on a DMZ interface from the context that you require.
Hi there, all you need is a single VPN concentrator, and add the VPN private to a shared DMZ interface which is shared among multiple contexts. You will have to use a shared interface because the VPN supports only a single private interface. Also make sure this shared interface is only used by the VPN and not by your servers, because traffic from a shared interface to another shared interface is not allowed. This is only if you are using a shared public interface to the internet. So let all the site-to-site and remote access VPNs terminate on the VPN concentrator, and from there it will be given to the respective context. I have done this and it works fine. It's a marketing gimmick by Cisco, supporting contexts without VPNs so people will buy the VPN concentrator. This is the only way you can achieve VPNs with contexts.