Tariq Bader
Cisco Employee
Introduction:

This document describes an issue faced by a user and includes a training ".ppt" on multiple context mode.

Problem:

The user is trying to understand all the options for routing to two different ASAs in Active/Active failover mode, which requires multiple context mode. He currently has a 4500E switch behind a single ASA 5520, and the default gateway the 4500E advertises to his internal networks is the IP address of the 5520. He would like to replace the existing 5520 with two ASA 5525-X units set up in Active/Active mode.

Currently his 12 locations are terminated with fiber on the 4500E, and the 4500E's default gateway is the existing single ASA. As he understands it, the new design requires the ASAs to run in multiple context mode in order to do Active/Active failover and load-balance between the two units.

What he does not want is a policy route on each incoming fiber port that steers traffic based on source IP. He thinks this would be a huge waste of resources and would complicate the 4500E setup. Is there any other way to accomplish this besides policy routing or a separate switch between the ASAs and the 4500E?

 

Solution:

Multiple context mode is most often used where the user has distinct security policies, typically multi-tenant (or distinct business unit) use of a single firewall. In such a case, Active/Active failover lets us spread the load across the two units while still having redundancy.

Most installations I have seen use bigger firewalls to get more throughput. A few use VPN clustering or round-robin DNS for remote-access VPN gateways on the ASA platform. The few Active/Active setups I have seen have all had one of those use cases. The user is right that clustering does have a number of features that don't work in distributed mode.

The attached training is useful for understanding the multiple context feature on the ASA and all its related topics.
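As an added example (this is not from the original post or the attached training), here is the configuration skeleton the Active/Active design described above requires on each ASA 5525-X: the system execution space puts the unit into multiple context mode, defines two failover groups, and assigns one user context to each group so that each unit is normally active for one context. Interface names, VLAN numbers, addresses and context names are assumptions for illustration.

```text
! --- System execution space (entered on the primary unit; replicated to the
! secondary by failover). All names, VLANs and addresses below are assumed. ---
mode multiple
!
! Failover link; the same link is reused as the state link
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover link folink
failover interface ip folink 192.168.250.1 255.255.255.252 standby 192.168.250.2
!
! Active/Active: group 1 is normally active on the primary unit,
! group 2 is normally active on the secondary unit
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
failover
!
! Shared physical links with one 802.1Q subinterface per context
interface GigabitEthernet0/0
  no shutdown
interface GigabitEthernet0/0.10
  vlan 10
interface GigabitEthernet0/0.20
  vlan 20
interface GigabitEthernet0/1
  no shutdown
interface GigabitEthernet0/1.110
  vlan 110
interface GigabitEthernet0/1.120
  vlan 120
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context ctxA
  allocate-interface GigabitEthernet0/0.10 outsideA
  allocate-interface GigabitEthernet0/1.110 insideA
  config-url disk0:/ctxA.cfg
  join-failover-group 1
!
context ctxB
  allocate-interface GigabitEthernet0/0.20 outsideB
  allocate-interface GigabitEthernet0/1.120 insideB
  config-url disk0:/ctxB.cfg
  join-failover-group 2
!
! --- Inside ctxA (changeto context ctxA). Every interface needs a standby
! address so the other unit can take the context over on failover. ---
interface insideA
  nameif inside
  security-level 100
  ip address 10.1.110.1 255.255.255.0 standby 10.1.110.2
interface outsideA
  nameif outside
  security-level 0
  ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
route outside 0.0.0.0 0.0.0.0 203.0.113.9
```

Two things to check before building on this. First, with this layout the 4500E sees two inside next hops (the SVIs for VLAN 110 and VLAN 120 in the example), and deciding which internal networks use which context is exactly the routing question raised in the problem above; the configuration only gives the switch two gateways, it does not split traffic between them. Second, as the comments below note, the list of features that are unsupported in multiple context mode has changed between software releases, so verify the feature support list for the exact release being deployed on the 5525-X rather than relying on older training material.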

 

Source Discussion:

https://supportforums.cisco.com/discussion/12166261/asa-multiple-context-pre-routing

Comments
Jouni Forss
VIP Alumni

Hi,

Judging by the mentioned limitations of Multiple Context mode, this applies to the older software levels and not the most current ones. (No mixed-mode security contexts and no VPN support, and I guess dynamic routing protocols also?)

- Jouni

Tariq Bader
Cisco Employee

You're right, I have updated that.

Julio Carvajal
VIP Alumni

Hi Tariq,

Really Good Job as this is really complete!

Regards,

Jcarvaja

http://laguiadelnetworking.com
