ASA 5510 Multiple Contexts and VPN

Posted on 2009-05-02
Last Modified: 2013-11-16
I am disappointed to find out that I cannot have both security contexts for inter-VLAN routing and VPN end-point.

I have (2) ASA 5510 Security Plus appliances that I was going to use for failover mode, but am now considering using one for the security contexts and internal firewall between contexts and the other as the VPN end-point and as a firewall to the WAN connection.

Does this sound plausible, ridiculous, etc.?
Question by: Tercestisi

    Author Comment

    Here is a network diagram of what I am proposing above.

    Author Comment

    Sorry, pic didn't post; here it is.
    LVL 79

    Expert Comment

    Multiple security contexts and inter-vlan support are two different things.
    The ASA can certainly support both inter-vlan and VPN end-point at the same time.
    What it cannot do is support multiple security contexts and VPN at the same time.
    You can certainly use both ASAs in a failover pair and support multiple vlans and vpn at the same time.

    Author Comment

    Sorry for not clarifying; we would like to use the multiple security contexts in order to firewall off specific VLANs from one another. If I understand correctly we would not be able to do this without utilizing multiple contexts.
    LVL 79

    Expert Comment

    You do not have to use multiple contexts. You simply use a trunk port to the ASA and sub-interfaces for each vlan. Access rules and security levels firewall off the vlans from one another, yet provide a common "outside" Internet access interface.
    You would use multiple contexts if you had multiple tenants/customers that each wanted their own "virtual" firewall and you had enough physical ports to support that, and if you wanted to maintain separate firewall configurations for each vlan.


    Author Comment

    Hmm, interesting... I do remember reading in the example that multiple contexts were being applied to shared tenants in a building.

    So, without using multiple contexts I can still:

    1) Utilize sub-interfaces
    2) Utilize access rules between the VLANs
       (i.e. VLAN 401 can talk to all other VLANs, VLAN 402 can only talk to VLAN 405, and only (1) specific IP on VLAN 403 can talk to VLAN 407.)

    It's very important that only certain IPs from certain VLANs can talk to each other, as many of the VLANs run controllers for feed management systems and the like; security and worm-prevention are very important.

    Everywhere I've read stated to look into multiple contexts to do this... if I don't need to use multiple contexts that would be great!
    LVL 79

    Accepted Solution

    You do not need multiple contexts. Just sub-interfaces and access-lists.
    But, you do have to be careful on how you build the acl.
    vlan 401 talks to all other VLANs - OK
    VLAN 402 can only talk to VLAN 405 - and 401
    1 IP on VLAN 403 talks to VLAN 407 - and 401
    You have to be sure to allow the reverse, but it all depends on how they talk.
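    One way to express the accepted solution's design (trunk sub-interfaces plus per-interface access-lists, no contexts) in ASA configuration; this is an added example, not part of the expert's answer, and the interface names, the 10.40.x.0/24 subnets and the host 10.40.3.10 are constructed assumptions:

```cisco
! Physical port carries the 802.1Q trunk; only the sub-interfaces get nameif/IP
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.401
 vlan 401
 nameif vlan401
 security-level 50
 ip address 10.40.1.1 255.255.255.0
!
interface Ethernet0/1.402
 vlan 402
 nameif vlan402
 security-level 50
 ip address 10.40.2.1 255.255.255.0
!
! (vlan403, vlan405 and vlan407 sub-interfaces follow the same pattern)
!
! All VLAN interfaces share security-level 50, so routing between them
! must be enabled explicitly; the per-interface ACLs then decide what passes
same-security-traffic permit inter-interface
!
! VLAN 401 may talk to everything (including the outside interface)
access-list VLAN401_IN extended permit ip 10.40.1.0 255.255.255.0 any
!
! VLAN 402 may only reach VLAN 405 (and 401, which may reach everything)
access-list VLAN402_IN extended permit ip 10.40.2.0 255.255.255.0 10.40.5.0 255.255.255.0
access-list VLAN402_IN extended permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list VLAN402_IN extended deny ip any any log
!
! Only one host on VLAN 403 may reach VLAN 407 (plus 401)
access-list VLAN403_IN extended permit ip host 10.40.3.10 10.40.7.0 255.255.255.0
access-list VLAN403_IN extended permit ip 10.40.3.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list VLAN403_IN extended deny ip any any log
!
! "Allow the reverse": the ASA is stateful, so replies to flows permitted
! above return without extra rules; add the mirrored permit only where the
! other side also initiates connections (here 405 -> 402)
access-list VLAN405_IN extended permit ip 10.40.5.0 255.255.255.0 10.40.2.0 255.255.255.0
access-list VLAN405_IN extended permit ip 10.40.5.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list VLAN405_IN extended deny ip any any log
!
access-group VLAN401_IN in interface vlan401
access-group VLAN402_IN in interface vlan402
access-group VLAN403_IN in interface vlan403
access-group VLAN405_IN in interface vlan405
```

    Every VLAN interface needs an inbound access-group: with same-security-traffic enabled, an interface that has none (vlan407 above) can reach every other same-level interface by default, and the explicit deny-with-log lines give you a syslog trail of blocked inter-VLAN attempts.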
