ASA 5510 Multiple Contexts and VPN

I am disappointed to find out that I cannot have both security contexts for inter-VLAN routing and VPN end-point.

I have (2) ASA 5510 Security Plus appliances that I was going to use for failover mode, but am now considering using one for the security contexts and internal firewall between contexts and the other as the VPN end-point and as a firewall to the WAN connection.

Does this sound plausible, ridiculous, etc.?
Tercestisi (Author) Commented:
Here is a network diagram of what I am proposing above.
 
Tercestisi (Author) Commented:
Sorry, pic didn't post; here it is.
corp-network.jpg
 
lrmoore Commented:
Multiple security contexts and inter-VLAN support are two different things.
The ASA can certainly support both inter-VLAN and VPN end-point at the same time.
What it cannot do is support multiple security contexts and VPN at the same time.
You can certainly use both ASAs in a failover pair and support multiple VLANs and VPN at the same time.
 
Tercestisi (Author) Commented:
Sorry for not clarifying; we would like to use the multiple security contexts in order to firewall off specific VLANs from one another. If I understand correctly, we would not be able to do this without utilizing multiple contexts.
 
lrmoore Commented:
You do not have to use multiple contexts. You simply use a trunk port to the ASA and sub-interfaces for each VLAN. Access rules and security levels firewall off the VLANs from one another, yet provide a common "outside" Internet access interface.
You would use multiple contexts if you had multiple tenants/customers that each wanted their own "virtual" firewall and you had enough physical ports to support that, and if you wanted to maintain separate firewall configurations for each VLAN.

 
Tercestisi (Author) Commented:
Hmm, interesting... I do remember reading in the example that multiple contexts were being applied to shared tenants in a building.

So, without using multiple contexts I can still:

1) Utilize sub-interfaces
2) Utilize access rules between the VLANs
   e.g. VLAN 401 can talk to all other VLANs, VLAN 402 can only talk to VLAN 405, and only (1) specific IP on VLAN 403 can talk to VLAN 407.

It's very important that only certain IPs from certain VLANs can talk to each other, as many of the VLANs run controllers for feed management systems and the like; security and worm prevention are very important.

Everywhere I've read stated to look into multiple contexts to do this... if I don't need to use multiple contexts that would be great!
 
lrmoore Commented:
You do not need multiple contexts. Just sub-interfaces and access-lists.
But you do have to be careful about how you build the ACL.
VLAN 401 talks to all other VLANs - OK
VLAN 402 can only talk to VLAN 405 - and 401
1 IP on VLAN 403 talks to VLAN 407 - and 401
You have to be sure to allow the reverse, but it all depends on how they talk.
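The sub-interface-plus-ACL design described in the answers above, written out as an added example (not configuration posted by either participant). It implements the three rules from the question on a single ASA with no security contexts. The interface name Ethernet0/1, the per-VLAN addressing (10.0.41.0/24 for VLAN 401 and so on) and the single permitted host 10.0.43.50 on VLAN 403 are assumptions for illustration; the thread gives no addresses. NAT and the outside interface are left out to keep the focus on inter-VLAN filtering.

```cisco
! Added example, not from the original thread: one ASA, single context.
! One 802.1Q trunk carries the VLANs; each VLAN becomes a sub-interface, and an
! inbound ACL on each sub-interface decides which other VLANs it may initiate
! connections to. Addresses and host 10.0.43.50 are assumed for illustration.
!
interface Ethernet0/1
 description 802.1Q trunk to core switch (no IP on the physical port)
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.401
 vlan 401
 nameif vlan401
 security-level 100
 ip address 10.0.41.1 255.255.255.0
!
interface Ethernet0/1.402
 vlan 402
 nameif vlan402
 security-level 50
 ip address 10.0.42.1 255.255.255.0
!
interface Ethernet0/1.403
 vlan 403
 nameif vlan403
 security-level 50
 ip address 10.0.43.1 255.255.255.0
!
interface Ethernet0/1.405
 vlan 405
 nameif vlan405
 security-level 50
 ip address 10.0.45.1 255.255.255.0
!
interface Ethernet0/1.407
 vlan 407
 nameif vlan407
 security-level 50
 ip address 10.0.47.1 255.255.255.0
!
! Several sub-interfaces share security-level 50; without this command the ASA
! drops traffic between equal-level interfaces before the ACLs are consulted.
same-security-traffic permit inter-interface
!
! Rule 1: VLAN 401 may initiate to every other VLAN.
access-list VLAN401_IN extended permit ip 10.0.41.0 255.255.255.0 any
!
! Rule 2: VLAN 402 may initiate only to VLAN 405 (and back to 401). Anything
! else falls to the implicit deny; an explicit logged deny makes worm traffic visible.
access-list VLAN402_IN extended permit ip 10.0.42.0 255.255.255.0 10.0.45.0 255.255.255.0
access-list VLAN402_IN extended permit ip 10.0.42.0 255.255.255.0 10.0.41.0 255.255.255.0
access-list VLAN402_IN extended deny ip any any log
!
! Rule 3: only one host on VLAN 403 may initiate to VLAN 407 (and the VLAN back to 401).
access-list VLAN403_IN extended permit ip host 10.0.43.50 10.0.47.0 255.255.255.0
access-list VLAN403_IN extended permit ip 10.0.43.0 255.255.255.0 10.0.41.0 255.255.255.0
access-list VLAN403_IN extended deny ip any any log
!
! "Allow the reverse": the ASA is stateful, so replies to connections permitted
! above return without extra rules. Entries are needed here only when hosts on
! 405 / 407 themselves INITIATE connections (e.g. a controller on 407 polling
! 10.0.43.50). Drop these if the traffic is strictly one-directional.
access-list VLAN405_IN extended permit ip 10.0.45.0 255.255.255.0 10.0.42.0 255.255.255.0
access-list VLAN405_IN extended permit ip 10.0.45.0 255.255.255.0 10.0.41.0 255.255.255.0
access-list VLAN405_IN extended deny ip any any log
access-list VLAN407_IN extended permit ip 10.0.47.0 255.255.255.0 host 10.0.43.50
access-list VLAN407_IN extended permit ip 10.0.47.0 255.255.255.0 10.0.41.0 255.255.255.0
access-list VLAN407_IN extended deny ip any any log
!
! Applying an inbound ACL replaces the default security-level behaviour for
! that interface: only what the list permits may enter from that VLAN.
access-group VLAN401_IN in interface vlan401
access-group VLAN402_IN in interface vlan402
access-group VLAN403_IN in interface vlan403
access-group VLAN405_IN in interface vlan405
access-group VLAN407_IN in interface vlan407
```

To check the policy before trusting it, run `packet-tracer input vlan402 tcp 10.0.42.10 40000 10.0.43.10 80` on the ASA; it should report DROP at the ACCESS-LIST phase, while the same command with destination 10.0.45.10 should report ALLOW. `show access-list VLAN402_IN` then shows hit counts per entry, including the logged denies, which is where unexpected lateral traffic from an infected host will first show up.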
