Cisco Switching/Routing :: 3750 - ASA Multiple Context Mode
Nov 16, 2011
Im looking for some clarification regarding running a Cisco ASA in transparent mode with multiple contexts. To give you an insight into the network design we have the following -
Collapsed Core/Aggregation Layer running Cisco 3750s. The 2 Cisco 3750s are using SVIs with HSRP for default gateways per customer with a total of 8 customers. Each customer is segregated into seperate VLANs with Cisco 2960 switches used in the Access layer. Each customer has 2 Cisco 2960 switches with redundant uplinks to the Core/Aggregation layer. Customers are spanning tree loadbalanced between core/aggregation switches.
What i need to now do is add two transparent firewalls into the mix in either an active/active or active/standby setup. I need the firewalls to support all 8 customers, therefore I am guessing they need to run in multiple context mode. Having read into this it has left me somewhat confused as to how to integrate them into the above setup as a bump in the wire so to speak.
View 2 Replies
ADVERTISEMENT
Jan 13, 2013
I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.
View 2 Replies
View Related
Jan 4, 2012
I know most QoS capabilities aren't available in multiple context mode, but I need to do some really simple policing on one of my contexts. I just want to apply a hard 20Mbps cap on an interface. I've seen a few places that suggest that basic policing is possible in multiple context mode, but apparently not by the normal commands.
View 5 Replies
View Related
Mar 18, 2011
I've got an ASA which has a number of contexts. They all share the same external interface, and in the interest of saving addresses I'm wondering if the standby address for each context is really necessary. I know that in active/passive the standby address is what allows the two to communicate and monitor that particular interface, however, in active/active I don't see the point as the context is either going to be on one or the other.
View 2 Replies
View Related
Mar 11, 2013
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls?
View 1 Replies
View Related
Oct 19, 2011
I am running a ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older ios/asdm versions it was possible to backup the configuration using ASDM.
In 6.4(5)106 i am missing this feature (see attachment)
Is it possible to backup a multiple context firewall using ASDM and above mentioned software versions?
View 3 Replies
View Related
Jun 4, 2012
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA
[code]....
View 1 Replies
View Related
Jul 17, 2012
I have 2xASA5510 with securityPlus license.i have configured 3 context and Active/Active Failover.Everything works fine. But also want to use rometeAccessVPN but couldn't fine anything for VPN. does it support VPN in multiple mode?
View 3 Replies
View Related
Jul 1, 2012
On my production environment I have a firewall with already two contexts defined (15% of CPU used) and I want to add a new one.
This context is going to use the same interfaces as the others contexts. When I will enable the context, can I have some sort of repercussion on these two context ?
View 3 Replies
View Related
Oct 24, 2012
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running windows server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANS listed below and gave the 3750 the following IP Address.I would like the 3750 to only be configurable from VLAN 40 but currently every VLAN can connect to it, I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it, I kinda assumed that was for the management port in the back.-Now the tricky part, I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction vlans" that would only route to one or two other vlans. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one, it seems like the switch only supports one "routing table" am I missing something or is this just a limitation of the switch?
View 2 Replies
View Related
Sep 16, 2012
I got an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. And now customer would like add another ISP uplink, without invest another box for HA.What come across my mind is make the current box into multi context. There's some area i need to concern and also need yours perspective on it.
Question 1: For making the firewall into multi context, am i need to do it from scratch, issue mode multiple command. Then rebuilt the current production config into one of the context, then another context meant for the new IPS uplink, and one admin context?
Question 2: For CSC -SSM licensing requirement, model ASA 5510 with security plus license is able to support 2 context. So if i split my firewall like what i mention in question, what exactly number of context do i own (admin, context A, context B)?
Question 3: For CSC-SSM module in multi context mode, so the management port of CSC SSM must attach at admin context?
Question 4: After configured all the policy and traffic to scan, how exactly i should do in order apply this policy to the interface? Should i only enable at admin context, then firewall service-policy rules, and apply it global, OR should i also do the same action on context A and Context B?
View 3 Replies
View Related
Apr 11, 2012
I would like to configure a 3750 switch port to be able to use two vlans. I know you can do this with a voice and data vlan, but what about two data vlans ? Say I have two devices, one on a 10 subnet and the other on a 172 subnet, but i only have one wall jack for both devices to plug into. So I use a mini switch to connect both devices and connect the switch to the wall jack; and of course this all leads back to one switch port. When I go to enter the switchport access vlan 172 cmd, how would I also make it so the device on the 10 subnet could route out ?
View 9 Replies
View Related
Mar 5, 2012
I'm looking for switches that support single mode fiber connections and would like to know if "WS-C3750-FS-S Catalyst 3750 24 100BaseFX + 2 SFP" and "WS-C3750G-12S-S Catalyst 3750 12 SFP" can serve the purpose?
View 6 Replies
View Related
Jun 19, 2012
A multisite network is currently supporting muticast using PIM dense mode, which is enabled on router/switch LAN and WAN interfaces across all locations. I am about to introduce Nexus switches to the main LAN. How can I make dense and sparse mode coexist to ensure flow of muticast traffic between devices supporting and dense and sparse mode? Eventually, I want to transition to the sparse mode; however, it has to be done gradually, even within a single site. The leacy equipment includes Cat 3750 and 4500s.
View 2 Replies
View Related
Nov 15, 2012
What should the duplex mode to be set on a routed port gi0/21 that are running HSRP ? I try setting the gi0/21 to full, but it caused the port to be down. The only way for the port to be up is setting it to half duplex.
Cisco 3750 Switch
==============
interface GigabitEthernet0/21
no switchport
ip address 10.200.104.34 255.255.255.248
[Code].....
View 2 Replies
View Related
Mar 23, 2013
Devices are 3750-24TS Switches, software version is 12.2(55)SE6. how to troubleshoot this issue, I have a pair of ports which are not bundling, no matter what. Is the same behavior with LACP or PAgP. In this outputs I have only the PAgP case.
Output is similar to:
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SD) PAgP Fa1/0/23(I) Fa1/0/24(I)
Configuration on ports is simple:
SW1:
interface FastEthernet1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 12 mode desirable
[code]....
View 3 Replies
View Related
Jan 16, 2013
This is regarding VLAN creation on C3750E switch.I want to create new Vlan 94 on this switch and also I want to allowed same interfaces like Vlan 95 & Vlan 96. [code]
View 7 Replies
View Related
Jun 4, 2012
I am troubleshooting a fiber connectivity issue.Now I have two switches, one is 3750, and another is small biz 300 series switch. Both switch has a single mode smf gbic. Now I have two swtiches face to face and connect with a single mode cable. Do you think if I would get a link light on? Both ports are no shutdown.
View 3 Replies
View Related
Mar 25, 2012
3750 can not support multiple subnets in it's DHCP server pool config.
Is this an issue that can be fixed with a different iOS or is there a different Cisco switch that I can replace the 3750 with that will handle multiple subnets within an individual pool?
View 1 Replies
View Related
Jan 14, 2013
We have a pair of cisco Asa 5520 currently running multiple context mode. We wish to change to single context mode for following reasonWe will migrate infrastructure to hosted vendor . I was thinking of configuring site to site . Current Asa we pal to kee since wireless sits in our DMz and we have net screen that hosts tunnel for erp1. Is context change required for running site to site2. Is it a good idea for creating site to site on to make sure wireless network and oracle traffic goes through managed firewall ?
View 22 Replies
View Related
Apr 27, 2011
I am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.
View 1 Replies
View Related
Jan 8, 2012
i have 6509+FWSM(4.0.4) now i wanna use stite to stite and ez vpn in the fwsm (multiple context) multiple context mode in fwsm support ipsec vpn?
View 2 Replies
View Related
Aug 12, 2012
I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
View 4 Replies
View Related
Mar 8, 2013
I need to configure multiple context mode with active/standby failover solution.
Even after reading some Cisco documents I still can't understand if active/standby failover configuration has to be done within the admin context only or also within every single context (context-1, context-2 for example). In this case I have to allocate as failover interface a subinterface for each context (admin, context-1, context-2), right ?
Therefore a I have an other question: within the admin context, in a failover solution, do I have to allocate all interfaces I want to be moniotred, even though some will be used by context-1 only context and some others will be used by context-2 only context ?
An other question is: if active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while stateful failover within context-2 ?
The last question is: can I use management interface within all 3 contexts ?
View 8 Replies
View Related
Jun 13, 2012
I have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
View 2 Replies
View Related
Apr 24, 2012
Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.?I am havin 5585-x and asa version 8.4?
View 8 Replies
View Related
Feb 6, 2011
I would like to know does MSE 3350 supports HA mode,I have 2 M|SE 3350 appliance and I want to configure one as primary and second as redundent for the primary,I am not finding any documentation for the same in the cisco website.
View 2 Replies
View Related
Sep 20, 2012
I have two ACE working on active-standby mode, I have one context configured on bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides.I need to balance another service for two servers (different from the ones on the first context ) on the vlan 101, so as the documentation says i can't configure the same vlan on another context because it is already configured on the 1st context as bridge.so my question is the only way i could balance this service is to configure it on the same context??. or there is another way?.These are the design limitations that i have to do this:
1.- I can't change the servers IP address.
2.- The VIP which will answer the clients request is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192. 168. 100.126, VIP: 192.168.100.124
View 1 Replies
View Related
Jun 10, 2012
configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
[Code].....
View 1 Replies
View Related
May 8, 2013
I am desiging a topology with two Cat 6509 and Two ACE Module, one ACE per Catalyst. I am thinking to use bridge mode for the customer contexts, I would like to know if the Bridged mode is an Assymetric topology.
The server gateway is the ip address of the ACE or the Router?
View 6 Replies
View Related
Jun 1, 2013
On ASA 5515 it shows it is in transparent mode and it has multi context.As in transparent ASA we know it has single Management IP address.This ASA is connected to one switch on two ports gi2 and gi3.One port carries vlan say 800 to the ASA.Other port carries vlan 500 from the ASA to switch But when i log onto ASA and do sh run it shows no VLan info there.
View 3 Replies
View Related
Mar 12, 2012
clients ---asa--3750--cisco ace--- servers behind vip
|
visa card transaction servers
I am able to setup a vip on ace using routing mode on ACE,as the servers need to see the client ip ,so we are not performing SNAT,this part is working fine.
when a request comes from the client ,it goes to the vip and to one of the backend servers ,and the request will be forwaded back to the ace ,as the default gateway on the servers is pointing to the server vlan on ace.
but if the transaction from the servers need to go to the visa card transaction servers ,how can we acheive this ,and after fetching the data from visa servers,does the reply will be fwd to the ACE or ASAs directly.
View 2 Replies
View Related
Aug 28, 2008
When i try logging by HTTPS on a router i have next errors.
%HTTPS: http ssl get context fail (-41104)
HTTP: ssl get context failed (-40407)
I have a 2821 router with
c2800nm-advipservicesk9-mz.124-15.T1.bin ios
View 9 Replies
View Related
