Multiple Context Mode

We were discussing multiple context mode in class today and it sounded like something I should do with my new ASA5520. But then tonight I read that some features are not available in multiple context mode, so that made me rethink the whole thing. It seems you lose VPN, Multicast & Dynamic Routing with multiple context mode. I know we want the VPN for sure and not sure I want to limit our abilities on the rest. Am I reading this right?

--Sandy

[aguilera]

You are right!

Multiple context mode does not support :

•Dynamic routing protocols (only static routes)

•VPN (You can not use the FW as a VPN server or VPN Peer)
* If you choose to use Security Context, you can terminate the VPN connections on the Edge Router, or an a Concentrator.

•Multicast (a way around this is to create a tunnel for mcast traffic to flow though)

[pixuser]

Could you elaborate on the case of virtual instances with VPN.

Don't you think that this would be a very important feature to be enabled on PIX ?

Thanks,
pixuser

[aguilera]

Virtual Private Networks? or Virtual Firewalls?

Remember... Routers and other VPN Gateways were terminating VPN connections way before PIX and ASAs were.

Unfortunately, integrated functionality has spoiled us. In some ways it has even skewed our perception of device functionality vs. a device's ability. In this case, using one function disables the firewalls ability to perform another.

Remember just because a box has the function available doesn't mean you have to use it. Evaluate your environment and see if you can justify the need for security contexts.

If your working environment has site-to-site VPNs or remote access VPNs and is solely dependent on your Firewall to act as a VPN Peer or VPN Server then using Security Contexts are not an option for you.

If your working environment has alternate VPN Gateways then Security Contexts could be an option for you.

If the loss of Dynamic Routing, VPNs and Multicasting are not issue for you then go for it.

- aguilera