RE: ASA 5550 question

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Thu, 7 Oct 2010 20:16:33 -0400

Sorry my reply from before was to this;

As I was saying yesterday, I have seen a high level (cisco live?) type white
paper where the logic and abilities of the Cisco ASA multi-context packet
forwarder are explained. This is true for both shared and non-shared
interfaces for the ASA and FWSM. With the ASA, often contexts share the same
physical interface, where with the FWSM, logical vlan interfaces are created
within each context from vlans allocated to the system context by IOS, and
further allocated by the system context to each context.

Because of the way the packet forwarder is designed to (sorry for lack of a
better term) "match flows with contexts" stateless protocols can't be
forwarded, such as OSPF, RIP, EIGRP and crypto maps can't be applied,
presumably where further action would be required (like decryption) before the
packet router could forward traffic back to the correct context.

For these reasons, without some major "ipad" level invention in the works, I
don't see the ASA ever supporting multiple contexts and routing
protocols/crypto maps.

Perhaps, I'm just being pessimistic- but buying a cisco product with the
expectation they will "eventually" add a feature you require in production via
a future code release is a mistake. However, getting dmvpn in my ISR's in 2005
was better than sex and cold drinks on a private beach, having previously
managed 50 (50-1)/2 fully meshed VPN TUNNELS! (YIKES)

-Joe

From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Thursday, October 07, 2010 8:03 PM
To: Shaughn Smith; Joseph L. Brunner
Cc: Cisco certification
Subject: Re: ASA 5550 question

I don't think it's a licensing thing- I think it's a context thing. Have you
tried this at the ADMIN context, and then filtering at the Fxxxxt context? We
don't run our ASA's with Contexts where VPN's terminate.

Cisco TAC?

Regards,
Jay McMickle- CCNP, CCSP, CCDP, MCSE

________________________________
From: Shaughn Smith <maniac.smg_at_gmail.com>
To: Joseph L. Brunner <joe_at_affirmedsystems.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>
Sent: Wed, October 6, 2010 2:11:51 PM
Subject: Re: ASA 5550 question

I wouldn't mind putting in a checkpoint but the client is a Cisco house.

Any way around this issue? Are they going to have to pay for new licensing?

On Wed, Oct 6, 2010 at 9:09 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> Crypto not allowed partner...
>
> Sorry...
>
> Time for a checkpoint
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Shaughn Smith
> Sent: Wednesday, October 06, 2010 3:06 PM
> To: Cisco certification
> Subject: ASA 5550 question
>
> Hi All
>
> I have a Cisco ASA 5550 running which in turn is running 3 contexts.
>
> Everything has been running smoothly but now the client is asking for IPsec
> remote access VPN's.
>
> I have no issue configuring this as I have done it 100 times before; however,
> when I type the crypto ipsec command I get this as an option
>
> Fxxxxt(config)# crypto ?
>
> configure mode commands/options:
> ca Certification authority
> key Long term key operations
>
> i.e. IPsec is not supported. Now I don't know if this is a licensing issue or
> an actual software version
>
> Here is the SH VER output
>
> Licensed features for this platform:
> Maximum Physical Interfaces : Unlimited
> Maximum VLANs : 250
> Inside Hosts : Unlimited
> Failover : Active/Active
> VPN-DES : Enabled
> VPN-3DES-AES : Enabled
> Security Contexts : 2
> GTP/GPRS : Disabled
> SSL VPN Peers : 2
> Total VPN Peers : 5000
> Shared License : Disabled
> AnyConnect for Mobile : Disabled
> AnyConnect for Linksys phone : Disabled
> AnyConnect Essentials : Disabled
> Advanced Endpoint Assessment : Disabled
> UC Phone Proxy Sessions : 2
> Total UC Proxy Sessions : 2
> Botnet Traffic Filter : Disabled
>
> This platform has an ASA 5550 VPN Premium license.
>
> Says 3DES-AES is enabled but that might be for SSL VPN's. I haven't really done
> any research yet but sure it has to do with the VPN Premium licence.
>
> Thanks
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Thu Oct 07 2010 - 20:16:33 ART
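Added example (mine, not code from the thread or from Cisco): a small Python check that parses the licensed-features block of `show version` into a dict and then applies the conclusion the thread reaches, that with contexts in use the licence state is beside the point because crypto is unavailable in multiple context mode. The sample block is constructed after the one quoted above.

```python
import re

# Constructed sample modelled on the "show version" block quoted in the thread;
# it is not a capture from the poster's firewall.
SAMPLE_SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2

This platform has an ASA 5550 VPN Premium license.
"""

LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")

def parse_licensed_features(text):
    """Map the 'Licensed features' block to {name: value}.
    Enabled/Disabled become True/False, counts become int, the rest stay str."""
    features = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True          # block starts here
            continue
        if in_block and not line.strip():
            break                    # blank line closes the block
        m = LINE_RE.match(line)
        if in_block and m:
            name, value = m.groups()
            if value in ("Enabled", "Disabled"):
                features[name] = value == "Enabled"
            elif value.isdigit():
                features[name] = int(value)
            else:
                features[name] = value
    return features

def ipsec_ra_vpn_findings(features, multiple_context_mode):
    """Findings for an IPsec remote-access VPN request; the context rule is the
    thread's conclusion: crypto is unavailable once contexts are in use."""
    findings = []
    if not features.get("VPN-3DES-AES", False):
        findings.append("VPN-3DES-AES not licensed: no strong IPsec ciphers")
    if multiple_context_mode:
        findings.append("multiple context mode: IPsec/crypto unsupported, licence state does not help")
    return findings
```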