Hello
In multicontext ASA there is no support for ipsec or sslvpn at all. Look at
this output:
ASA1/c2/act# conf t
ASA1/c2/act(config)# cr
ASA1/c2/act(config)# crypto ?
configure mode commands/options:
ca Certification authority
key Long term key operations
ASA1/c2/act(config)#
ASA1/c2/act(config)# webvpn
^
ERROR: % Invalid input detected at '^' marker.
ASA1/c2/act(config)#
This means that there is no way to TERMINATE a vpn-session in a multicontext
ASA, like there is in a single context ASA.
When it comes to GET or DMVPN there is never support for vpn termination in
ASA, neither single context nor multi context.
On the other hand, if you mean letting vpn-traffic THRU the ASA (dmvpn,
getvpn, ipsec, whatever) there is no difference between single- and
multi-context ASA. It's "just" a matter of traffic filtering.
Regarding the second question: there are ways to share interfaces without
"mac address auto". For example, you could define the MAC addresses manually.
Mac address auto is imho just an easy way to get around the problem.
/Jimmy
2010/6/30 Kamran Shakil <[email protected]>
>
> first question in ASA:
> ===========================
> Is it true and valid for all scenarios of vpn (get vpn, l2l ipsecvpn,
> dmvpn) to "NOT" work in MultiContext of ASA firewall?
>
> Another question in ASA;
> =======================
> In case of MultiContext questions, it is sometimes deliberately asked to
> use a common/shared interface. And the solution says use "mac-address auto"
> to get past this jumbling situation. Is it the only option, and is it
> important to use this command in such scenarios? They say routing will not
> work otherwise! (As per the book, I know in multicontext I can only use static
> routing; dynamic routing is not supported at the moment!)
>
> regards, Kamran Shakil ITA NDC Operations Engineer
> Cisco - IT Advance Services Team MidEast Data Systems LLC Oman Cell: + 968
> 95804126 Office: + 968 24576640
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------