Cisco ASA multi Context migration


L3 Networker

I am migrating a configuration over from a Cisco ASA that uses multiple contexts and have several questions about how to replicate that in a PA.

 

1. The ASAs use port-channel groups, and for the internal and external those are shared. On the inside interface each belongs to the same group but uses a different VLAN tag. On the external interface, each interface uses the same group and same VLAN tag but the IPs for the interfaces are different. There is a system context that has interface information also. The question I have is: can the PA be set up the same way? I am seeing contradicting information about this subject.

 

2. Each context has its own routing table even though they share the internet connection (as stated above, each external interface is on the same interface/VLAN tag but has a distinct IP address). Can this be done on the PA the same way? I know you can have multiple virtual routers or a shared router but would like to keep them separate.

 

Thanks.

3 REPLIES

Cyber Elite

Hello,

So the short answer is yes, they are called virtual systems, vsys for short.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/virtual-systems.html

 

Cheers!

I guess I should have stated in the beginning that I know about vsys and that is the way I have been migrating the Ciscos with that in mind. My questions are trying to find out if I can do the things I am asking using multiple vsys. Can I have an AE interface that is shared between the vsys that has the same VLAN tag (ae5.3)? Also, can an AE have a different tag for each vsys (ae4.2 and ae4.3)? Also, can the vsys have completely different virtual routers? The docs mention a case where a shared virtual router is needed if you have a shared internet IP, but does that mean if they have different IPs within the same subnet (i.e. both are ae5.3 but have different IPs)? The Cisco ASA is set up this way and I am trying to migrate like-for-like.

 

Thanks,

Keith

Vsys can have completely different virtual routers.

Subinterfaces of a single aggregate interface can be split, so 5.3 to vsys1 and 5.4 to vsys2.

 
