This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cisco ASA multi Context migration

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco ASA multi Context migration

aporue
L3 Networker

‎08-13-2019 01:44 PM

I am migrating a configuration over from a Cisco ASA that uses multiple contexts and have several questions about how to replicate that in a PA.

 

1. The ASA's use port-channel groups and for the internal and external those are shared. On the inside interface each belongs to the same group but uses a different VLAN tag. On the external interface, each interface uses the same group and same VLAN tag but the IP's for the interfaces are different. There is a system context that has interface information also. The question I have is can the PA be set up the same way? I am seeing contradicting information about this subject.

 

2. Each context has it's own routing table even though they share the internet connection (as stated above each external interface is on the same interface/VLAN tag but has a distinct IP address. Can this be done on the PA the same way? I know you can have multiple virtual routers or a shared router but would like to keep them separate.

 

Thanks.

2 people had this problem.
0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎08-15-2019 01:01 PM

Hello,

So the short answer is yes, they are called virtual systems, vsys for short.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/virtual-systems.html

 

Cheers!

0 Likes Likes

aporue
L3 Networker
In response to OtakarKlier

‎08-15-2019 01:13 PM

I guess I should have stated in the beginning that I know about vsys and that is the way I have been migrating the Cisco's with that in mind. My questions are trying to find out if I can do the things I am asking using multip vsys. Can I have an AE interface that is shared between the vsys that has the same VLAN tag (ae5.3)? Also, can an AE have a different tag for each vsys (ae4.2 and ae4.3)? Also, can the vsys have completely different virtual routers? The docs mention a case where a share virtual router is needed if you have a shared internet IP but does that mean if they have different IP's within the same subnet (i.e. both are ae5.3 but have different IP's). The Cisco ASA is set up this way and I am trying to migrate like-for-like.

 

Thanks,

Keith

0 Likes Likes

Sec101
L4 Transporter
In response to aporue

‎08-21-2019 02:32 PM

vsys can have completely different virtual routers.

sub interfaces of a single aggregate interfaces can be split- so 5.3 to vsys1   and 5.4 to vsys2

 

0 Likes Likes
  • 5406 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks