Even if we have only a single point of failure at the edge, it is good to have 2 upstream links. Having 2 upstream links involves having 2 VPN tunnels. If one of the tunnels goes down, the second takes over the tasks of the first one.
Cisco has recently taken a small step to improve the ASA and has implemented logical tunnels, which means we got route-based VPN! Really? Did we? Not so fast. Yes, we got route-based VPN, but we still have to add routes manually.
NAT and ACLs are among the first things configured right after deploying a new ASA or router at the edge. They behave differently in the two cases, and knowing which feature is processed first in a particular direction can save us a lot of time and nerves.
NAT on the ASA differs from NAT on IOS routers in its configuration. At first glance it may seem very confusing, but as we will see in a while, the crucial part is understanding where particular types of NAT take place; then configuration is easy.
Regarding fault tolerance, the ASA provides 2 solutions: Active/Standby and Active/Active. Whereas Active/Standby is simple to use, Active/Active provides not only redundancy but load sharing as well. On the other hand, it requires a more expensive license. Anyway, in this article we will compare them and see how to configure them.
Multiple Context on the ASA provides the highest level of virtualization: within one single chassis we get 2 virtual firewalls, each with a separate data and control plane. The idea is similar to VRF, but in Multiple Context we may share one interface between 2 contexts, which makes it more sophisticated.