Configuring Multiple Context Mode in Cisco ASA

The Cisco ASA Firewall can be divided into multiple virtual devices known as security contexts. Each context acts as an independent device with its own security policy, interfaces and administrators. Routing tables, firewall features, IPS and management are supported in multiple context mode, while some features, such as VPN and dynamic routing protocols, are not.

The following diagram will be referred to while configuring multiple context mode on the ASA firewall.

Below is the step-by-step procedure to enable multiple context mode –

Step 1 – Enable multiple context mode.

Step 2 – (Optional) Configure classes for resource management.

Step 3 – Configure interfaces in the system execution space.

Step 4 – Configure security contexts.

Step 5 – (Optional) Automatically assign MAC addresses to context interfaces.

Step 6 – Complete interface configuration in the context.

Step 1 – Enable multiple context mode.

Before configuring multiple context mode, let's first check the present context mode of the ASA firewall –

ASA# show mode
Security context mode: single

Now let's change the mode to multiple context mode –

ASA# conf t
ASA(config)# mode multi
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Rebooting.....

Now let's verify the context mode –

ASA# show mode
Security context mode: multiple
ASA#

As shown in the output, the ASA is now running in multiple context mode.

Step 2 – (Optional) Configure classes for resource management.

For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

ASA(config)# class default
ASA(config-class)# limit-resource conns 10%

To add a class called gold, enter the following commands:

ASA(config)# class gold
ASA(config-class)# limit-resource mac-addresses 10000
ASA(config-class)# limit-resource conns 15%
ASA(config-class)# limit-resource rate conns 1000
ASA(config-class)# limit-resource rate inspects 500
ASA(config-class)# limit-resource hosts 9000
ASA(config-class)# limit-resource asdm 5
ASA(config-class)# limit-resource ssh 5
ASA(config-class)# limit-resource rate syslogs 5000
ASA(config-class)# limit-resource telnet 5
ASA(config-class)# limit-resource xlates 36000

Step 3 – Configure interfaces in the system execution space.

In the system execution space, create the VLAN subinterfaces that will later be allocated to the contexts. Note that the admin context in Step 4 is allocated gigabitethernet0/0.1, so that subinterface must also be defined here.

interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20

Step 4 – Configure security contexts.

ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/0.1
ASA(config-ctx)# config-url flash:/admin.cfg

ASA(config-ctx)# context CONTEXT1
ASA(config-ctx)# allocate-interface gigabitethernet0/0.10 int10
ASA(config-ctx)# config-url disk0:/CONTEXT1.cfg
ASA(config-ctx)# member gold

ASA(config-ctx)# context CONTEXT2
ASA(config-ctx)# allocate-interface Gigabitethernet0/0.20 int20
ASA(config-ctx)# config-url disk0:/CONTEXT2.cfg
ASA(config-ctx)# member gold

Step 5 – (Optional) Automatically assign MAC addresses to context interfaces.

The ASA uses the interface MAC address to classify incoming packets to the correct context, so each context interface needs a unique MAC address; the following command generates them automatically:

ASA(config)# mac-address auto prefix 19

Step 6 – Complete interface configuration in the context.

ASA# changeto context CONTEXT1
ASA/CONTEXT1# conf t
ASA/CONTEXT1(config)# interface int10
ASA/CONTEXT1(config-if)# nameif INSIDE_CONTEXT1
ASA/CONTEXT1(config-if)# security-level 100
ASA/CONTEXT1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA/CONTEXT1(config-if)# end

Now let's move to the CONTEXT2 context and configure its interface.

ASA/CONTEXT1# changeto context CONTEXT2
ASA/CONTEXT2# conf t
ASA/CONTEXT2(config)# interface int20
ASA/CONTEXT2(config-if)# nameif INSIDE_CONTEXT2
ASA/CONTEXT2(config-if)# security-level 100
ASA/CONTEXT2(config-if)# ip address 20.20.20.1 255.255.255.0
ASA/CONTEXT2(config-if)# end
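Before committing the system execution space configuration built in Steps 2 to 4, it is worth checking that every interface a context allocates actually exists in the system space, that every member class was created, and that the admin context is defined. The following lint script is an added example written for this page, not Cisco code; it runs over a constructed copy of the page's own system configuration (resource limits omitted) and flags the gigabitethernet0/0.1 allocation that Step 3 never defines.

```python
# Constructed sample: the system execution space configuration that Steps 2-4
# of this page build (resource limits omitted), as the ASA would store it.
SYSTEM_CONFIG = """\
class default
class gold
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
admin-context administrator
context administrator
 allocate-interface gigabitethernet0/0.1
 config-url flash:/admin.cfg
context CONTEXT1
 allocate-interface gigabitethernet0/0.10 int10
 config-url disk0:/CONTEXT1.cfg
 member gold
context CONTEXT2
 allocate-interface Gigabitethernet0/0.20 int20
 config-url disk0:/CONTEXT2.cfg
 member gold
"""

def lint_system_config(text):
    """Return findings: a missing/undefined admin-context, interfaces allocated to a
    context but never defined in the system space, and member classes never created."""
    classes, interfaces, contexts = {"default"}, set(), {}   # default class always exists
    admin = cur = None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "class":                # resource class definition
            classes.add(tok[1]); cur = None
        elif tok[0] == "interface":          # interface names are case-insensitive on the ASA
            interfaces.add(tok[1].lower()); cur = None
        elif tok[0] == "admin-context":
            admin = tok[1]
        elif tok[0] == "context":            # start of a context block; subcommands follow
            cur = contexts.setdefault(tok[1], {"allocate-interface": [], "member": ["default"]})
        elif cur is not None and tok[0] in cur:
            cur[tok[0]].append(tok[1])       # allocate-interface <if> [alias] / member <class>
    findings = []
    if admin is None or admin not in contexts:
        findings.append("admin-context is missing or not defined as a context")
    for name, ctx in contexts.items():
        for ifname in ctx["allocate-interface"]:
            if ifname.lower() not in interfaces:
                findings.append(f"{name}: allocated {ifname} is not defined in the system space")
        if ctx["member"][-1] not in classes:
            findings.append(f"{name}: member class {ctx['member'][-1]} is not defined")
    return findings
```

Feed it the output of `show running-config` taken from the system execution space to check a live device; an empty list means the three checks passed.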

Verification

The verification below shows the contexts created on the ASA and the interfaces associated with each context –

ASA# sh context
Context Name       Class          Interfaces             URL
*admin             default                               disk0:/admin.cfg
CONTEXT1           gold           GigabitEthernet0/0.10  disk0:/CONTEXT1.cfg
CONTEXT2           gold           GigabitEthernet0/0.20  disk0:/CONTEXT2.cfg

Total active Security Contexts: 3
