ASA firewall can be divided into multiple virtual devices, known as Security Context. Each context acts as an independent firewall device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
With enabling of Multiple context mode enables some Benefits and limitation of using Cisco ASA Multiple Context Mode. It is advisable to save all configuration of Firewall in case Reverting to Single-mode firewall is required.
The Configuration of security context can be broken into eight steps-
- Enable multiple security context globally.
- Creating New Context
- Specifying Context Config-url path.
- Configure Interface or Allocating interfaces to context.
- Creating Class of Resources and allocating to Context.
We can check mode for firewall by using below command.
ciscoasa# show mode
Security context mode: single
1) Enable multiple security context globally.
ciscoasa# ciscoasa# config t
ciscoasa(config)# mode multiple
Once you enter mode multiple, ASA will ask for the confirmation and initiate for reboot.
ciscoasa# config t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration – this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** — SHUTDOWN NOW —
***
*** Message to all terminals:
***
*** change mode
Once system will reboot, it will create a new context name admin and will save the old configration file in flash or disk with name old_running.cfg
All active interface, nameif will be alloacted to admin context by default.
2) Creating New Context
To create new context, we have to define name and config URL path to store the config file of newly created context or we can tell the context to use any existing context config. If we do not provide URL path cisco ASA creates config file by default.
ciscoasa(config)# context Apple
Creating context ‘Apple’… Done. (2)
ciscoasa(config-ctx)# config-url disk0:apple.cfg
INFO: Converting disk0:apple.cfg to disk0:/apple.cfg
We can check the context available from System by using show context command.