ASA Multiple Context

Post category: ASA / Cisco

Cisco ASA hardware appliances (not the virtual ASAv) support partitioning a single ASA into multiple virtual firewalls, known as security contexts. Each context acts as an independent device with its own interfaces, access control lists, NAT configuration and role-based administrative access. The usual reasons for running multiple context mode are networks that need more than one firewall, applying different policies to different departments without buying more hardware, or a service provider selling firewall services to several customers from one chassis.

Three types of context exist:

  • System context (the system execution space) – Holds the base configuration of the appliance: it defines each context, allocates interfaces and other resources to it, and sets where the context's configuration file is stored. It has no network interfaces of its own and reaches the network through the admin context.
  • Admin context – Just like a regular context, except that a user who logs into the admin context has system administrator rights and can change to the system configuration and to every other context.
  • Regular context – An isolated context that uses only the resources allocated to it from the system. It cannot change its own resource allocation and cannot access any other context (system, admin or regular).

More information can be found in the Cisco documentation https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/ha-contexts.html

Unsupported Features

Not all ASA features are supported in multiple context mode; the lists below are the unsupported features as of ASA 9.14.

Multiple context mode does not support the following features:

  • RIP
  • OSPFv3. (OSPFv2 is supported.)
  • Multicast routing
  • Threat Detection
  • Unified Communications
  • QoS
  • Static route tracking
  • Virtual Tunnel Interfaces (VTI)

Multiple context mode does not currently support the following features for Remote Access VPN:

  • Clientless SSL VPN
  • AnyConnect 2.x and earlier
  • IKEv1
  • WebLaunch
  • VLAN Mapping
  • HostScan
  • VPN load balancing
  • Customization
  • L2TP

Configuration

The following configuration was applied to a single Cisco ASA 5515-X running software version 9.12.2.

Convert from single to multiple context

  • Connect to the ASA using a console cable.
  • Run the command show mode to determine the current mode

When converting from single to multiple context mode, the current running configuration becomes the configuration of the “admin” context. In this example, the figure below represents the interface configuration before conversion.

  • Run the command mode multiple to convert to Multiple Context mode.

After the ASA has been rebooted, the login prompt will appear. You will receive a message stating that the CXSC (Firepower) module is no longer supported.

System Context

After the reboot the ASA will be in the “system” context.

  • Run show running-config to display the base configuration.

Notice that there is no interface configuration (even though interfaces were configured in single context mode); what remains is the “class default” resource configuration and the definition of the “admin” context.

ASA5515# show run
: Saved
:
: Serial Number: XXXXXXXXXXXXXXXX
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(2) <system>
!
hostname ASA5515
domain-name lab.local
enable password ***** pbkdf2
no mac-address auto
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
!
interface Management0/0
shutdown
!
class default
 limit-resource All 0
 limit-resource Mac-addresses 16384
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
 limit-resource Http 6
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
ssh stricthostkeycheck
console timeout 0

admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg

Create Resource Limits

Resource management limits the resources each context may use. Without limits, one context can consume so many resources (connections, sessions, MAC addresses and so on) that other contexts are denied connections.

When converting to multiple context mode, the following resource limits are created by default; every context inherits from the “default” class unless it is made a member of another class.

Resource limits are configured under the system context.

The following is a list of the “default” limits.

class default
 limit-resource All 0
 limit-resource Mac-addresses 16384
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
 limit-resource Http 6 

VPN resources are NOT defined in the “default” class (they default to 0 sessions), so VPN connectivity is disabled by default in multiple context mode. To allow VPN in a context, create a class with VPN limits and make the context a member of that class (with the member command under the context in the system configuration).

class VPN
 limit-resource VPN AnyConnect <value>
 limit-resource VPN Other <value>

Storage URLs

A context can use flash memory to store files such as AnyConnect images, AnyConnect profiles and DAP XML configuration. Private storage is unique to each context; shared storage is read-only from the contexts and available to any context that references it. The root folders are created from the system context.

Create the private and shared storage folders on the same flash device the storage-url commands will reference (disk0: in this example):

mkdir disk0:/PRIVATE-STORAGE
mkdir disk0:/SHARED-STORAGE

Configure each context to use the storage with the storage-url command. The final word on each line is a label; inside the context the storage is referenced by that label (for example shared:/ for the shared folder below).

context admin
 storage-url private disk0:/PRIVATE-STORAGE context
!
context ONE
 storage-url shared disk0:/SHARED-STORAGE shared
 storage-url private disk0:/PRIVATE-STORAGE private

 

View the contents of disk0:/SHARED-STORAGE reveals the contents of the shared storage.

View the contents of disk0:/PRIVATE-STORAGE reveals sub-folders for each context has been created.

ASDM

ASDM only needs configuring in the system configuration; the same ASDM image applies to every context.

asdm image disk0:/asdm-7141-48.bin

MAC addresses

If multiple contexts share a physical interface, an upstream router cannot route directly to a context unless each context's interface has a unique MAC address. You can enable automatic MAC address generation globally in the system configuration, or set MAC addresses manually when configuring each interface inside the context.

From the system context, run the following command to generate unique MAC addresses for each context interface. The prefix (0-65535) is used in the generated addresses, so give each ASA on the same layer 2 network a different prefix.

mac-address auto prefix 19

Admin Context

From the system context run the command show context

From the output, you will observe that the “admin” context has interfaces GigabitEthernet0/0 and 0/1 already allocated.

  • Run the command changeto context admin

Notice the CLI prompt includes the current context connected to


  • Run the command show running-config

From the output you can confirm that the configuration applied in single mode has been imported into the “admin” context.

Create new context

From the system context create a new context.

  • If not already in the system context, run the command changeto system to connect to the system
  • Create a new context, run the command context <unique-name>

At a minimum the new context needs interfaces allocated to it and a configuration URL where its configuration file is stored. Optionally, membership of a resource class can be configured; if it is not, the context inherits the default resource limits.

  • Define the interfaces using the command allocate-interface <interface-name>
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2

NOTE – The interfaces can be unique per context or shared. In this example we are sharing the GigabitEthernet0/0 interface with the admin context.

  • Define a shared storage url.
storage-url shared disk0:/SHARED-STORAGE shared
  • Define the configuration storage location; this file is accessible from the system context
config-url disk0:/one.cfg
  • Use the command changeto context ONE

The ASA context is now ready to be configured as per a normal ASA.
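Before cutting over, it is worth checking the system configuration for the mistakes the Storage URLs, MAC addresses and Create new context sections warn about. The following Python is an added example, not code from the original post or from Cisco: it parses the system-context show running-config output and flags a context without a config-url, a context with no interfaces, an interface shared between contexts while no mac-address auto is set, and membership of a class that was never defined. The sample configuration is constructed from the post's show run with a hypothetical context ONE added; names and paths in it are assumptions.

```python
"""Audit the system configuration of an ASA in multiple-context mode.

Added example, not code from the original post or from Cisco.  It parses the
`show running-config` output of the system execution space and flags the
mistakes the post warns about: a context without a config-url, a context
with no interfaces, a shared interface while `no mac-address auto` is set,
and membership of a resource class that was never defined.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: the post's system `show run`, trimmed, plus a hypothetical
# context ONE that shares GigabitEthernet0/0 with admin and (deliberately)
# lacks a config-url.  Names and paths are made up for the example.
SAMPLE_SYSTEM_CONFIG = """\
hostname ASA5515
no mac-address auto
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
class default
 limit-resource All 0
 limit-resource Mac-addresses 16384
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
 limit-resource Http 6
!
class VPN
 limit-resource VPN AnyConnect 100
 limit-resource VPN Other 20
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
!
context ONE
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 storage-url shared disk0:/SHARED-STORAGE shared
 member VPN
"""


def parse_system_config(text: str) -> dict:
    """Pull the context, class and MAC-generation settings out of a system config.

    Top-level lines open a stanza; indented lines belong to the current one.
    """
    cfg = {"mac_address_auto": False, "admin_context": None, "contexts": {}, "classes": {}}
    current = None  # ("context" | "class", name) while inside a stanza
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            words = line.split()
            if words[:2] == ["mac-address", "auto"]:   # also matches `mac-address auto prefix N`
                cfg["mac_address_auto"] = True
            elif words[0] == "admin-context":
                cfg["admin_context"] = words[1]
            elif words[0] == "context":
                cfg["contexts"][words[1]] = {"interfaces": [], "config_url": None,
                                             "storage": [], "member": "default"}
                current = ("context", words[1])
            elif words[0] == "class":
                cfg["classes"][words[1]] = {}
                current = ("class", words[1])
            continue
        if current is None:
            continue
        kind, name = current
        words = line.split()
        if kind == "context":
            ctx = cfg["contexts"][name]
            if words[0] == "allocate-interface":
                ctx["interfaces"].append(words[1])
            elif words[0] == "config-url":
                ctx["config_url"] = words[1]
            elif words[0] == "storage-url":
                ctx["storage"].append((words[1], words[2]))  # (private | shared, path)
            elif words[0] == "member":
                ctx["member"] = words[1]
        elif kind == "class" and words[0] == "limit-resource":
            cfg["classes"][name][" ".join(words[1:-1])] = words[-1]
    return cfg


def audit(cfg: dict) -> list[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    owners = defaultdict(list)  # interface -> contexts it is allocated to
    for name, ctx in cfg["contexts"].items():
        if not ctx["config_url"]:
            findings.append(f"{name}: no config-url, the context cannot be created or saved")
        if not ctx["interfaces"]:
            findings.append(f"{name}: no interfaces allocated")
        if ctx["member"] != "default" and ctx["member"] not in cfg["classes"]:
            findings.append(f"{name}: member class {ctx['member']} is not defined")
        for intf in ctx["interfaces"]:
            owners[intf].append(name)
    if not cfg["mac_address_auto"]:
        for intf, ctxs in owners.items():
            if len(ctxs) > 1:
                findings.append(f"{intf}: shared by {', '.join(ctxs)} with `no mac-address auto`; "
                                "enable mac-address auto or set a MAC per context interface")
    if cfg["admin_context"] not in cfg["contexts"]:
        findings.append("admin-context names a context that is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_system_config(SAMPLE_SYSTEM_CONFIG)):
        print("WARN", finding)
```

Run against the sample it reports the missing config-url on context ONE and the GigabitEthernet0/0 sharing without MAC auto-generation; paste in your own show running-config from the system context to audit a real box.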

Useful commands

changeto system
changeto context admin|<user defined>
show context
show mode
admin-context <CONTEXT NAME>

Template

ASA Multi-context template is available in the templates section of this website.