Configuring Multiple Context Mode in Cisco ASA

You can partition a single ASA into multiple virtual devices, known as security contexts. Each context works like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Why to Use Security Contexts

You might want to use multiple security contexts in the following situations:

• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the ASA, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one ASA.

Context Configuration Files

The ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. You can store context configurations on the internal flash memory or the external flash memory card, or you can download them from a TFTP, FTP or HTTP server.

System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.

Packet Classification in ASA

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send a packet.

If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context. For management traffic destined for an interface, the interface IP address is used for classification. The routing table is not used for packet classification.

Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the same shared interface. By default, shared interfaces do not have unique MAC addresses; the interface uses the burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface.

NAT Configuration

If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.

Management Access to Security Contexts

The ASA provides system administrator access in multiple context mode as well as access for individual context administrators.

System Administrator Access

You can access the ASA as a system administrator in two ways:

• Access the ASA console: From the console, you access the system execution space, which means that any commands you enter affect only the system configuration or the running of the system (for run-time commands).
• Access the admin context using Telnet, SSH, or ASDM: As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default “enable_15” username. If you configured command authorization in that context, you need to either configure authorization privileges for the “enable_15” user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command. For example, you log in to the admin context with the username “admin.” The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user “admin” with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as “admin” by entering the login command. When you change to context B, you must again enter the login command to log in as “admin.”

Context Administrator Access

You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context.

Information About MAC Addresses

To allow contexts to share interfaces, you should assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then other classification methods are attempted that might not provide full coverage. In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context.

Default MAC Address

If you disable MAC address generation, the physical interface uses the burned-in MAC address, and all sub-interfaces of a physical interface use the same burned-in MAC address.

Interaction with Manual MAC Addresses

If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.
Because auto-generated addresses (when using a prefix) start with A2, you cannot start manual MAC addresses with A2 if you also want to use auto-generation.

Failover MAC Addresses

For use with failover, the ASA generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption.

Configuring Multiple Contexts

To configure multiple context mode, perform the following steps:

Step 1 Enable multiple context mode.

When you convert from single mode to multiple mode, the ASA converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory). The original startup configuration is not saved. The ASA automatically adds an entry for the admin context to the system configuration with the name “admin.”

ciscoasa(config)# mode multiple

The mode multiple command changes to multiple context mode. You are prompted to reboot the ASA.

To Restore Single Context Mode, copy the backup version of your original running configuration to the current startup configuration using copy flash:old_running.cfg startup-config command and then set the mode to single mode using mode single command as shown below.

hostname(config)# copy flash:old_running.cfg startup-config
hostname(config)# mode single

Step 2 Configure Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.

Step 1 Add or modify a context using context <name> command, where <name> is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example.
You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen. “System” or “Null” are reserved names, and cannot be used.

hostname(config)# context administrator

Step 2 (Optional) Add a description for this context using description command.

hostname(config)# description Administrator Context

Step 3 To allocate a physical interface, use allocate-interface physical_interface
[mapped_name] [visible | invisible] command, where physical_interface is  the interface you can use in the context and The mapped_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context. A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names: int0, inta, int_0. Specify visible keyword to see the real interface ID in the show interface command if you set a mapped name. The default invisible keyword shows only the mapped name.

hostname(config-ctx)# allocate-interface gigabitethernet0/1.10 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.20 int2

Step 4 Specify the URL from which the system downloads the context configuration. When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.

hostname(config-ctx)# config-url ftp://user1:[email protected]/configlets/test1.cfg

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command. You can use no context <name> command Removes a single context and clear context command to remove all contexts (including the admin context).

Back