A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as “Security Contexts”.
Each security context acts as a separate firewall with its own security policy, interfaces and configuration.
However, some features are not available in multiple context mode, such as IPsec and SSL VPN, dynamic routing protocols, multicast and threat detection.
All firewall models (except ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510 which requires the security plus license).
When you convert the appliance to multiple context mode, the original running configuration is saved as “old_running.cfg” in the root directory of the internal flash memory.
Configuring Security Contexts
! Enable multiple context mode
ASA(config)# mode multiple
! Then reboot the appliance.
! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg
! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg
! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg
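As an added example (not part of the original post), the Python check below parses a constructed system execution space configuration written in the format shown above and flags two things a reviewer would want to see before handing contexts to different tenants: a context without a config-url, and a (sub)interface allocated to more than one context. The sample configuration is constructed for this example and deliberately gives customerB an interface that customerA already owns.

```python
import re
# Constructed sample of a system execution space config, modelled on the page's
# example, with one slip: customerB is also given gigabitethernet0/2.100.
SYSTEM_CONFIG = """\
admin-context administrator
context administrator
  allocate-interface gigabitethernet0/1.10
  config-url flash:/admin.cfg
context customerA
  allocate-interface gigabitethernet0/2.100
  allocate-interface gigabitethernet0/2.200
  config-url flash:/customerA.cfg
context customerB
  allocate-interface gigabitethernet0/2.111
  allocate-interface gigabitethernet0/2.100
  config-url flash:/customerB.cfg
"""

def parse_contexts(text):
    """Return ({name: {"interfaces": [...], "config_url": ...}}, admin_context_name)."""
    contexts, admin, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"admin-context\s+(\S+)$", line):
            admin = m.group(1)
        elif m := re.match(r"context\s+(\S+)$", line):
            current = m.group(1)  # context names are case-sensitive on the ASA
            contexts[current] = {"interfaces": [], "config_url": None}
        elif current and (m := re.match(r"allocate-interface\s+(\S+)", line)):
            contexts[current]["interfaces"].append(m.group(1).lower())
        elif current and (m := re.match(r"config-url\s+(\S+)$", line)):
            contexts[current]["config_url"] = m.group(1)
    return contexts, admin

def audit(text):
    contexts, admin = parse_contexts(text)
    findings, owners = [], {}
    if admin not in contexts:
        findings.append("admin-context is missing or has no matching context entry")
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"context {name} has no config-url")
        for intf in ctx["interfaces"]:
            owners.setdefault(intf, []).append(name)
    # Shared interfaces are permitted by the ASA, but for tenant separation flag them.
    for intf, names in owners.items():
        if len(names) > 1:
            findings.append(f"interface {intf} shared by contexts {', '.join(names)}")
    return findings
```

Running `audit(SYSTEM_CONFIG)` on the constructed sample reports the shared gigabitethernet0/2.100 between customerA and customerB and nothing else.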
Changing between contexts and the system execution space:
When you connect to the appliance with a console cable, you log in to the system configuration (also called the system execution space).
The “system execution space” is the global appliance space from where you can then enter into specific security contexts.
If you are logged in to the “system execution space” and issue a “show run” command, this will ONLY show you the global system configuration and NOT the configurations of the individual security contexts.
You will need to log into a specific security context in order to change or see its configuration.
To change between the system execution space and a context, or between contexts, see the following commands:
! To change to the context named customerA (context names are case-sensitive), enter the following command:
ASA# changeto context customerA
! The prompt changes to the following:
ASA/customerA#
! To change back to the system execution space, enter the following command:
ASA/customerA# changeto system
! The prompt changes to the following:
ASA#