- A security context is a way of dividing one physical firewall into one or more logical firewalls.
- This is also known as a virtual firewall, a multitenant firewall, or a partitioned firewall appliance.
- By default each ASA supports 2 security contexts; if we want the ASA to support more than 2 security contexts we need to buy a license.
- The maximum number of contexts supported by an ASA is 250.
- Each context operates as an independent virtual device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple stand-alone devices.
- By default the ASA runs in single context mode.
- Three types of context are used in the ASA firewall.
System Context
- Also known as the default context or the system execution space.
- Does not count against the license.
- Used for controlling physical port assignments, context creation, and failover information if required.
- The system context does not have any interfaces allocated to it, as it does not process any traffic.
- The system context creates a new configuration file whenever we create a normal context; that file can be stored locally on flash or on an FTP server.
- The system context can be accessed only from the console port, as it has no physical ports attached to it.
Admin Context
- The admin context is a special context that can be used to reach the system context (system execution space) over the network.
- In simple terms, when you console into the ASA you land in the system execution space; when you connect by SSH/Telnet/ASDM you land in the admin context.
- By default, the first context created becomes the admin context.
- This context's configuration file is admin.cfg, stored on local storage.
- The admin context configuration file must be on flash.
- Any normal context can be made the admin context by using the command.
- The admin context does have interfaces allocated to it, since it is used to manage the firewall.
- Typically we allocate the management interface to the admin context.
- A user who manages the admin context has permission to access every other context.
Normal Context
- This is the actual virtual firewall.
- Every normal context needs the following parameters:
i) a name for the context
ii) the physical interfaces allocated to it
iii) the location where its configuration file is stored.
- If one interface is allocated to more than one context, it is called a shared interface.
- By default, traffic is not forwarded on a shared interface because the MAC address is not unique.
- To make the MAC addresses unique, execute the following command from the system execution space.
ASA(config)# mac-address auto
- Broadcast and multicast packets arriving on a shared interface are duplicated and sent to each context.
Configuration
1) Log in to the system execution space (console, SSH or Telnet) and create a context.
ASA(config)# context sales
Creating context 'sales'... Done. (2)
ASA(config-ctx)# description sales
2) Allocate the physical interfaces to the context.
ASA(config-ctx)# allocate-interface ethernet0
ASA(config-ctx)# allocate-interface ethernet1
3) Specify the configuration URL for the context.
ASA(config-ctx)# config-url disk0:/sales.cfg
Verification:
ASA# show context
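As an added example (not part of the original note or of Cisco's own tooling), the check below parses a constructed system-execution-space configuration and audits the rules stated above: every context must have a name, allocated interfaces and a config-url; an interface allocated to more than one context is shared and needs "mac-address auto"; and the admin context's configuration must live on flash. The sample config is constructed, and its "admin-context" line is the ASA command the note alludes to without naming.

```python
import re

# Constructed ASA system-execution-space config (not from a real device): "sales" and "hr" share ethernet1 but "mac-address auto" is absent.
SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface management0/0
  config-url disk0:/admin.cfg
context sales
  allocate-interface ethernet0
  allocate-interface ethernet1
  config-url disk0:/sales.cfg
context hr
  allocate-interface ethernet1
  config-url ftp://10.0.0.5/hr.cfg
"""

def parse_system_config(text):
    """Return ({name: {"ifaces": [...], "url": str}}, admin_name, mac_auto)."""
    contexts, admin, mac_auto, cur = {}, None, False, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"context (\S+)", line):
            cur = contexts.setdefault(m[1], {"ifaces": [], "url": ""})
        elif m := re.fullmatch(r"admin-context (\S+)", line):
            admin = m[1]
        elif line == "mac-address auto":
            mac_auto = True
        elif cur and (m := re.match(r"allocate-interface (\S+)", line)):
            cur["ifaces"].append(m[1])
        elif cur and (m := re.fullmatch(r"config-url (\S+)", line)):
            cur["url"] = m[1]
    return contexts, admin, mac_auto

def audit(text):
    """List missing parameters, shared interfaces without unique MACs, and an admin config not on flash."""
    contexts, admin, mac_auto = parse_system_config(text)
    findings, owners = [], {}
    for name, ctx in contexts.items():
        if not ctx["ifaces"]:
            findings.append(f"{name}: no interface allocated")
        if not ctx["url"]:
            findings.append(f"{name}: no config-url")
        for ifc in ctx["ifaces"]:
            owners.setdefault(ifc, []).append(name)
    for ifc, names in owners.items():
        if len(names) > 1 and not mac_auto:
            findings.append(f"{ifc}: shared by {'/'.join(names)} without mac-address auto")
    if admin in contexts and not contexts[admin]["url"].startswith(("disk0:", "flash:")):
        findings.append(f"{admin}: admin context config-url must be on flash")
    return findings
```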
Ref: Cisco.com
Md.Kareemoddin
CCIE # 54759
Good work! Many thanks.
Absolutely nice note.
Thank you so much.