Technology: Firewall
Area: High Availability
Vendor: Cisco
Software: Cisco Adaptive Security Appliance (ASA)
Platform: Cisco ASA 5505, 5500, 5525
A security context is a virtual firewall instance; contexts are isolated from one another by default. The physical ASA appliance is divided into contexts, creating many virtual firewalls. In typical implementations, contexts are mapped to VLANs or VRFs in the rest of the network. In multiple context mode, resource classes allocate resources to particular contexts. For example, an allocation can set the default class limit for maximum connections to 10 percent instead of unlimited, and allow 5 site-to-site VPN tunnels with 2 further tunnels allowed as VPN burst. To support multiple context mode, the ASA must first be switched to multiple mode.
To configure the resource classes and contexts, use the commands below:
hostname(config)# mode multiple
#Switching modes saves the previous running configuration as disk0:/old_running.cfg; restore it to startup-config to back out
copy disk0:old_running.cfg startup-config
#Example of default class limit for conns to 10 percent and allow 5 site-to-site VPN
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
hostname(config-class)# limit-resource vpn other 5
hostname(config-class)# limit-resource vpn burst other 2
#Example of gold class limit for conns to 15 percent and allow 10 site-to-site VPN
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
hostname(config-class)# limit-resource routes 5000
hostname(config-class)# limit-resource vpn other 10
hostname(config-class)# limit-resource vpn burst other 5
To create contexts and switch between them:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url disk0:/admin.cfg
hostname(config-ctx)# context customer1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context customer2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
hostname(config-ctx)# member silver
#Changing between contexts
changeto context name
changeto system
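Added example, not from this page or from Cisco: a Python audit of a system-context configuration in the form shown above. It parses the class and context commands (including multi-word resource names such as vpn burst other and interface ranges such as gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8), then reports what an administrator should check before committing: that each context's member class exists, the percentage of each resource committed across all contexts (a class that does not set a resource inherits the default class setting, so a total above 100 percent means the resource is oversubscribed), interfaces allocated to more than one context, and config-url values that carry credentials. The sample configuration is constructed from this page's commands; the silver class, its limits, and the second allocation of gigabitethernet0/0.100 are assumptions added so that every check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this page's class and context commands (prompts stripped).
# The silver class and the second allocation of gigabitethernet0/0.100 are assumptions.
SAMPLE_CONFIG = """
class default
 limit-resource conns 10%
 limit-resource vpn other 5
 limit-resource vpn burst other 2
class gold
 limit-resource conns 15%
 limit-resource xlates 36000
class silver
 limit-resource conns 80%
 limit-resource xlates 10%
admin-context administrator
context administrator
 allocate-interface gigabitethernet0/0.1
 config-url disk0:/admin.cfg
context customer1
 allocate-interface gigabitethernet0/0.100 int1
 allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
 config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
 member gold
context customer2
 allocate-interface gigabitethernet0/0.100 int2
 config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
 member silver
"""

def expand_range(spec):
    """'gigabitethernet0/0.110-gigabitethernet0/0.115' or 'int3-int8' -> list of names."""
    if "-" not in spec:
        return [spec]
    start, end = (re.match(r"^(.*\D)(\d+)$", part) for part in spec.split("-", 1))
    if not (start and end) or start.group(1) != end.group(1):
        raise ValueError(f"cannot expand interface range {spec}")
    return [f"{start.group(1)}{n}" for n in range(int(start.group(2)), int(end.group(2)) + 1)]

def parse_system_config(text):
    """classes: name -> {resource: (value, is_percent)}; contexts: name -> member/config_url/interfaces."""
    classes, contexts, section = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "class":
            section = ("class", tokens[1])
            classes.setdefault(tokens[1], {})
        elif tokens[0] == "context":
            section = ("context", tokens[1])
            contexts[tokens[1]] = {"member": "default", "config_url": None, "interfaces": {}}
        elif section and section[0] == "class" and tokens[0] == "limit-resource":
            # last token is the limit; the tokens in between name the resource ("vpn burst other")
            classes[section[1]][" ".join(tokens[1:-1])] = (int(tokens[-1].rstrip("%")), tokens[-1].endswith("%"))
        elif section and section[0] == "context":
            ctx = contexts[section[1]]
            if tokens[0] == "allocate-interface":
                real = expand_range(tokens[1])
                mapped = expand_range(tokens[2]) if len(tokens) > 2 else real  # no alias: real ID is visible
                if len(real) != len(mapped):
                    raise ValueError(f"range sizes differ in: {raw.strip()}")
                ctx["interfaces"].update(zip(mapped, real))  # mapped name -> real interface
            elif tokens[0] == "member":
                ctx["member"] = tokens[1]
            elif tokens[0] == "config-url":
                ctx["config_url"] = tokens[1]
    return classes, contexts

def committed_percent(classes, contexts):
    """Percent of each resource committed across all contexts; unset resources inherit the default class."""
    default, totals = classes.get("default", {}), defaultdict(int)
    pct_resources = {r for c in classes.values() for r, (_, pct) in c.items() if pct}
    for ctx in contexts.values():
        cls = classes.get(ctx["member"], {})
        for r in pct_resources:
            limit = cls.get(r, default.get(r))
            if limit and limit[1]:  # absolute limits (e.g. xlates 36000) are not counted
                totals[r] += limit[0]
    return dict(totals)

def find_issues(text):
    classes, contexts = parse_system_config(text)
    issues, owners = [], defaultdict(list)
    for name, ctx in contexts.items():
        if ctx["member"] != "default" and ctx["member"] not in classes:
            issues.append(f"context {name}: member class {ctx['member']} is not defined")
        if re.match(r"^\w+://[^/@]+:[^/@]+@", ctx["config_url"] or ""):
            issues.append(f"context {name}: config-url embeds credentials in clear text")
        for real in ctx["interfaces"].values():
            owners[real].append(name)
    issues += [f"resource {r} oversubscribed: {p}% committed across contexts"
               for r, p in sorted(committed_percent(classes, contexts).items()) if p > 100]
    issues += [f"interface {i} shared by {', '.join(sorted(o))}: needs per-context MAC addresses"
               for i, o in sorted(owners.items()) if len(o) > 1]
    return issues
```

Run find_issues(SAMPLE_CONFIG) against the constructed sample and it reports the two FTP config-url entries, the conns resource at 105 percent (10 percent for the admin context in the default class, 15 percent for gold, 80 percent for silver), and gigabitethernet0/0.100 as a shared interface. Replace SAMPLE_CONFIG with the text of show running-config from the system execution space to audit a real appliance.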