
    Design & Configure

    Cisco Firewall HA – SECURITY CONTEXT

    Technology: Firewall 

    Area: High Availability

    Vendor: Cisco

    Software: Cisco Adaptive Security Appliance (ASA)

    Platform: Cisco ASA 5500 and 5500-X series (e.g. ASA 5525-X); the ASA 5505 does not support multiple context mode

    Description: 

    A security context is a virtual firewall instance. One physical ASA appliance is divided into contexts, each with its own configuration, interfaces, policies and administrators, and the contexts are isolated from each other by default. In typical deployments each context is mapped to a VLAN or VRF in the rest of the network. All contexts share the appliance's finite resources (connections, xlates, hosts, routes, syslog rate, management sessions, VPN tunnels), so multiple context mode lets you define resource classes that cap what a context may consume; without them a single noisy or compromised context can exhaust the connection table for every other tenant on the box. A context that is not assigned to a class belongs to the default class, and a class inherits the default class value for any resource it does not set itself. The default class is unlimited for most resources, the exceptions being management sessions, MAC addresses and VPN tunnels, the last of which are zero until you allocate them. In the example below the default class caps connections at 10 percent of the appliance total instead of unlimited and allows 5 site-to-site VPN tunnels with 2 additional tunnels for VPN burst. To use contexts the ASA must first be switched from single to multiple context mode. One further design point: a user who logs in to the admin context has system administrator rights over the system execution space and every other context, so management access to the admin context must be restricted as tightly as access to the appliance itself, and a customer-facing context should not be designated as the admin context.

    Code 

    To configure the mode, the resource classes and the contexts, use the commands below.

    # Switch from single to multiple context mode. The ASA reboots, converts the running configuration into the system configuration plus the admin context (admin.cfg) and saves a copy of the original single-mode configuration as disk0:old_running.cfg
    hostname(config)# mode multiple

    # To return to single mode later, restore the saved single-mode configuration first, then change the mode (the ASA reboots again)
    hostname# copy disk0:old_running.cfg startup-config
    hostname(config)# mode single

     

    # Default class: applies to every context without a "member" statement and supplies the value for any resource another class leaves unset. Connections are capped at 10 percent of the appliance total instead of unlimited, and 5 site-to-site VPN tunnels are allowed with 2 more for VPN burst (VPN resources are 0 until allocated)
    hostname(config)# class default
    hostname(config-class)# limit-resource conns 10%
    hostname(config-class)# limit-resource vpn other 5
    hostname(config-class)# limit-resource vpn burst other 2

     

    # Gold class: connections capped at 15 percent, 10 site-to-site VPN tunnels with 5 more for burst, and explicit caps on the other shared resources ("rate" limits are per second). Percentages are taken from the appliance total and may be oversubscribed across contexts; check the sum with "show resource allocation"
    hostname(config)# class gold
    hostname(config-class)# limit-resource mac-addresses 10000
    hostname(config-class)# limit-resource conns 15%
    hostname(config-class)# limit-resource rate conns 1000
    hostname(config-class)# limit-resource rate inspects 500
    hostname(config-class)# limit-resource hosts 9000
    hostname(config-class)# limit-resource asdm 5
    hostname(config-class)# limit-resource ssh 5
    hostname(config-class)# limit-resource rate syslogs 5000
    hostname(config-class)# limit-resource telnet 5
    hostname(config-class)# limit-resource xlates 36000
    hostname(config-class)# limit-resource routes 5000
    hostname(config-class)# limit-resource vpn other 10
    hostname(config-class)# limit-resource vpn burst other 5

     

    To create the contexts and assign them to resource classes

    # Designate the admin context; its configuration must be stored on internal flash. Enter allocate-interface before config-url, because config-url loads the context configuration immediately and that configuration refers to the allocated interfaces
    hostname(config)# admin-context administrator
    hostname(config)# context administrator
    hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
    hostname(config-ctx)# config-url disk0:/admin.cfg

    # Customer contexts get mapped interface names (int1, int2, ...) so the context administrator never sees the physical interface names. The FTP URLs below are taken from the vendor example: the credentials are stored in cleartext in the system configuration and the context configuration is fetched unencrypted. On a production appliance keep context configurations on disk0: or fetch them over https://
    hostname(config)# context customer1
    hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
    hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
    hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
    hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
    hostname(config-ctx)# member gold
    hostname(config)# context customer2
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
    hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
    # A class must exist before a context can join it: define "class silver" in the same way as "class gold" above before entering this command
    hostname(config-ctx)# member silver

     

    # Changing between contexts. "changeto" is available from the system execution space and from the admin context; the prompt shows the context you are currently in
    hostname# changeto context customer1
    hostname/customer1# changeto system
    hostname#
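The points made in this article about resource classes and context configuration can be checked mechanically before a system configuration is pushed. The script below is an added example written for this page, not a Cisco tool and not part of the original article: it parses the `class` and `context` sections of a multiple-mode system configuration and reports contexts assigned to an undefined class, `config-url` values fetched over cleartext FTP/HTTP/TFTP or carrying embedded credentials, interfaces allocated to more than one context, and oversubscription of percentage-based limits, applying the rule that a class inherits the default class value for any resource it does not set. The embedded sample configuration is constructed from the page's example; the `silver` class, the `customer3` context, the shared GigabitEthernet0/0.100 and the undefined class `bronze` are additions made here to exercise every check.

```python
import re

# Constructed sample modelled on the page's example; silver, customer3, the shared Gi0/0.100 and undefined class bronze are added to exercise every check
SAMPLE_SYSTEM_CONFIG = """
class default
  limit-resource conns 10%
  limit-resource vpn other 5
class gold
  limit-resource conns 15%
class silver
  limit-resource conns 80%
context administrator
  allocate-interface GigabitEthernet0/0.1
  config-url disk0:/admin.cfg
context customer1
  allocate-interface GigabitEthernet0/0.100 int1
  allocate-interface GigabitEthernet0/0.110-GigabitEthernet0/0.115 int3-int8
  config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
  member gold
context customer2
  allocate-interface GigabitEthernet0/0.100 int1
  config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
  member silver
context customer3
  allocate-interface GigabitEthernet0/1.212 int1
  config-url disk0:/customer3.cfg
  member bronze
"""

def expand_interfaces(spec):
    # "Gi0/0.110-Gi0/0.115" names six subinterfaces; a single interface name is returned as-is
    if "-" not in spec:
        return [spec]
    lo, hi = (re.fullmatch(r"(.*?)(\d+)", part) for part in spec.split("-", 1))
    if not lo or not hi or lo.group(1) != hi.group(1):
        raise ValueError(f"cannot expand interface range: {spec}")
    return [f"{lo.group(1)}{n}" for n in range(int(lo.group(2)), int(hi.group(2)) + 1)]

def parse_system_config(text):
    # Returns {class: {resource: limit}} and {context: {"ifaces", "url", "member"}};
    # a limit is (value, is_percent), or None for "unlimited"
    classes, contexts, cur = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        kw, args = parts[0], parts[1:]
        if kw == "class":
            cur = classes.setdefault(args[0], {})
        elif kw == "context":
            cur = contexts.setdefault(args[0], {"ifaces": [], "url": "", "member": "default"})
        elif kw == "limit-resource":  # limit-resource [rate] <resource words> <n>[%] | unlimited
            v = args[-1]
            cur[" ".join(args[:-1])] = None if v == "unlimited" else (int(v.rstrip("%")), v.endswith("%"))
        elif kw == "allocate-interface":
            cur["ifaces"].extend(expand_interfaces(args[0]))
        elif kw == "config-url":
            cur["url"] = args[0]
        elif kw == "member":
            cur["member"] = args[0]
    return classes, contexts

def effective_limit(classes, class_name, resource):
    # A class inherits from the default class any limit it does not set itself
    for name in (class_name, "default"):
        if resource in classes.get(name, {}):
            return classes[name][resource]
    return None

def percent_totals(classes, contexts):
    # Per resource, the sum of the percentages all contexts could claim (above 100 means oversubscribed)
    resources = {r for c in classes.values() for r, lim in c.items() if lim and lim[1]}
    totals = {}
    for res in sorted(resources):
        limits = [effective_limit(classes, ctx["member"], res) for ctx in contexts.values()]
        totals[res] = sum(lim[0] for lim in limits if lim and lim[1])
    return totals

CLEARTEXT = ("ftp://", "http://", "tftp://")  # context configuration fetched unencrypted
EMBEDDED_CREDS = re.compile(r"^[a-z]+://[^/@]+:[^/@]*@", re.I)  # scheme://user:pass@host
def audit_config(text):
    classes, contexts = parse_system_config(text)
    findings, owners = [], {}
    for name, ctx in contexts.items():
        if ctx["member"] != "default" and ctx["member"] not in classes:
            findings.append(f"{name}: member class '{ctx['member']}' is not defined")
        url = ctx["url"]
        if url.lower().startswith(CLEARTEXT):
            findings.append(f"{name}: config-url fetches the context config over cleartext {url.split(':')[0]}")
        if EMBEDDED_CREDS.match(url):
            findings.append(f"{name}: config-url stores credentials in the system configuration")
        for intf in ctx["ifaces"]:
            owners.setdefault(intf.lower(), []).append(name)
    for intf, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"interface {intf} is shared by {', '.join(names)}; the classifier needs unique MACs or NAT to tell them apart")
    for res, total in percent_totals(classes, contexts).items():
        if total > 100:
            findings.append(f"resource '{res}' is oversubscribed: contexts may claim {total}% in total")
    return findings
```

Running `audit_config(SAMPLE_SYSTEM_CONFIG)` on the constructed sample yields seven findings: the two FTP URLs are each reported for cleartext transfer and for embedded credentials, customer3 references the undefined class bronze, GigabitEthernet0/0.100 is allocated to both customer1 and customer2, and connections are oversubscribed at 115 percent (10 for the default-class admin context, 15 for gold, 80 for silver, and 10 for customer3, which falls back to the default class). On the appliance itself `show resource allocation` reports the same oversubscription and `show resource usage` shows what each context actually consumes; the script is for reviewing a configuration offline before it is applied.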

     

    Additional resources:

    Overview of Next-Generation Firewall Security Products

    Cisco ASA Active Standby Failover Design

     

    Author: Krzysztof Osmałek
     
