Cisco Firewall HA – SECURITY CONTEXT

Design & Configure

Technology: Firewall 

Area: High Availability

Vendor: Cisco

Software: Cisco Adaptive Security Appliance (ASA)

Platform: Cisco ASA 5505, 5500, 5525

Description: 

A security context is a virtual firewall instance; contexts are isolated from each other by default. A single physical ASA appliance is divided into contexts, creating multiple virtual firewalls. In typical deployments, contexts are mapped to VLANs or VRFs in the rest of the network. In context mode, resource classes allocate resources to particular contexts. For example, a class can set the default limit for maximum connections to 10 percent instead of unlimited, and allow 5 site-to-site VPN tunnels with 2 additional tunnels permitted for VPN burst. To support security contexts, the ASA must be configured for multiple context mode.

Code 

To configure contexts and resource classes, use the commands below.

# Switch the appliance to multiple context mode (requires a reload)
hostname(config)# mode multiple
# The previous single-mode configuration is backed up as disk0:old_running.cfg
# and can be restored from it with:
copy disk0:old_running.cfg startup-config

# Example: default class limiting connections to 10 percent and allowing
# 5 site-to-site VPN tunnels, with 2 more tunnels permitted on burst
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
hostname(config-class)# limit-resource vpn other 5
hostname(config-class)# limit-resource vpn burst other 2

# Example: gold class limiting connections to 15 percent and allowing
# 10 site-to-site VPN tunnels, with 5 more tunnels permitted on burst
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
hostname(config-class)# limit-resource routes 5000
hostname(config-class)# limit-resource vpn other 10
hostname(config-class)# limit-resource vpn burst other 5

To create contexts and switch between them, use the commands below.

# Designate the admin context and give it its own interfaces and config file
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url disk0:/admin.cfg
# Customer context; subinterfaces are mapped to context-local names (int1, int2, ...)
hostname(config-ctx)# context customer1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
# Note: a user:password pair embedded in config-url is stored in clear text in the system configuration
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context customer2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
# The silver class is not defined above; it must be created with "class silver" before it can be referenced
hostname(config-ctx)# member silver

# Changing between contexts: switch to a named context, or back to the system execution space
changeto context name
changeto system
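As an added example (not from the original page or from Cisco), the following Python lint reads a trimmed copy of the class/context layout shown above and flags three things worth checking before deploying it: a context whose member class is never defined, connection percentages oversubscribed across contexts, and a config-url that embeds clear-text credentials. The sample configuration text and its ftp credentials are constructed placeholders.

```python
import re
# Constructed sample: the page's class/context layout, trimmed to the lines
# this lint inspects. The ftp credentials are placeholders, not real ones.
SAMPLE_CFG = """\
class default
  limit-resource conns 10%
class gold
  limit-resource conns 15%
context administrator
  config-url disk0:/admin.cfg
context customer1
  config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer1.cfg
  member gold
context customer2
  config-url ftp://user1:passw0rd@10.1.1.1/configlets/customer2.cfg
  member silver
"""
def lint_asa_contexts(cfg: str) -> list[str]:
    classes: dict[str, dict[str, str]] = {}
    contexts: dict[str, dict[str, str]] = {}
    kind = name = None  # block (class or context) currently being parsed
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "class":
            kind, name = "class", w[1]
            classes.setdefault(name, {})
        elif w[0] == "context":
            kind, name = "context", w[1]
            contexts.setdefault(name, {})
        elif w[0] == "limit-resource" and kind == "class":
            classes[name][" ".join(w[1:-1])] = w[-1]  # e.g. "vpn other" -> "10"
        elif w[0] in ("member", "config-url") and kind == "context":
            contexts[name][w[0]] = w[1]
    findings, conns_total = [], 0
    for ctx, attrs in contexts.items():
        # user:password in a config-url sits in clear text in the system config
        if re.match(r"^[a-z]+://[^/@]+:[^/@]+@", attrs.get("config-url", "")):
            findings.append(f"context {ctx}: config-url embeds clear-text credentials")
        cls = attrs.get("member", "default")  # unassigned contexts use default
        if cls not in classes:
            findings.append(f"context {ctx}: member class '{cls}' is not defined")
        elif classes[cls].get("conns", "").endswith("%"):
            conns_total += int(classes[cls]["conns"][:-1])
    # Each context may use its class's share; a sum above 100% is oversubscription
    if conns_total > 100:
        findings.append(f"conns oversubscribed: {conns_total}% across contexts")
    return findings
```

Run it over the system configuration exported from the ASA; an empty list means none of the three checks fired.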

Additional resources:

Overview of Next-Generation Firewall Security Products

Cisco ASA Active Standby Failover Design

Author: Krzysztof Osmałek