ASA Multi-Mode Configuration
Context Configuration
There are six basic steps to configuring contexts:
- Enable multi-context mode
- Configure interfaces in the system context
- Add a context
- Configure resource management
- Assign MAC addresses to context interfaces
- Configure settings within the context
Enable Multicontext mode
You can convert an existing ASA to multi-context mode, or you can use a fresh ASA. If using an existing ASA, the original running config is saved as old_running.cfg.
The mode multiple command enables multi-context mode. The ASA requires a reboot after running this command.
The original running config is converted into a new context. This happens whether the ASA was already in use or is new. At this point there are two config files: the traditional startup configuration now belongs to the system execution space, and a new file, admin.cfg, holds the first context.
CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
CiscoASA(config)#

CiscoASA# show mode
Security context mode: multiple
CiscoASA# show context
Context Name      Class      Interfaces       Mode     URL
*admin            default    Management0/0    Routed   disk0:/admin.cfg
Total active Security Contexts: 1
NOTE: If you have migrated config to a context, you may not be able to connect with SSH. To resolve this:
- Connect to the console of the ASA
- Generate a new RSA key with crypto key generate rsa general-keys modulus 2048
- Test logging in over SSH
Restoring Single-Context Mode
To restore single context mode, copy the backup file, old_running.cfg, to the startup-config. This overwrites the existing system configuration. Next, change the mode back to single.
This will restore the config as it was originally backed up. If you’ve made changes to the context since creating the backup, those changes will be lost.
CiscoASA# copy disk0:/old_running.cfg startup-config
Source filename [old_running.cfg]?
3991 bytes copied in 0.40 secs
CiscoASA(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Security context mode: single
CiscoASA(config)#
Interface Configuration
Physical interfaces are ‘owned’ by the system. Interfaces are first configured in the system before being allocated to any contexts. This includes configuring port channels and VLANs. This does not include security features such as nameif or security-level.
In this example, two interfaces are added to an etherchannel. The etherchannel is then configured as two sub-interfaces, each with a separate VLAN. Although not shown here, remember to configure the connected switch.
CiscoASA(config)# interface gigabitEthernet 0/0
CiscoASA(config-if)# channel-group 1 mode active
CiscoASA(config-if)# no shutdown
CiscoASA(config-if)# interface gigabitEthernet 0/1
CiscoASA(config-if)# channel-group 1 mode active
CiscoASA(config-if)# no shutdown
CiscoASA(config-if)# interface port-channel 1.100
CiscoASA(config-subif)# vlan 100
CiscoASA(config-subif)# interface port-channel 1.200
CiscoASA(config-subif)# vlan 200
Create Contexts
Each new context has an individual name, which can be up to 32 characters long, and is case-sensitive. Each context has a config file. Set the config file location with the config-url command.
After creating a context, it’s time to assign physical interfaces. The example below uses a mapped name, which is the name by which the interface is known inside the context. Adding the visible keyword lets the real interface name be seen inside the context as well, for example in show interface output.
The same interface may be allocated to more than one routed-mode context. Each transparent-mode context must have its own unique interfaces.
! Create a new context for the edge
CiscoASA(config)# context edge
Creating context 'edge'... Done. (2)
CiscoASA(config-ctx)# description Edge Firewall
CiscoASA(config-ctx)# allocate-interface port-channel1.100 int100 visible
CiscoASA(config-ctx)# config-url disk0:/edge.cfg
WARNING: Could not fetch the URL disk0:/edge.cfg
INFO: Creating context with default config
! Allocate interfaces to the Admin context
CiscoASA(config)# context admin
CiscoASA(config-ctx)# allocate-interface port-channel1.200 int200
Use the changeto command to change to a context, and back to system.
! Enter the 'edge' context
CiscoASA# changeto context edge
CiscoASA/edge#
! See the allocated interface
CiscoASA/edge# show interface
Interface int100 "", is down, line protocol is down
  System name Port-channel1.100, VLAN identifier 100
  Available but not configured via nameif
! Go back to 'System'
CiscoASA/edge# changeto system
CiscoASA#
Optionally, a different context can be assigned as the admin context. Do this with the admin-context command. This will not create a new context.
CiscoASA# show context
Context Name      Class      Interfaces                          Mode     URL
*admin            default    Management0/0,Port-channel1.200     Routed   disk0:/admin.cfg
edge              default    Port-channel1.100                   Routed   disk0:/edge.cfg
Total active Security Contexts: 2

CiscoASA(config)# admin-context edge

CiscoASA# show context
Context Name      Class      Interfaces                          Mode     URL
admin             default    Management0/0,Port-channel1.200     Routed   disk0:/admin.cfg
*edge             default    Port-channel1.100                   Routed   disk0:/edge.cfg
Total active Security Contexts: 2
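The allocation rules above (routed contexts may share an interface, transparent contexts may not, exactly one context is the admin context) are easy to check against show context output. The following is an added example, not part of the original page or any Cisco tooling: it parses a constructed show context table that adds a hypothetical transparent context named dmz so that the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "show context" output above. The
# "dmz" transparent context is made up to exercise the interface-sharing rule.
SHOW_CONTEXT = """\
Context Name  Class    Interfaces                          Mode         URL
*admin        default  Management0/0,Port-channel1.200     Routed       disk0:/admin.cfg
 edge         gold     Port-channel1.100                   Routed       disk0:/edge.cfg
 dmz          default  Port-channel1.100,Port-channel1.300 Transparent  disk0:/dmz.cfg
Total active Security Contexts: 3
"""

# One table row: an optional '*' marks the admin context; interfaces are comma-separated.
# The header and the "Total active ..." trailer do not match because they lack a Mode value.
ROW = re.compile(r"^(\*?)(\S+)\s+(\S+)\s+(\S+)\s+(Routed|Transparent)\s+(\S+)$")


def parse_show_context(text):
    """Return one dict per context row, in the order shown."""
    contexts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            star, name, cls, ifaces, mode, url = m.groups()
            contexts.append({"name": name, "admin": star == "*", "class": cls,
                             "interfaces": ifaces.split(","), "mode": mode, "url": url})
    return contexts


def audit(contexts):
    """Apply the rules from the text and return a list of human-readable findings."""
    findings = []
    owners = defaultdict(list)
    for c in contexts:
        for iface in c["interfaces"]:
            owners[iface].append(c)
    for iface, cs in owners.items():
        # Sharing is fine between routed contexts; a transparent context needs exclusive use.
        if len(cs) > 1 and any(c["mode"] == "Transparent" for c in cs):
            names = ", ".join(c["name"] for c in cs)
            findings.append(f"{iface} is shared by {names}; a transparent context needs exclusive interfaces")
    admins = [c["name"] for c in contexts if c["admin"]]
    if len(admins) != 1:
        findings.append(f"expected exactly one admin context, found {admins}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_context(SHOW_CONTEXT)):
        print(finding)
```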
Resource Management Configuration
Classes restrict the amount of resources a context may use. In the example below, two classes are created and assigned to the two contexts.
See Cisco’s documentation for a comprehensive list of resources to configure.
CiscoASA(config)# class default
CiscoASA(config-class)# limit-resource conns 20%
CiscoASA(config-class)# limit-resource routes 500
CiscoASA(config-class)# limit-resource vpn other 5
CiscoASA(config-class)# class gold
CiscoASA(config-class)# limit-resource conns 80%
CiscoASA(config-class)# limit-resource routes 2000
CiscoASA(config-class)# limit-resource vpn other 15
CiscoASA(config-class)# context edge
CiscoASA(config-ctx)# member gold
CiscoASA(config-ctx)# context admin
CiscoASA(config-ctx)# member default
Assign MAC Addresses
MAC addresses may be auto-assigned or manually assigned. This happens within the context when the nameif command is applied to the interface.
When using auto configuration, the ASA may generate the entire MAC, or the admin may specify a prefix. If a prefix is specified, the rest is auto-generated. If no prefix is specified, the prefix is generated from the last two bytes of the real interface’s MAC address.
CiscoASA# changeto context edge
CiscoASA/edge# configure terminal
CiscoASA/edge(config)# interface int100
CiscoASA/edge(config-if)# mac-address 1a1a.1a1a.1a1a
Configure Settings Within the Context
Context configuration is now complete. The rest of the configuration is within the context, like normal. This includes interface config, ACLs, inspections, and so on.
Monitoring and Verification
Show context information with show context and show context detail. Run these commands from system execution space.
This includes a list of contexts, assigned interfaces, and the URL of the configuration file.
CiscoASA# show context
Context Name      Class      Interfaces                          Mode     URL
*admin            default    Management0/0,Port-channel1.200     Routed   disk0:/admin.cfg
edge              gold       Port-channel1.100                   Routed   disk0:/edge.cfg
Total active Security Contexts: 2
Specifying the detail keyword shows extra information, such as real and mapped interfaces. This is useful to see if a context has been configured or not, without entering the context.
CiscoASA# show context detail
Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2,
     GigabitEthernet0/3, GigabitEthernet0/4, GigabitEthernet0/5, GigabitEthernet0/6,
     GigabitEthernet0/7, GigabitEthernet1/0, GigabitEthernet1/1, GigabitEthernet1/2,
     GigabitEthernet1/3, GigabitEthernet1/4, GigabitEthernet1/5, Internal-Control0/0,
     Internal-Data0/0, Internal-Data0/1, Internal-Data0/2, Internal-Data0/3,
     Management0/0, Port-channel1, Port-channel1.100, Port-channel1.200, Port-channel2
  Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0, Port-channel1.200
  Mapped Interfaces: int200, Management0/0
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000813, ID: 1

Context "edge", has been created
  Desc: Edge Firewall
  Config URL: disk0:/edge.cfg
  Real Interfaces: Port-channel1.100
  Mapped Interfaces: int100
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: gold, Flags: 0x00000811, ID: 2

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000809, ID: 507
Check resource allocation to see what resources are configured.
CiscoASA# show resource allocation
Resource                 Total            % of Avail
Conns [rate]             unlimited
Inspects [rate]          unlimited
Syslogs [rate]           unlimited
Conns                    1001000          100.18%
Hosts                    unlimited
IPSec                    unlimited
Mac-addresses            131072           200.00%
ASDM                     10               5.00%
SSH Client               10               10.00%
SSH Server               10               10.00%
Storage                  unlimited
Telnet                   10               10.00%
Xlates                   unlimited
Routes                   2500             0.00%
Other VPN Sessions       20               0.40%
Other VPN Burst          0
AnyConnect               0
AnyConnect Burst         0
IKEv1 in-negotiatio      unlimited

For a per-context breakdown of the same figures, use show resource allocation detail.
Additionally, actual resource usage can be seen.
CiscoASA# show resource usage summary
Resource    Current    Peak    Limit        Denied    Context
Routes      0          2       unlimited    0         Summary

CiscoASA# show resource usage context admin
Resource    Current    Peak    Limit        Denied    Context
Routes      0          2       500          0         admin
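A non-zero Denied counter means a context has been refused a resource by its class limit, and a Peak close to Limit means it is about to be. The following is an added example, not part of the original page or any Cisco tooling: it parses a constructed show resource usage table (the Conns and Xlates rows are made up to show a context at its limit) and reports both conditions.

```python
import re

# Constructed sample in the layout of the "show resource usage" output above.
# The Conns and Xlates rows are invented to show a context that has hit its class limit.
SHOW_RESOURCE_USAGE = """\
Resource    Current    Peak    Limit        Denied    Context
Routes      0          2       500          0         admin
Conns       198        200     200          37        admin
Xlates      12         40      unlimited    0         admin
"""

# One data row; the header does not match because "Current" is not numeric.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+|unlimited)\s+(\d+)\s+(\S+)$")


def parse_resource_usage(text):
    """Return one dict per resource row; an unlimited limit is stored as None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            res, cur, peak, limit, denied, ctx = m.groups()
            rows.append({"resource": res, "current": int(cur), "peak": int(peak),
                         "limit": None if limit == "unlimited" else int(limit),
                         "denied": int(denied), "context": ctx})
    return rows


def check_usage(rows, warn_pct=80):
    """Flag rows with denials, and rows whose peak reached warn_pct of a finite limit."""
    findings = []
    for r in rows:
        if r["denied"] > 0:
            findings.append(f"{r['context']}: {r['denied']} {r['resource']} requests denied by class limit")
        if r["limit"] and r["peak"] * 100 >= r["limit"] * warn_pct:
            pct = r["peak"] * 100 // r["limit"]
            findings.append(f"{r['context']}: {r['resource']} peak {r['peak']} is {pct}% of limit {r['limit']}")
    return findings


if __name__ == "__main__":
    for finding in check_usage(parse_resource_usage(SHOW_RESOURCE_USAGE)):
        print(finding)
```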
References
Cisco – Multiple Context Mode