ASA Multi-Mode Configuration

Last Updated: Oct 5, 2018 @ 9:33 am (UTC)

 

Please review the ASA Multiple Context Mode article before reading this one.

 

 


Context Configuration

There are six basic steps to configuring contexts:

  1. Enable multi-context mode
  2. Configure interfaces in the system context
  3. Add a context
  4. Configure resource management
  5. Assign MAC addresses to context interfaces
  6. Configure settings within the context

 


Enable Multi-Context Mode

You can convert an existing ASA to multi-context mode, or you can start with a fresh ASA. If converting an existing ASA, the original running config is saved to flash as old_running.cfg.

The mode multiple command enables multi-context mode. The ASA requires a reboot after running this command.

The original running config is converted into a new context. This happens on both an existing ASA and a new one. At this point there are two config files: the traditional startup configuration now belongs to the system space, and a new file called admin.cfg holds the first context.

 

Enable Multi-Context Mode
CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple
CiscoASA(config)#
 
 
Verify Configuration
CiscoASA# show mode
Security context mode: multiple


CiscoASA# show context
Context Name      Class                Interfaces           Mode         URL
*admin            default              Management0/0        Routed       disk0:/admin.cfg

Total active Security Contexts: 1

 

NOTE: If you have migrated config to a context, you may not be able to connect with SSH. To resolve this:

  1. Connect to the console of the ASA
  2. Generate a new RSA key with crypto key generate rsa general-keys modulus 2048
  3. Test logging in over SSH

 

Restoring Single-Context Mode

To restore single-context mode, copy the backup file, old_running.cfg, to the startup-config. This overwrites the existing system configuration. Next, change the mode back to single.

This will restore the config as it was originally backed up. If you’ve made changes to the context since creating the backup, those changes will be lost.

 
Restore Single-Context Mode
CiscoASA# copy disk0:/old_running.cfg startup-config

Source filename [old_running.cfg]?

3991 bytes copied in 0.40 secs


CiscoASA(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Security context mode: single
CiscoASA(config)#

 

Interface Configuration

Physical interfaces are ‘owned’ by the system. Interfaces are first configured in the system before being allocated to any contexts. This includes configuring port channels and VLANs. This does not include security features such as nameif or security-level.

In this example, two interfaces are added to an etherchannel. The etherchannel is then configured as two sub-interfaces, each with a separate VLAN. Although not shown here, remember to configure the connected switch.

 

Configure Physical Interfaces
CiscoASA(config)# interface gigabitEthernet 0/0
CiscoASA(config-if)# channel-group 1 mode active
CiscoASA(config-if)# no shutdown

CiscoASA(config-if)# interface gigabitEthernet 0/1
CiscoASA(config-if)# channel-group 1 mode active
CiscoASA(config-if)# no shutdown

CiscoASA(config-if)# interface port-channel 1.100
CiscoASA(config-subif)# vlan 100

CiscoASA(config-subif)# interface port-channel 1.200
CiscoASA(config-subif)# vlan 200

 

Create Contexts

Each new context has an individual name, which can be up to 32 characters long, and is case-sensitive. Each context has a config file. Set the config file location with the config-url command.

After creating a context, it’s time to assign physical interfaces. The example below uses a mapped name, which is the name the interface is known by inside the context. Specifying the visible keyword allows the real interface name to be seen from within the context, for example in the output of a show interface command.

The same interface may be allocated to more than one routed-mode context. Each transparent-mode context must have its own unique interfaces.

 

Allocate interfaces
! Create a new context for the edge
CiscoASA(config)# context edge
Creating context 'edge'... Done. (2)
CiscoASA(config-ctx)# description Edge Firewall
CiscoASA(config-ctx)# allocate-interface port-channel1.100 int100 visible
CiscoASA(config-ctx)# config-url disk0:/edge.cfg

WARNING: Could not fetch the URL disk0:/edge.cfg
INFO: Creating context with default config




! Allocate interfaces to the Admin context
CiscoASA(config)# context admin
CiscoASA(config-ctx)# allocate-interface port-channel1.200 int200

 

Use the changeto command to change to a context, and back to system.

 
Change Contexts
! Enter the 'edge' context
CiscoASA# changeto context edge
CiscoASA/edge#


! See the allocated interface
CiscoASA/edge# show interface
Interface int100 "", is down, line protocol is down
        System name Port-channel1.100, VLAN identifier 100
        Available but not configured via nameif


! Go back to 'System'
CiscoASA/edge# changeto system
CiscoASA#

 

Optionally, a different context can be assigned as the admin context. Do this with the admin-context command. This will not create a new context.

 

Assign an Admin Context
CiscoASA# show context
Context Name      Class                Interfaces           Mode         URL
*admin            default              Management0/0,Port-  Routed       disk0:/admin.cfg
                                       channel1.200
 edge             default              Port-channel1.100    Routed       disk0:/edge.cfg

Total active Security Contexts: 2


CiscoASA(config)# admin-context edge


CiscoASA# show context
Context Name      Class                Interfaces           Mode         URL
 admin            default              Management0/0,Port-  Routed       disk0:/admin.cfg
                                       channel1.200
*edge             default              Port-channel1.100    Routed       disk0:/edge.cfg

Total active Security Contexts: 2

 

Resource Management Configuration

Classes restrict the amount of resources a context may use. In the example below, two classes are created and assigned to the two contexts.

See Cisco’s documentation for a comprehensive list of resources to configure.

 
Configure Resource Classes
CiscoASA(config)# class default
CiscoASA(config-class)# limit-resource conns 20%
CiscoASA(config-class)# limit-resource routes 500
CiscoASA(config-class)# limit-resource vpn other 5

CiscoASA(config-class)# class gold
CiscoASA(config-class)# limit-resource conns 80%
CiscoASA(config-class)# limit-resource routes 2000
CiscoASA(config-class)# limit-resource vpn other 15

CiscoASA(config-class)# context edge
CiscoASA(config-ctx)# member gold

CiscoASA(config-ctx)# context admin
CiscoASA(config-ctx)# member default

 

Assign MAC Addresses

MAC addresses may be auto-assigned or manually assigned. This happens within the context when using the nameif command on the interface.

When using auto configuration, the ASA may generate the entire MAC, or the admin may specify a prefix. If a prefix is specified, the rest of the address is auto-generated. If a prefix is not specified, it is generated from the last two bytes of the real interface.

 
Configure MAC Address
CiscoASA# changeto context edge
CiscoASA/edge# configure terminal
CiscoASA/edge(config)# interface int100
CiscoASA/edge(config-if)# mac-address 1a1a.1a1a.1a1a

 

Configure Settings Within the Context

Context configuration is now complete. The rest of the configuration is within the context, like normal. This includes interface config, ACLs, inspections, and so on.

 

 


Monitoring and Verification

Show context information with show context and show context detail. Run these commands from the system execution space.

This includes a list of contexts, assigned interfaces, and the URL of the configuration file.

 

Show Contexts
CiscoASA# show context
Context Name      Class                Interfaces           Mode         URL
*admin            default              Management0/0,Port-  Routed       disk0:/admin.cfg
                                       channel1.200
 edge             gold                 Port-channel1.100    Routed       disk0:/edge.cfg

Total active Security Contexts: 2
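The show context table wraps long Interfaces cells onto a continuation line, which makes it awkward to audit by eye across many devices. The following added example (not Cisco code and not part of the original article) parses that table by header column positions, rebuilds the wrapped cells, and applies the sharing rule stated in the Create Contexts section: a routed context may share an interface, a transparent context may not. The sample output is constructed from the table above; the "dmz" transparent context is hypothetical and exists only to exercise the check.

```python
# Constructed sample modelled on `show context` output; the "dmz" row is hypothetical.
SAMPLE = "\n".join([
    "Context Name      Class                Interfaces           Mode         URL",
    "*admin            default              Management0/0,Port-  Routed       disk0:/admin.cfg",
    " " * 39 + "channel1.200",
    " edge             gold                 Port-channel1.100    Routed       disk0:/edge.cfg",
    " dmz              default              Port-channel1.100    Transparent  disk0:/dmz.cfg",
    "",
    "Total active Security Contexts: 3",
])

HEADERS = ("Context Name", "Class", "Interfaces", "Mode", "URL")


def parse_show_context(text):
    """Return one dict per context: name, admin, class, interfaces, mode, url.

    Column boundaries are taken from the header line. A row whose name cell is
    blank is the continuation of the previous row's wrapped Interfaces cell."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    starts = [lines[0].index(h) for h in HEADERS]
    bounds = list(zip(starts, starts[1:] + [None]))
    contexts = []
    for line in lines[1:]:
        if line.startswith("Total active"):
            break
        name, cls, ifaces, mode, url = [line[a:b].strip() for a, b in bounds]
        if name:  # a leading '*' marks the admin context
            contexts.append({"name": name.lstrip("*"), "admin": name.startswith("*"),
                             "class": cls, "interfaces": ifaces, "mode": mode, "url": url})
        elif contexts:  # wrapped cell: "Port-" + "channel1.200"
            contexts[-1]["interfaces"] += ifaces
    for ctx in contexts:
        ctx["interfaces"] = [i for i in ctx["interfaces"].split(",") if i]
    return contexts


def shared_interface_violations(contexts):
    """Map each real interface to its contexts and return those shared with
    at least one transparent-mode context (the rule the text describes)."""
    owners = {}
    for ctx in contexts:
        for iface in ctx["interfaces"]:
            owners.setdefault(iface, []).append(ctx)
    return {iface: sorted(c["name"] for c in ctxs)
            for iface, ctxs in owners.items()
            if len(ctxs) > 1 and any(c["mode"] == "Transparent" for c in ctxs)}


if __name__ == "__main__":
    parsed = parse_show_context(SAMPLE)
    print(shared_interface_violations(parsed))  # {'Port-channel1.100': ['dmz', 'edge']}
```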

Specifying the detail keyword shows extra information, such as real and mapped interfaces. This is useful to see if a context has been configured or not, without entering the context.

 

Show Context Details
CiscoASA# show context detail
Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1,
     GigabitEthernet0/2, GigabitEthernet0/3, GigabitEthernet0/4,
     GigabitEthernet0/5, GigabitEthernet0/6, GigabitEthernet0/7,
     GigabitEthernet1/0, GigabitEthernet1/1, GigabitEthernet1/2,
     GigabitEthernet1/3, GigabitEthernet1/4, GigabitEthernet1/5,
     Internal-Control0/0, Internal-Data0/0, Internal-Data0/1,
     Internal-Data0/2, Internal-Data0/3, Management0/0, Port-channel1,
     Port-channel1.100, Port-channel1.200, Port-channel2
  Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0, Port-channel1.200
  Mapped Interfaces: int200, Management0/0
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000813, ID: 1

Context "edge", has been created
  Desc: Edge Firewall
  Config URL: disk0:/edge.cfg
  Real Interfaces: Port-channel1.100
  Mapped Interfaces: int100
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: gold, Flags: 0x00000811, ID: 2

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000809, ID: 507

Use show resource allocation to see the limits configured for each resource across all classes. A "% of Avail" value above 100% means the classes together promise more of that resource than the ASA has, so a context may be denied resources under load.

 

Show Resource Allocation
CiscoASA# show resource allocation
Resource                    Total          % of Avail
 Conns [rate]           unlimited
 Inspects [rate]        unlimited
 Syslogs [rate]         unlimited
 Conns                    1001000             100.18%
 Hosts                  unlimited
 IPSec                  unlimited
 Mac-addresses             131072             200.00%
 ASDM                          10               5.00%
 SSH Client                    10              10.00%
 SSH Server                    10              10.00%
 Storage                unlimited
 Telnet                        10              10.00%
 Xlates                 unlimited
 Routes                      2500               0.00%
 Other VPN Sessions            20               0.40%
 Other VPN Burst                0
 AnyConnect                     0
 AnyConnect Burst               0
 IKEv1 in-negotiatio    unlimited
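Spotting oversubscription in that table by eye is easy on one box and tedious across a fleet. This added example (not Cisco code and not part of the original article) parses show resource allocation output and returns every resource whose "% of Avail" exceeds 100%. The sample below is a constructed subset of the output shown above, in which Conns (20% + 80% across the two classes, plus rounding) and Mac-addresses are over-allocated.

```python
import re

# Constructed subset of the `show resource allocation` output shown above.
SAMPLE = """\
Resource                    Total          % of Avail
 Conns [rate]           unlimited
 Conns                    1001000             100.18%
 Mac-addresses             131072             200.00%
 ASDM                          10               5.00%
 Routes                      2500               0.00%
 Other VPN Sessions            20               0.40%
 Other VPN Burst                0
 IKEv1 in-negotiatio    unlimited
"""

# Name may contain spaces or brackets ("Conns [rate]", "Other VPN Sessions");
# Total is a count or "unlimited"; the percentage column is optional.
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s+(?P<total>unlimited|\d+)(?:\s+(?P<pct>\d+\.\d+)%)?\s*$"
)


def parse_resource_allocation(text):
    """Return {resource: {"total": int|None, "pct_of_avail": float|None}}.
    "unlimited" becomes None; a missing percentage column also becomes None."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header line and blank lines carry no numbers
            continue
        total = None if m["total"] == "unlimited" else int(m["total"])
        pct = float(m["pct"]) if m["pct"] else None
        rows[m["name"]] = {"total": total, "pct_of_avail": pct}
    return rows


def oversubscribed(rows, threshold=100.0):
    """Resources whose summed class allocation exceeds what the ASA can provide."""
    return {name: r["pct_of_avail"] for name, r in rows.items()
            if r["pct_of_avail"] is not None and r["pct_of_avail"] > threshold}


if __name__ == "__main__":
    print(oversubscribed(parse_resource_allocation(SAMPLE)))
    # {'Conns': 100.18, 'Mac-addresses': 200.0}
```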
 
 
Show Resource Details
show resource allocation detail

Configured limits are one thing; the show resource usage commands show what each context is actually consuming, including how many requests have been denied by its limits.

 

Show Resource Summary
CiscoASA# show resource usage summary
Resource                 Current        Peak      Limit        Denied Context
Routes                         0           2  unlimited             0 Summary
 
Show Used Resources
CiscoASA# show resource usage context admin
Resource                 Current        Peak      Limit        Denied Context
Routes                         0           2        500             0 admin

 

References

Cisco – Multiple Context Mode
