
ASA Multiple Context

Done By: Tariq Bader CCIE # 35627

INTRODUCTION

Introduction

ASA firewall supports software virtualization by means of so-called firewall contexts. Every context has its own set of routing, filtering/inspection and address translation rules.

All contexts must run in the same firewall mode, either routed or transparent; you cannot mix modes across contexts. (Mixed-mode support appears only with ASA 9, see the feature list below.)

Introduction
Supported features:
  Only static routing
  Firewall features
  IPS
  Management
Unsupported features (ASA versions before 9):
  VPN termination
  Dynamic routing protocols
  QoS
New features introduced in ASA 9:
  Site-to-site VPN in multiple context mode
  New resource type for site-to-site VPN tunnels
  Dynamic routing in security contexts
  New resource type for routing table entries
  Mixed firewall mode support in multiple context mode

Introduction
Where do we use multiple context?
ISPs that sell security services to many customers implement it as a cost-effective, space-saving solution.
Large enterprises that keep their departments completely separated.
Basically, we use multiple context whenever a network requires more than one security appliance.

Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance.

CONTEXT TYPES

Context Types

System Context
Admin Context
Normal Context

System Context
The system administrator adds and manages contexts by defining, in the system configuration, each context's configuration location, allocated interfaces and other operational parameters.

The system configuration holds the basic settings for the security appliance. You cannot assign any IP addresses while in the system context, with the exception of the management interface.

You can upgrade or downgrade the PIX/ASA software only from the system EXEC mode, not from within any other context.

Admin Context
The admin context is like any other context, except that a user who logs in to the admin context has system administrator rights and can access the system configuration and all other contexts.

The admin context configuration must reside on the flash memory.

If you convert from single mode to multiple context mode, the admin context is created automatically and its configuration file is written to the flash memory.

This context can be combined with a regular user context or be dedicated.

Note: A dedicated admin context is not counted against the context license. For example, with a license for two contexts you are allowed the admin context plus two other contexts.

Normal Context
A normal context is the actual partitioned firewall.

Contexts can be accessed via console, Telnet, SSH and ASDM.

If you log in to a non-admin context, you can only access the configuration for that context.

CONFIGURATION

Configuration
Note: The switch ports connected to the ASA must be in trunk mode, because traffic from multiple VLANs has to travel through them once the ASA interfaces are broken into subinterfaces.

Configuration
To turn the firewall to multiple context mode, enter the command mode multiple while logged in via the console port.
Note: You may do this remotely, but you risk losing the connection to the box.
This forces the mode change to multiple and reloads the appliance.
If you connect to the appliance through the console port, you are logged into the system context after the reload.

Configuration
When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
1. A new startup configuration that comprises the system configuration.
2. admin.cfg, which comprises the admin context (in the root directory of the internal flash memory).
The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory).
The original startup configuration is not saved.
The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin".

Configuration Steps
Do the following while logged into the system context:

1) Configure physical interfaces. You need to un-shutdown the interfaces that you want to allocate to the contexts. If you are creating subinterfaces using VLANs, do it under the system context as well.

Configuration Steps
2) Define the admin context.
This is a special context that allows logging in to the firewall remotely (via SSH, Telnet or HTTPS).
This context should be configured first, because the firewall won't let you create any other contexts before you designate the admin context with the global command admin-context <NAME>.
As said above, this context is created automatically when you convert from single context mode.

Configuration Steps
3) Define additional contexts if needed and allocate physical interfaces to them.
Use the command allocate-interface <Physical-Interface> [<Iface-Name>] under the context configuration mode for interface allocation.
Here <Physical-Interface> is the physical interface or subinterface name, and <Iface-Name> is the name that the context sees for this interface.
Using this command you can hide the real interface names from the context administrators (e.g. hide VLAN numbers), providing an additional level of isolation from the physical configuration.

Configuration Steps
4) Change to the context configuration and proceed as usual.
Assign interface names, security levels and IP addresses.
Set up static routes for subnets not directly connected to the context, including the subnets connected to other contexts.

Configuration Notes
Every configured context should have a configuration URL defined with the command config-url <PATH> to store its configuration. Without this command, the context configuration is incomplete.

After the context has been defined, you can switch to the in-context configuration with the command changeto context <NAME>.

To access the system context remotely, log into the admin context using any configured remote access method and issue the command changeto system.

Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration, because the context configuration can include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately, and any commands in it that refer to interfaces fail.

Use the command write memory all in the system context to save the configuration of all contexts to persistent storage. You may also save the configuration of a single context, while logged in to that context, with the command write memory.

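The four configuration steps and the ordering note above, worked through end to end from the system context. This is an added example, not a configuration taken from the original slides; the interface names (GigabitEthernet0/0, GigabitEthernet0/1, Management0/0), VLAN IDs, context names, flash file names and IP addresses are assumed values chosen for illustration.

```cisco
! Added example (not from the slides). All names and addresses are assumed.
!
! --- Step 1: physical interfaces and VLAN subinterfaces, in the system context ---
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/0.10
ciscoasa(config-if)# vlan 10
ciscoasa(config-if)# interface GigabitEthernet0/0.20
ciscoasa(config-if)# vlan 20
ciscoasa(config-if)# interface GigabitEthernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/1.10
ciscoasa(config-if)# vlan 10
ciscoasa(config-if)# interface GigabitEthernet0/1.20
ciscoasa(config-if)# vlan 20
!
! --- Step 2: designate the admin context; no other context can be created before this ---
ciscoasa(config)# admin-context admin
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Management0/0
ciscoasa(config-ctx)# config-url disk0:/admin.cfg
!
! --- Step 3: customer contexts. allocate-interface comes BEFORE config-url, and the
!     mapped names hide the VLAN numbers from the context administrator ---
ciscoasa(config)# context CustomerA
ciscoasa(config-ctx)# description Customer A (VLAN 10 pair)
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/0.10 outside_if
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.10 inside_if
ciscoasa(config-ctx)# config-url disk0:/CustomerA.cfg
!
ciscoasa(config)# context CustomerB
ciscoasa(config-ctx)# description Customer B (VLAN 20 pair)
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/0.20 outside_if
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.20 inside_if
ciscoasa(config-ctx)# config-url disk0:/CustomerB.cfg
!
! --- Step 4: switch into a context and configure it like a normal firewall ---
ciscoasa(config)# changeto context CustomerA
ciscoasa/CustomerA(config)# interface outside_if
ciscoasa/CustomerA(config-if)# nameif outside
ciscoasa/CustomerA(config-if)# security-level 0
ciscoasa/CustomerA(config-if)# ip address 203.0.113.2 255.255.255.0
ciscoasa/CustomerA(config-if)# interface inside_if
ciscoasa/CustomerA(config-if)# nameif inside
ciscoasa/CustomerA(config-if)# security-level 100
ciscoasa/CustomerA(config-if)# ip address 10.1.0.1 255.255.255.0
ciscoasa/CustomerA(config-if)# exit
! Static routing only: a default route toward the upstream router (assumed 203.0.113.1)
ciscoasa/CustomerA(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- Save every context's configuration from the system context ---
ciscoasa/CustomerA(config)# changeto system
ciscoasa(config)# write memory all
```

Inside the context the administrator only ever sees outside_if and inside_if, never the VLAN IDs, which is the isolation the slides describe for allocate-interface; the same session can changeto between contexts only because it started in the system context.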
Configuration Notes
Physical interfaces can be shared among contexts, i.e. you may assign the same interface to different contexts.

Interface sharing is the unique feature of ASA firewall contexts, and this is what sets them apart from IOS VRF technology.

When an interface is shared between two contexts, certain classification rules have to be applied to determine which context the incoming packets belong to.

Configuration Notes
If a physical interface is shared between contexts, each context can generally have different IP and MAC addresses on this interface.

It is possible to share the IP address as well. If you want to assign the same IP address to the shared interface in multiple context mode, you'll need to give the logical interfaces separate MAC addresses.

You may use non-overlapping subnets or simply different IPs on the same subnet.

By default both contexts inherit the same MAC address from the shared physical interface. This might leave the firewall unable to classify the incoming traffic properly.

Use the command mac-address auto in the system context to automatically generate a MAC address for every new virtual interface.

Configuration
In order to enable multiple mode, enter this command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** SHUTDOWN NOW
***
*** Message to all terminals:
***
*** change mode
Rebooting....

Configuration
Creating a new context:

ciscoasa(config)# context ContextA
ciscoasa(config-ctx)# description <text>
ciscoasa(config-ctx)# allocate-interface <Physical_interface> [<mapped_name>]
ciscoasa(config-ctx)# config-url <url>

You can't rename a context; you have to delete it and create a new one with the new name.
Delete a context:
ciscoasa(config)# no context ContextA

Example Scenario

FIREWALL CONTEXTS ROUTING

Firewall Context Routing
As mentioned previously, in multiple context mode the firewall supports only static routing.
You need to configure a static route for every non-directly connected subnet of a firewall context, or set up a static default route.
All adjacent routers should also be configured with static routes to allow full connectivity.

Firewall Context Routing
Routing between contexts:
Firewall contexts do not share IP routing tables, so if you want to establish communication between contexts you need one of the following:
1. Configure each context with a set of static routes for the subnets connected to or located behind the other context.
2. Use an external router that has full knowledge of the subnets behind each of the contexts to provide connectivity.

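Option 1 above (static routes in each context) as an added example, not from the original slides. The layout is assumed: CustomerA and CustomerB each have their own outside port on the shared segment 192.0.2.0/24 (CustomerA 192.0.2.2, CustomerB 192.0.2.3, upstream router 192.0.2.1), CustomerA fronts 10.1.0.0/24 and CustomerB fronts 10.2.0.0/24; the context and interface names are illustrative.

```cisco
! Added example (not from the slides). Addresses and names are assumed.
! Each context has its own routing table, so each needs a route to the subnet
! that sits behind the other context, pointing at that context's outside address.
ciscoasa(config)# changeto context CustomerA
ciscoasa/CustomerA(config)# route outside 10.2.0.0 255.255.255.0 192.0.2.3
ciscoasa/CustomerA(config)# route outside 0.0.0.0 0.0.0.0 192.0.2.1
ciscoasa/CustomerA(config)# changeto context CustomerB
ciscoasa/CustomerB(config)# route outside 10.1.0.0 255.255.255.0 192.0.2.2
ciscoasa/CustomerB(config)# route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verify separately in each context; there is no system-wide routing table.
ciscoasa/CustomerB(config)# show route
ciscoasa/CustomerB(config)# changeto context CustomerA
ciscoasa/CustomerA(config)# show route
!
! Option 2 instead keeps only the default route in each context and lets the
! upstream router (IOS syntax, assumed) hold the per-context routes:
!   ip route 10.1.0.0 255.255.255.0 192.0.2.2
!   ip route 10.2.0.0 255.255.255.0 192.0.2.3
```

With option 1, traffic from 10.1.0.0/24 to 10.2.0.0/24 arrives on CustomerB's outside interface and is subject to CustomerB's outside access rules exactly like any other outside traffic, so the inter-context path has to be permitted explicitly in the receiving context; the routes alone do not open it.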
Firewall Context Routing
Context Cascading
Recall that physical interfaces can be shared between contexts.
In some scenarios, you may even configure the same physical interface as the inside interface of one context and the outside interface of another. This is called context cascading (see the figure on the slide).

FIREWALL CONTEXTS CLASSIFICATION

Firewall Contexts Classification
It is easy to assign an incoming packet to a context if the interface on which it was received is allocated to that context alone. If the interface is shared, additional rules are needed.

Firewall Contexts Classification
Shared interfaces classification rules:
1) The firewall looks at the destination MAC address of the packet; the destination MAC designates the next hop for the packet.
2) If the MAC address is the same in both contexts for the same interface, the firewall attempts to use the NAT configuration in every context to resolve the conflict.
This may happen if you intentionally assign the same IP address to both contexts or did not assign different MAC addresses to the shared interfaces.
The firewall attempts to match the destination IP address and TCP/UDP port information in the packet against the active translation slots in every context. The context with the matching translation slot is selected as the target context.
This type of classification allows sharing the same IP subnet, or even the same IP address, on the shared interface.
You are not required to have unique MAC addresses in each context, as the translation slots are used for traffic classification.

Firewall Contexts Classification
Shared interfaces classification rules:
3) If all contexts on the shared interface use the same IP address and MAC address, then you cannot access the contexts themselves on the shared interface.
Why? Because for traffic destined to the firewall itself, classification is based on the destination IP address.
So it is generally recommended to use separate IP addresses (the MAC could be the same) on the shared interfaces.

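The shared-interface notes (mac-address auto, distinct IPs) and classification rules 1 to 3 above, shown as one added configuration example that is not from the original slides. Assumed layout: subinterface GigabitEthernet0/0.100 (VLAN 100, subnet 203.0.113.0/24) is the shared outside segment of CustomerA and CustomerB; the inside subinterfaces, context names, file names and addresses are illustrative.

```cisco
! Added example (not from the slides). Names, VLANs and addresses are assumed.
!
! --- Weak setting (what to avoid) ---
! No "mac-address auto" in the system context, and both contexts configure
! "ip address 203.0.113.2 255.255.255.0" on their copy of the shared interface.
! Every frame on VLAN 100 then carries the same destination MAC for both contexts,
! so rule 1 cannot decide; the firewall falls back to rule 2 and can only classify
! packets that hit an active translation slot. Under rule 3, traffic addressed to
! 203.0.113.2 itself (SSH, ASDM) cannot be classified at all on this interface.
!
! --- Recommended setting ---
! System context: one MAC per context-facing interface, then the shared allocation.
ciscoasa(config)# mac-address auto
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/0.100
ciscoasa(config-if)# vlan 100
ciscoasa(config-if)# exit
ciscoasa(config)# context CustomerA
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/0.100 outside_if
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.10 inside_if
ciscoasa(config-ctx)# config-url disk0:/CustomerA.cfg
ciscoasa(config)# context CustomerB
! The same physical subinterface is allocated a second time: this is the shared interface.
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/0.100 outside_if
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.20 inside_if
ciscoasa(config-ctx)# config-url disk0:/CustomerB.cfg
!
! Each context: a distinct IP on the shared subnet. The upstream router resolves
! each IP to a different auto-generated MAC, so rule 1 classifies every packet
! and rule 3 is satisfied for management traffic to either context.
ciscoasa(config)# changeto context CustomerA
ciscoasa/CustomerA(config)# interface outside_if
ciscoasa/CustomerA(config-if)# nameif outside
ciscoasa/CustomerA(config-if)# security-level 0
ciscoasa/CustomerA(config-if)# ip address 203.0.113.2 255.255.255.0
ciscoasa/CustomerA(config-if)# changeto context CustomerB
ciscoasa/CustomerB(config)# interface outside_if
ciscoasa/CustomerB(config-if)# nameif outside
ciscoasa/CustomerB(config-if)# security-level 0
ciscoasa/CustomerB(config-if)# ip address 203.0.113.3 255.255.255.0
ciscoasa/CustomerB(config-if)# exit
!
! Check: each context should report a different MAC on its outside interface.
ciscoasa/CustomerB(config)# show interface outside | include MAC
ciscoasa/CustomerB(config)# changeto context CustomerA
ciscoasa/CustomerA(config)# show interface outside | include MAC
```

If the two MAC lines are identical, mac-address auto is not in effect in the system context and the box is back in the rule 2 situation, where classification depends entirely on active translation slots.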
RESOURCE MANAGEMENT

Resource Management
The firewall has limited resources, shared between the contexts.
These resources include concurrent connections, inspections, translation slots, management sessions (Telnet, SSH and HTTPS), the number of inside hosts and so on.
Some of those resources are limited by the licensing option, e.g. the number of inside hosts. Others are limited by the firewall hardware.

Resource Management
To avoid resource contention and exhaustion, the firewall allows limiting per-context resources using the resource class concept.
Every class specifies the amount of each resource available to a context. Classes are assigned to contexts to enforce the limits.
By default, all contexts are assigned the class default.
Note that contexts do not share a particular class's resources; they only inherit the resource limits set by the class.

Resource Management
When you create a new class, it inherits all limits from the default resource class.
When you redefine any particular limit in the new class, you override the default setting for that limit.
You may also change the default class settings; all classes inherit these values unless they redefine them.

Resource Management
The appliance never reserves any resources for classes. It simply uses them to compute the resource limits and satisfies any request that is within the limit for the given class.
For example, suppose the system supports up to 1000 connections, and you create a new class with a limit of 500 connections and assign it to 3 contexts. At peak usage every context may request up to 500 connections, exceeding the total limit of 1000. It is therefore up to the administrator to set the limits properly and prevent resource starvation.
You may set resource limits in absolute values (e.g. number of connections or hosts) or as a percentage of the maximum resource available.

Resource Management
The syntax is:
class <NAME>
limit-resource <Resource> {<Value>|1-100%}

Some resources, like conns, inspects and syslogs, also support rate limiting, using the command:
limit-resource rate {conns|inspects|syslogs} {<Value>|1-100%}

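The oversubscription example from the slides (1000 connections, a 500-connection class on 3 contexts) next to a corrected class, as an added configuration example that is not from the original slides. The platform capacity of 1000 connections is the slides' figure; the class names, context names and the other limits are assumed. The member command used to attach a class to a context and the show resource commands used to verify are standard ASA commands not shown on the slides.

```cisco
! Added example (not from the slides). Class and context names are assumed.
!
! --- Oversubscribed: 3 contexts x 500 = 1500 possible connections on a box that
!     supports 1000. Each request under 500 is honoured, so the third context
!     starves once the first two fill up. ---
ciscoasa(config)# class silver_oversubscribed
ciscoasa(config-class)# limit-resource conns 500
!
! --- Corrected: 30% each, 3 x 300 = 900 <= 1000, with headroom left for the
!     default class. Percentages track the platform limit, absolute numbers do not. ---
ciscoasa(config)# class silver
ciscoasa(config-class)# limit-resource conns 30%
ciscoasa(config-class)# limit-resource xlates 30%
ciscoasa(config-class)# limit-resource hosts 30%
! Management sessions are a resource too; cap them per context.
ciscoasa(config-class)# limit-resource ssh 2
ciscoasa(config-class)# limit-resource asdm 2
! Rate limits for the three rate-capable resources named on the slide.
ciscoasa(config-class)# limit-resource rate conns 100
ciscoasa(config-class)# limit-resource rate inspects 50
ciscoasa(config-class)# limit-resource rate syslogs 200
!
! Tighten the default class; every context that does not override inherits it.
ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 10%
!
! Attach the class to each customer context.
ciscoasa(config)# context CustomerA
ciscoasa(config-ctx)# member silver
ciscoasa(config)# context CustomerB
ciscoasa(config-ctx)# member silver
ciscoasa(config)# context CustomerC
ciscoasa(config-ctx)# member silver
!
! Verify: the allocation view adds up the class limits per resource so an
! over-100% total is visible; the usage view shows a context's live consumption.
ciscoasa(config)# show resource allocation
ciscoasa(config)# show resource usage context CustomerA
```

Note the value 0 in limit-resource means unlimited on the ASA, not zero, so it never restricts a resource; use a small positive number when the intent is a hard cap.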
Q&A
