How to configure cisco asa virtual firewall
Published in: Technology
How to Configure Cisco ASA Virtual Firewall?

Device virtualization is one of the most popular topics in the IT industry today, and Cisco supports this concept in the majority of its network devices. Here we talk about Cisco ASA virtualization, which means running multiple virtual firewalls on the same physical ASA chassis. A virtual ASA is also known as a "Security Context".

All Cisco ASA firewall models (except the ASA 5505) support multiple security contexts (i.e. virtual firewalls). By default, all models support 2 security contexts without a license upgrade (except the Cisco ASA 5510, which requires the Security Plus license).

Each context has its own configuration file and security policy, i.e. one context is completely isolated and does not depend on other contexts. The exception is the Admin Context, from which the whole ASA appliance (the physical ASA) is managed and from which the other contexts are created. To enable the creation of virtual contexts on the ASA appliance, we must switch to multiple context mode. In this mode some features are not available, such as dynamic routing, IPsec and SSL VPN, multicast and Threat Detection. Let's briefly discuss when multiple context mode is advisable and when it is not.

When would you want to use multiple security contexts?
● If you want to use the active/active failover feature. Keep in mind that with active/active failover, you should not use more than half of the available bandwidth.
● If you are an ISP and need to offer a different security context for each customer.
● If you need to provide different security policies for various departments, users, or vendors and need to create a separate context for each one.
● If you would like to reduce hardware requirements by combining the functionality of multiple firewalls into one.

When should you not use multiple security contexts?
● If you need to provide VPN services such as remote access or site-to-site VPN tunnels.
● If you need to use dynamic routing protocols. With multiple context mode, you can use only static routes.
● If you need to use QoS.
● If you need to support multicast routing.
● If you need to provide Threat Detection.

Now let's consider an example of how contexts are configured. In the topology below we have one ASA appliance; let's create two contexts for two customers and one admin context for managing the ASA appliance.

Physical Topology Diagram:
Logical Topology Diagram:
Equipment Used in this LAB

ASA 5520 – Cisco Adaptive Security Appliance Software Version 8.0(3)
Catalyst 2960 – LAN Lite IOS

Before starting the configuration, let's check whether the appliance is running in single context mode or multiple context mode. As I have already stated, the ASA appliance must be in multiple context mode to create security contexts.

    ! Verify the ASA operating mode
    asa# show mode
    Security context mode: single

    ! Enable multiple mode. Switching to this mode requires a restart.
    asa(config)# mode multiple

The following output is then displayed. The ASA appliance converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and "admin.cfg", which comprises the admin context (stored in the root directory of the internal flash memory). The original running configuration is saved as "old_running.cfg" (in the root directory of the internal flash memory).

    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
    Convert the system configuration? [confirm]
    !
    The old running configuration file will be written to flash
    The admin context configuration will be written to flash
    The new running configuration file was written to flash
    Security context mode: multiple
    *** --- SHUTDOWN NOW ---
    *** Message to all terminals:
    ***   change mode
    Rebooting....
    Booting system, please wait...

    ! After rebooting, verify the ASA operating mode
    asa# show mode
    Security context mode: multiple

After the restart, let's start configuring the contexts. First configure the admin context.

    ! Configure the admin context
    asa(config)# admin-context admin
    asa(config)# context admin
    asa(config-ctx)# allocate-interface Management0/0
    asa(config-ctx)# config-url disk0:/admin.cfg

    ! Configure the sub-interfaces for Customer1
    interface GigabitEthernet0/1.11
     vlan 11
    interface GigabitEthernet0/0.21
     vlan 21

    ! Configure the sub-interfaces for Customer2
    interface GigabitEthernet0/1.12
     vlan 12
    interface GigabitEthernet0/0.22
     vlan 22

Now we create the contexts for Customer-1 and Customer-2 and allocate interfaces to them.

    ! Configure the Customer1 context, shown as C1 in the diagram
    asa(config)# context c1
    asa(config-ctx)# allocate-interface gigabitethernet0/0.21
    asa(config-ctx)# allocate-interface gigabitethernet0/1.11
    asa(config-ctx)# config-url disk0:/c1.cfg

    ! Configure the Customer2 context, shown as C2 in the diagram
    asa(config)# context c2
    asa(config-ctx)# allocate-interface gigabitethernet0/0.22
    asa(config-ctx)# allocate-interface gigabitethernet0/1.12
    asa(config-ctx)# config-url disk0:/c2.cfg

I will not describe how the VLANs on the switches are configured. Let's consider switching between contexts. We can switch to any context from the admin context, but we can't switch from a customer context to anywhere else.

    ! Log in to the Customer1 context. The syntax of the command is:
    !   changeto context <context name>
    asa# changeto context c1

    ! Switch to system configuration mode. Switching to this mode is available only
    ! from the admin context. In system configuration mode, contexts are created and
    ! resources are allocated.
    asa# changeto system

More Related Cisco Firewall Guides:
Cisco ASA Firewall Licensing
Simple Steps to Connect a Remote Office to Cisco ASA 5510
How to Configure Cisco ASA 5505 Firewall?
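The isolation between the two customer contexts above rests entirely on the system configuration: each context must get its own config-url, and no sub-interface should be allocated to more than one customer context. The script below is an added example (it is not part of the original slides) that audits a saved copy of the ASA system configuration for exactly those mistakes. The configuration text it parses is constructed to mirror the commands shown in the slides; the parser assumes one interface per allocate-interface line (interface ranges are not handled, and an optional mapped name after the interface is ignored).

```python
"""Audit an ASA multiple-context system configuration for tenant-isolation
mistakes: a sub-interface allocated to more than one context, a context with
no config-url, or an admin-context directive naming an undefined context.

Added example, not from the original slides. The sample configurations are
constructed to mirror the commands shown there.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Context:
    name: str
    interfaces: List[str] = field(default_factory=list)
    config_url: Optional[str] = None


def parse_system_config(text: str) -> Tuple[Optional[str], Dict[str, Context]]:
    """Return (admin context name, contexts by name) from system-space config text."""
    contexts: Dict[str, Context] = {}
    admin: Optional[str] = None
    current: Optional[Context] = None  # context whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        kw = tokens[0].lower()
        if kw == "interface":
            current = None  # interface blocks are not part of any context
        elif kw == "admin-context" and len(tokens) == 2:
            admin = tokens[1]
        elif kw == "context" and len(tokens) == 2:
            current = contexts.setdefault(tokens[1], Context(tokens[1]))
        elif kw == "allocate-interface" and current is not None and len(tokens) >= 2:
            # Interface IDs are case-insensitive on the ASA; normalise so that
            # "gigabitethernet0/1.11" and "GigabitEthernet0/1.11" compare equal.
            # Assumption: one interface per line; a mapped name (3rd token) is ignored.
            current.interfaces.append(tokens[1].lower())
        elif kw == "config-url" and current is not None and len(tokens) == 2:
            current.config_url = tokens[1]
    return admin, contexts


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    admin, contexts = parse_system_config(text)
    findings: List[str] = []
    if admin is None:
        findings.append("no admin-context defined")
    elif admin not in contexts:
        findings.append(f"admin-context '{admin}' is not a defined context")
    owners: Dict[str, List[str]] = {}
    for ctx in contexts.values():
        if ctx.config_url is None:
            findings.append(f"context '{ctx.name}' has no config-url")
        if not ctx.interfaces:
            findings.append(f"context '{ctx.name}' has no interfaces allocated")
        for ifname in ctx.interfaces:
            owners.setdefault(ifname, []).append(ctx.name)
    # A shared interface is legal on the ASA, but in a per-customer design it
    # means two tenants sit on the same segment, so it is flagged for review.
    for ifname, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"interface {ifname} shared by contexts {', '.join(names)}")
    return findings


# Constructed sample matching the lab configuration in the slides.
GOOD_CONFIG = """
interface GigabitEthernet0/1.11
 vlan 11
!
interface GigabitEthernet0/0.21
 vlan 21
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context c1
  allocate-interface gigabitethernet0/0.21
  allocate-interface gigabitethernet0/1.11
  config-url disk0:/c1.cfg
!
context c2
  allocate-interface gigabitethernet0/0.22
  allocate-interface gigabitethernet0/1.12
  config-url disk0:/c2.cfg
"""

# Constructed sample with three typical mistakes: the admin-context points at a
# context that was never created, c2 lost its config-url, and a typo allocated
# Customer1's inside sub-interface to c2 as well.
BAD_CONFIG = """
admin-context mgmt
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
context c1
  allocate-interface gigabitethernet0/0.21
  allocate-interface gigabitethernet0/1.11
  config-url disk0:/c1.cfg
context c2
  allocate-interface gigabitethernet0/0.22
  allocate-interface GigabitEthernet0/1.11
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against the output of `show running-config` taken in the system execution space (after `changeto system`); any finding on a production box deserves a look before the customer contexts go live.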