Cisco经典文档

当前位置: 首页Cisco经典文档PIX/ASA 7.x 及更高版本: 多上下文(Multiple Context )配置示例_英文原版


PIX/ASA 7.x and Above: Multiple Context Configuration Example

            

 

                                                       文档下载:

切换至中文版


Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Related Products
      Conventions
Background Information
      Context Configuration Files
      Management Access to Security Contexts
Configure
      Network Diagram
      Enable or Disable Multiple Context Mode
      Configure a Security Context
      ASA 8.x - System Execution Space Configuration
      Change Between Contexts and the System Execution Space
      ASA - Context1 Configuration
      ASA - Context2 Configuration
      Save Configuration Changes in Multiple Context Mode
Verify
Troubleshoot
      Restore Single Context Mode
      Assigning the Same IP Address for Multiple Interfaces in Multiple Context Mode
      Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode
      Rename the Context
      Delete Context


Introduction

This document describes the steps used to configure multiple context in security appliances.

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which include routing tables, firewall features, IPS, and management. Some features are not supported, which include VPN and dynamic routing protocols.

You can use multiple security contexts in these situations:

  • You are a service provider and want to sell security services to many customers. If you enable multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

  • You are a large enterprise or a college campus and want to keep departments completely separate.

  • You are an enterprise that wants to provide distinct security policies to different departments.

  • You have any network that requires more than one security appliance.

Note: In Multi-context mode, you can upgrade or downgrade the PIX/ASA software only in the System EXEC mode, not in the other context modes.

For more information about the steps used to configure multiple context in the Firewall Service Module (FWSM), refer to FWSM: Multiple Context Configuration Example.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5500 Series Adaptive Security Appliance runs with Software Version 7.x and later.

    Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with Cisco PIX 500 Series Security Appliance Version 7.x and later.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Context Configuration Files

Context Configurations

The security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. You can store context configurations on the internal Flash memory or the external Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.

System Configuration

The system administrator adds and manages contexts by the configuration of each context configuration location, allocated interfaces, and other context operational parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as context downloads from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context, but, because logging into the admin context grants you administrator privileges over all contexts, you need to restrict access to the admin context to appropriate users. The admin context must reside on Flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

Note: Admin context is not counted in the context license. For example, if you get the license for two contexts, you are allowed to have the admin context and two other contexts.

Management Access to Security Contexts

The security appliance provides system administrator access in multiple context mode, as well as access for individual context administrators. These sections describe logging in as a system administrator or as a a context administrator:

System Administrator Access

You can access the security appliance as a system administrator in two ways:

  • Access the security appliance console.

    From the console, you access the system execution space.

  • Access the admin context with Telnet, SSH, or ASDM.

    See "Managing System Access," to enable Telnet, SSH, and SDM access.

As the system administrator, you can access all contexts.

When you change to a context from admin or the system, your username changes to the default "enable_15" username. If you configured command authorization in that context, you need to either configure authorization privileges for the "enable_15" user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. In order to log in with a username, enter the login command. For example, you log in to the admin context with the username "admin." The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user "admin" with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as "admin" with the login command. When you change to context B, you must again enter the login command to log in as "admin."

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access

You can access a context with Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

multiple-context1.gif

Note: The ports on the switch that are connected to ASA must be in trunk mode since multiple VLAN traffic has to travel through it once the ASA interfaces are broken into sub-interfaces.

Enable or Disable Multiple Context Mode

Your security appliance is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you upgrade, you might need to convert from single mode to multiple mode. This section explains the procedures to upgrade. ASDM does not support changing modes, so you need to change modes with the CLI.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so, if it differs from the running configuration, you must back it up before you proceed.

Enable Multiple Context Mode

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match with the mode command.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."

In order to enable multiple mode, enter this command:

hostname(config)# mode multiple

You are prompted to reboot the security appliance.

CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode

Rebooting....

Booting system, please wait...
*
*
!--- output suppressed

*
*
INFO: Admin context is required to get the interfaces
*** Output from config line 20, "arp timeout 14400"
Creating context 'admin'... Done. (1)
*** Output from config line 23, "admin-context admin"

Cryptochecksum (changed): a219baf3 037b31b4 09289829 1ab9790a

*** Output from config line 25, "  config-url flash:/admi..."

Cryptochecksum (changed): d4f0451b 405720e1 bbccf404 86be061c
Type help or '?' for a list of available commands.
CiscoASA>

After reboot, this is the default configuration of the ASA:

ASA 8.x Default Configuration

CiscoASA# show running-config
: Saved
:
ASA Version 8.0(2) <system>
!
hostname CiscoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
   config-url disk0:/admin.cfg
!
!--- admin context is created
!--- by default once you enable 
!--- multiple mode


prompt hostname context
Cryptochecksum:410be16e875b7302990a831a5d91aefd
: end

 

Configure a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.

Note: If you do not have an admin context (for example, if you clear the configuration), you must first specify the admin context name when you enter this command:

hostname(config)# admin-context <name>

Note: Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.

In order to add or change a context in the system configuration, perform these steps:

  1. In order to add or modify a context, enter this command in the system execution space:

    hostname(config)# context <name>
    

    The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

    "System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.

  2. (Optional) In order to add a description for this context, enter this command:

    hostname(config-ctx)# description text
    
    
  3. In order to specify the interfaces that you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces.

    • In order to allocate a physical interface, enter this command:

      hostname(config-ctx)# allocate-interface 
      <physical_interface> [mapped_name] 
      [visible | invisible]
      
    • In order to allocate one or more subinterfaces, enter this command:

      hostname(config-ctx)# allocate-interface 
      <physical_interface.subinterface[-physical_interface.subinterface]>
      [mapped_name[-mapped_name]] [visible | invisible]
      

      You can enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, any context commands that include this interface are removed from the running configuration.

  4. In order to identify the URL from which the system downloads the context configuration, enter this command:

    hostname(config-ctx)# config-url url
    
    

    Note: Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration can include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.

In this scenario, follow the steps in the table to configure the multiple context.

There are two customers, Customer A and Customer B. Create three multiple contexts (virtually three ASAs ) in a single ASA box such as Context1 for Customer A , Context2 for Customer B, and Admin Context to administrate the ASA contexts.

Create two subinterfaces for each context for inside and outside connection. Assign the different VLANs for each subinterface.

Create the two subinterfaces in ethernet 0/0 as ethernet 0/0.1, ethernet 0/0.2 for outside connection of context1 and context2, respectively. Similarly, create two subinterfaces in ethernet 0/1 as ethernet 0/1.1, ethernet 0/1.2 for inside connection of context1 and context2, respectively.

Assign vlan for each subinterface such as vlan 2 for ethernet 0/0.1, vlan3 for ethernet 0/1.1,vlan 4 for ethernet 0/0.2, vlan5 for ethernet 0/1.2.

ASA Multiple Context Configuration Steps

:

!--- Outside interface for context1 and context2.
!--- Create the sub interface in 
!--- outside interface for context1 and context2.


ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no shutdown

!--- Inside interface for context1 and context2.
!--- Create the sub interface in 
!--- inside interface for context1 and context2.


ciscoasa(config)# interface Ethernet0/1
ciscoasa(config-if)# no shutdown


!--- Outside interface for admin context 
!--- to access the ASA from outside network
!--- using telnet or SSH.


ciscoasa(config-if)# interface Ethernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# vlan 6


!--- Inside interface for admin context 
!--- to access the ASA from inside network
!--- using telnet or SSH.


ciscoasa(config-if)# interface Ethernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# vlan 7


!--- Context1 outside subinterface

ciscoasa(config-subif)# interface Ethernet0/0.1
ciscoasa(config-subif)# vlan 2

!--- !--- Context1 inside subinterface

ciscoasa(config-subif)# interface ethernet 0/1.1
ciscoasa(config-subif)# vlan 3

!--- !--- Context2 outside subinterface

ciscoasa(config-subif)# interface ethernet 0/0.2
ciscoasa(config-subif)# vlan 4

!--- !--- Context2 inside subinterface

ciscoasa(config-subif)# interface ethernet 0/1.2
ciscoasa(config-subif)# vlan 5

!--- Customer A Context as Context1


ciscoasa(config)# context context1
Creating context 'context1'... Done. (3)
ciscoasa(config-ctx)# allocate-interface 
   Ethernet0/0.1 outside-context1
ciscoasa(config-ctx)# allocate-interface 
   Ethernet0/1.1 inside-context1

!--- To specify the interfaces 
!--- used for the context1

ciscoasa(config-ctx)# config-url disk0:/context1.cfg

!--- To identify the URL from which the 
!--- system downloads the context configuration.


ciscoasa(config-ctx)# exit

!--- Customer B Context as Context2


ciscoasa(config)# context context2
Creating context 'context2'... Done. (3)
ciscoasa(config-ctx)# allocate-interface 
   Ethernet0/0.2 outside-context2
ciscoasa(config-ctx)# allocate-interface 
   Ethernet0/1.2 inside-context2
ciscoasa(config-ctx)# config-url 
   disk0:/context2.cfg

ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Ethernet0/2 outside
ciscoasa(config-ctx)# allocate-interface Ethernet0/3 inside


 

ASA 8.x - System Execution Space Configuration

ASA 8.x - System Execution Space Configuration

ciscoasa# sh run


ASA Version 8.0(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/0.1
 vlan 2
!
interface Ethernet0/0.2
 vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/1.1
 vlan 3
!
interface Ethernet0/1.2
 vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0


admin-context admin
context admin
  allocate-interface Ethernet0/2 outside
  allocate-interface Ethernet0/3 inside
  config-url disk0:/admin.cfg
!


context context1
  allocate-interface Ethernet0/0.1 outside-context1
  allocate-interface Ethernet0/1.1 inside-context1
  config-url disk0:/context1.cfg
!

context context2
  allocate-interface Ethernet0/0.2 outside-context2
  allocate-interface Ethernet0/1.2 inside-context2
  config-url disk0:/context2.cfg
!

prompt hostname context
Cryptochecksum:9e8bc648b240917631fa5716a007458f
: end

 

Change Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context with Telnet or SSH), you can change between contexts, as well as perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) when you enter the show running-config command. Only the current configuration displays.

In order to change between the system execution space and a context, or between contexts, see these commands:

  • In order to change to a context, enter this command:

    hostname# changeto context <context name>
    

    The prompt changes to this:

    hostname/name#
    
  • In order to change to the system execution space, enter this command

    hostname/admin# changeto system
    

    The prompt changes to this:

    hostname#
    

ASA - Context1 Configuration

In order to configure the context1, change to the context1 and follow the procedure:


!--- From the system execution space, 
!--- enter the command
!--- "changeto context context1 
!--- to configure the context1 configuration"

ciscoasa(config)# changeto context context1
ciscoasa/context1(config)#

ASA 8.x - Context1 Default Configuration

ciscoasa/context1(config)# show run


!--- Default configuration of the context1



ASA Version 8.0(2) <context>
!
hostname context1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface outside-contex1
 no nameif
 no security-level
 no ip address
!
interface inside-contex1
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 
   0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 
   1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 
   0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end

 

Customer A Configuration for Internet connectivity.

ASA 8.x - Configuration of Context1


!--- Configuring Context1 for customer A


ciscoasa/context1# conf t
ciscoasa/context1(config)# int outside-context1
ciscoasa/context1(config-if)# ip add 10.1.1.1 255.255.255.0
ciscoasa/context1(config-if)# no shutdown
ciscoasa/context1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

ciscoasa/context1(config-if)# int inside-context1
ciscoasa/context1(config-if)# ip add 172.16.1.1 255.255.255.0
ciscoasa/context1(config-if)# no shutdown
ciscoasa/context1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/context1(config-if)# exit

ciscoasa/context1(config)# access-list outbound permit ip any any
ciscoasa/context1(config)# nat (inside-context1) 1 access-list outbound
ciscoasa/context1(config)# global (outside-context1) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa/context1(config)# route outside-context1 0.0.0.0 0.0.0.0 10.1.1.2
ciscoasa/context1(config)# exit

 

ASA 8.x - Context1 Configuration

ciscoasa/context1(config)# show run

ciscoasa/context1# sh run
: Saved
:
ASA Version 8.0(2) <context>
!
hostname context1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface outside-context1
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface inside-context1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list outbound extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (outside-context1) 1 interface
nat (inside-context1) 1 access-list outbound
route outside-context1 0.0.0.0 0.0.0.0 10.1.1.2 1


!--- Output Suppressed

!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa/context1#

 

ASA - Context2 Configuration

Customer B Configuration for Internet connectivity.

In order to configure the context2, change to context2 from context1:


!--- From the system execution space, enter the command
!--- "changeto context context2
---to configure the context2 configuration"

ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)#

ASA 8.x - Context2 Configuration

ciscoasa/context2(config)# show run
ASA Version 8.0(2) <context>
!
hostname context2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface inside-context2
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
interface outside-context2
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!

!--- Output Suppressed

!
access-list outbound extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (outside-context2) 1 interface
nat (inside-context2) 1 access-list outbound
route outside-context2 0.0.0.0 0.0.0.0 10.2.2.2 1


!--- Output Suppressed

!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end

 

Similarly configure the admin context to administrate the ASA and its contexts from the inside and outside interface.

Save Configuration Changes in Multiple Context Mode

You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes these topics:

Save Each Context and System Separately

In order to save the system or context configuration, enter this command within the system or context:

hostname# write memory

Note: The copy running-config startup-config command is equivalent to the write memory command.

For multiple context mode, context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server that you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server.

Save All Context Configurations at the Same Time

In order to save all context configurations at the same time, as well as the system configuration, enter this command in the system execution space:

hostname# write memory all [/noconfirm]

If you do not enter the /noconfirm keyword, you see this prompt:

Are you sure [Y/N]:

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show flash—Verify that the context configuration file is stored in flash.

  • show mode—Verify that the ASA is configured as a single or multiple mode.

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
   71  14524416    Jul 23 2007 23:11:22  asa802-k8.bin
   75  6889764     Jul 23 2007 23:32:16  asdm-602.bin
    2  4096        Jul 23 2007 23:51:36  log
    6  4096        Jul 23 2007 23:51:48  crypto_archive
   76  2635734     Aug 12 2007 22:44:50  anyconnect-win-2.0.0343-k9.pkg
   77  1841        Sep 20 2007 04:21:38  old_running.cfg
   78  1220        Sep 20 2007 04:21:38  admin.cfg

ciscoasa/context2# sh mode
Security context mode: multiple

Troubleshoot

Restore Single Context Mode

If you convert from multiple mode to single mode, it is possible to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a completely functional configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy.

In order to copy the old running configuration to the startup configuration and to change the mode to single mode, perform these steps in the system execution space:

  1. In order to copy the backup version of your original running configuration to the current startup configuration, enter this command in the system execution space:

    hostname(config)# copy flash:old_running.cfg startup-config
    
    
  2. In order to set the mode to single mode, enter this command in the system execution space:

    hostname(config)# mode single
    

The security appliance reboots.

Assigning the Same IP Address for Multiple Interfaces in Multiple Context Mode

You can assign the same IP address to multiple interfaces in a different context. Although this is possible, a separate MAC address must be assigned for this interface in each context in order to classify the traffic into the context as shown.

Note: If the admin does not wish to assign the MAC address with the manual method, you can use the mac-address auto command. This command assigns the MAC address automatically to all interfaces, inclusive of subinterfaces.

This is an example configuration:

context test1

   allocate-interface Ethernet0/2

   allocate-interface Ethernet0/2.1

   config-url disk0:/test1

!
!

context test2

   allocate-interface Ethernet0/2

   allocate-interface Ethernet0/2.200

   config-url disk0:/test2


ciscoasa(config)# change context test1

ciscoasa/test1(config)# int e0/2.1

ciscoasa/test1(config-if)# ip address 4.4.4.4

ciscoasa/test1(config-if)# change context test2

ciscoasa/test2(config)# int e0/2.200

ciscoasa/test2(config-if)# ip address 4.4.4.4

ciscoasa/test2(config-if)# exit

Note: When a packet is sent with a destination as 4.4.4.4, the firewall will follow the Classifier Rule to route that packet to the concerned context. For more information on the how the firewall classifies the packets, refer to Classifier Rule for Packet flow.

Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode

Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.

The error is shown here for your reference: ERROR: This address conflicts with another address on net.

Rename the Context

In multiple context mode, to rename a context without changing the configuration is not supported.

You can save the configuration as a firewall configuration, but you need to copy the entire configuration to a new context name and delete the old context configuration.

Delete Context

From the system space, issue this command to delete the context:

  
no context contA 

Also make sure to remove the correspondent configuration file for the context.

dir disk:
 
delete disk:/contA.cfg
 

 

 

注:本人能力有限,如遇不足之处,还请指正!

China-CCIE  QQ交流群:106155045   点击与作者QQ交谈