Cisco ASA Configuration Archives

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as “security contexts”. Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available in multiple context mode, such as IPsec and SSL VPN, dynamic routing protocols, multicast and threat detection.

All firewall models (except the ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510, which requires the Security Plus license).


Each security context that you create on the appliance has its own configuration file (filename.cfg) stored on local flash memory. This file contains the security policy, the allocated interfaces and the firewall configuration of that specific security context. By default, an admin context is always created, with the configuration file “admin.cfg”. This is just like any other security context, except that a user who logs in to the admin context has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command “mode multiple”), the firewall converts the current running configuration into two files: a new startup configuration that contains the system configuration, and “admin.cfg”, which contains the admin context (stored in the root directory of the internal flash memory). The original running configuration is saved as “old_running.cfg” (also in the root directory of the internal flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

Changing between contexts and the system execution space:

When you connect to the appliance with a console cable, you log in to the system configuration (the “system execution space”). The system execution space is the global appliance space from which you can enter specific security contexts. If you are in the system execution space and issue a “show run” command, it will ONLY show you the global system configuration and NOT the configurations of the individual security contexts. You need to change into a specific security context in order to see or change its configuration.

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:
ASA/CustomerA#

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:
ASA#

In addition to device-level failover, you can also configure interface redundancy on the same chassis of a Cisco ASA firewall. Basically, you create a logical interface pair (called a “redundant interface”) that bundles two physical interfaces. If one of the interfaces fails, the second one in the redundancy pair takes over and starts passing traffic. You can configure up to 8 redundant interface pairs. After you configure the redundant interface pair, all security appliance configuration refers to this logical redundant interface instead of the member physical interfaces.

The following guidelines apply to a redundant interface and its members:

  • You must first remove the name of the physical interface (using the no nameif command) before adding it to the logical redundant interface.
  • Both member interfaces must be of the same physical type. That is, both must be GigabitEthernet or both must be Ethernet.
  • The only configuration available to physical interfaces that are part of a redundant interface pair is physical parameters (i.e., the shutdown command and the description command).

Configuration Example:
 
ASA(config)# interface redundant 1
ASA(config-if)# member-interface gigabitethernet 0/0
ASA(config-if)# member-interface gigabitethernet 0/1

From now on, all interface-related commands must refer to “interface redundant 1”.

Configure Static Routing on Cisco ASA Firewall

Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table, and it is essential to configure static or dynamic routing so that the appliance knows where to send packets. When a packet arrives at a network interface of the ASA firewall, it undergoes several security controls, such as ACL filtering, NAT and deep-packet inspection. After the packet passes all firewall controls, the security appliance needs to send it towards its destination address. It therefore consults its routing table to determine the outgoing interface through which the packet will be sent.

Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2 and OSPF. I recommend sticking with static routes rather than using dynamic routing. The reason is that one of the purposes of a firewall is to hide the addressing and topology of your internal trusted network. By enabling dynamic routing, you might advertise internal routes to untrusted networks, thus exposing your network to threats.

The scenario in the diagram above will help us understand how to configure static routing. The ASA connects to the Internet on the outside interface and also has DMZ and Inside zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24. LAN1 is directly connected to the Inside interface of the firewall. Additionally, there is another internal network, LAN2, with address range 192.168.2.0/24. LAN2 is not directly connected to the firewall; instead, there is an internal router with address 192.168.1.1 through which LAN2 can be reached. Therefore, in order for the ASA to reach LAN2, we need to configure a static route telling the firewall that network 192.168.2.0/24 is reachable via 192.168.1.1.

So we need to configure two static routes: one default static route for Internet access, and one internal static route to reach LAN2. For the directly connected networks (DMZ and LAN1) we don’t need static routes, since the firewall already knows about these networks as they are directly connected to its interfaces.

Configuration:

The format of the static route command is:

ASA(config)# route [interface name] [destination address] [netmask] [gateway]

! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1

! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
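To make the routing decision concrete, here is an added example (not code from the original post) that parses the two ASA route commands above into a routing table, adds the directly connected DMZ and LAN1 networks, and resolves destinations with longest-prefix match, which is how the appliance picks the outgoing interface. The interface addresses for the connected networks (10.0.0.1 and 192.168.1.254) and the sample destinations are assumptions made for the example.

```python
import ipaddress

# Added example (not from the original post): build a routing table from ASA-style
# "route" commands plus the connected networks, then resolve a destination with
# longest-prefix match the way the appliance does when it picks the egress interface.

# Constructed sample: the two route commands from the scenario above.
ROUTE_COMMANDS = [
    "route outside 0.0.0.0 0.0.0.0 200.1.1.1",
    "route inside 192.168.2.0 255.255.255.0 192.168.1.1",
]

# Constructed: the directly connected networks (DMZ and LAN1) need no route command;
# they are derived from the interface addresses. These interface IPs are assumptions.
CONNECTED = [
    ("dmz", "10.0.0.1/24"),
    ("inside", "192.168.1.254/24"),
]


def parse_route(cmd):
    """Parse 'route <iface> <dest> <mask> <gateway> [metric]' into (network, next_hop, iface)."""
    parts = cmd.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route command: {cmd!r}")
    iface, dest, mask, gateway = parts[1:5]
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return network, ipaddress.ip_address(gateway), iface


def build_table(route_cmds=ROUTE_COMMANDS, connected=CONNECTED):
    """Return a list of (network, next_hop_or_None, iface); None means directly connected."""
    table = []
    for iface, cidr in connected:
        table.append((ipaddress.ip_interface(cidr).network, None, iface))
    for cmd in route_cmds:
        table.append(parse_route(cmd))
    return table


def lookup(dst, table=None):
    """Longest-prefix match. Returns (iface, next_hop) as strings, or None if no route."""
    table = build_table() if table is None else table
    addr = ipaddress.ip_address(dst)
    candidates = [entry for entry in table if addr in entry[0]]
    if not candidates:
        return None
    network, next_hop, iface = max(candidates, key=lambda e: e[0].prefixlen)
    # Connected network: the packet is delivered to the host itself, not via a gateway.
    return iface, (str(next_hop) if next_hop is not None else str(addr))


if __name__ == "__main__":
    # 198.51.100.7 is a documentation-range address standing in for an Internet host.
    for dst in ("192.168.2.50", "192.168.1.20", "10.0.0.5", "198.51.100.7"):
        print(dst, "->", lookup(dst))
```

A LAN2 host resolves to the inside interface via 192.168.1.1, a LAN1 or DMZ host is delivered directly on its connected interface, and anything else falls through to the default route via 200.1.1.1 on the outside interface.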

Access To Hosts from Outside a Cisco ASA

Question:

Hello,

I want to enable access to a server at IP address 192.168.100.30 on port 22, located on the inside interface, from the internet (outside).

We have an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.0(2).

My config (only relevant lines):

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.

When I type telnet 172.146.147.15 22 from the public internet I can’t open port 22... so I don’t know, is something missing or wrong?

Thanks.

Solution:

Below is your outside interface config:

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

You are using 255.255.255.248 as the subnet mask, which makes 172.146.147.15 your broadcast address. That being said, you won’t be able to access it. You need to use a different address in that range; the available addresses are 172.146.147.9 to 172.146.147.14.

Regards,
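The mistake in the question is easy to make by hand, so here is an added example (not code from the original post or its author) that recomputes each interface subnet from its ip address line and checks whether the mapped address of every static translation is a usable host address rather than the subnet's network or broadcast address. The configuration excerpt is a constructed copy of the relevant lines from the question; the regular expression for the static command and the helper names are assumptions of this example.

```python
import ipaddress
import re

# Added example (not from the original post): recompute the outside subnet from the
# interface line and check whether each static translation's mapped address is a
# usable host address rather than the network or broadcast address of that subnet.

# Constructed excerpt of the configuration posted in the question (relevant lines only).
CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
!
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
"""

# Matches 'static (real,mapped) [tcp|udp] <mapped_ip> ...' (pre-8.3 static syntax).
STATIC_RE = re.compile(
    r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+"
    r"(?:(?:tcp|udp)\s+)?(?P<mapped_ip>\d+(?:\.\d+){3})"
)


def interface_subnets(config):
    """Map each nameif to the ip_network of its 'ip address' line."""
    subnets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new interface block; nameif comes later
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addr, mask = line.split()[2:4]   # ignore the optional 'standby' address
            subnets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return subnets


def role(address, network):
    """'network', 'broadcast', 'host' or 'outside-subnet' for address relative to network."""
    addr = ipaddress.ip_address(address)
    if addr not in network:
        return "outside-subnet"
    if addr == network.network_address:
        return "network"
    if addr == network.broadcast_address:
        return "broadcast"
    return "host"


def usable_range(network):
    """First and last usable host address of the subnet, as strings."""
    hosts = list(network.hosts())
    return str(hosts[0]), str(hosts[-1])


def check_statics(config):
    """Return (mapped_ip, mapped_iface, role) for every static whose mapped address
    is the network or broadcast address of the mapped interface's subnet."""
    subnets = interface_subnets(config)
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m or m["mapped"] not in subnets:
            continue
        r = role(m["mapped_ip"], subnets[m["mapped"]])
        if r in ("network", "broadcast"):
            findings.append((m["mapped_ip"], m["mapped"], r))
    return findings


if __name__ == "__main__":
    outside = interface_subnets(CONFIG)["Outside"]
    print("outside subnet:", outside, "usable hosts:", usable_range(outside))
    print("findings:", check_statics(CONFIG))
```

Run against the excerpt, the check reports the outside subnet as 172.146.147.8/29 with usable hosts .9 to .14, and flags the static translation because its mapped address .15 is the broadcast address, which is exactly the problem the answer points out. A mapped address outside the interface subnet is deliberately not flagged, since such addresses can be legitimate when they are routed to the firewall.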

With the older Cisco PIX firewall appliances, there was no way for traffic to enter a specific interface and then exit from the same interface. On the newer Cisco ASA models this is also not supported by default, but you can enable it with the same-security-traffic permit intra-interface command.

Permit same security traffic intra interface

The schematic above shows a possible scenario where this functionality can be used. All internal hosts in network 10.0.0.0/24 use the ASA as their default gateway (10.0.0.254) in order to access the Internet. However, there is another internal network range (Branch Office: 192.168.10.0/24) which is reachable via a Cisco router at 10.0.0.253. In order for the internal hosts to reach this subnet, a static route must be configured on the ASA together with the “permit intra-interface” command, as shown below:

ciscoasa(config)# route inside 192.168.10.0 255.255.255.0 10.0.0.253 1
ciscoasa(config)# same-security-traffic permit intra-interface

All traffic from internal hosts destined to subnet 192.168.10.0/24 will be redirected by the ASA firewall through the Cisco router. The feature above is supported in versions 7.2(1) and later.
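To show why the static route alone is not sufficient, here is an added example (not code from the original post) that models the branch-office scenario: a packet from an inside host to 192.168.10.0/24 enters the inside interface, and the route sends it back out of the inside interface to 10.0.0.253. That is a hairpin, which the model drops unless the intra-interface permit is set. The default gateway address 203.0.113.1 (a documentation-range address) and the function names are assumptions of this example.

```python
import ipaddress

# Added example (not from the original post): a small model of the branch-office
# scenario above. A packet that enters the inside interface and whose route also
# points out of the inside interface is a "hairpin"; it is dropped unless
# same-security-traffic permit intra-interface is configured.

# Constructed routing table: the connected inside network, the branch-office route
# from the page, and a default route whose gateway is a placeholder.
ROUTES = [
    ("10.0.0.0/24", None, "inside"),              # connected; the ASA is 10.0.0.254
    ("192.168.10.0/24", "10.0.0.253", "inside"),  # route inside 192.168.10.0 255.255.255.0 10.0.0.253 1
    ("0.0.0.0/0", "203.0.113.1", "outside"),      # placeholder ISP gateway (documentation range)
]


def egress(dst):
    """Longest-prefix match over ROUTES -> (iface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, i) for p, nh, i in ROUTES
               if addr in ipaddress.ip_network(p)]
    net, next_hop, iface = max(matches, key=lambda m: m[0].prefixlen)
    # Connected network: no gateway, deliver to the destination host itself.
    return iface, (next_hop if next_hop else dst)


def forward(ingress, dst, intra_interface_permitted):
    """Decide what the firewall does with a packet arriving on `ingress` for `dst`.
    Returns ('forwarded', egress_iface, next_hop) or ('dropped', reason)."""
    out_iface, next_hop = egress(dst)
    if out_iface == ingress and not intra_interface_permitted:
        return ("dropped",
                f"hairpin on {ingress}: needs same-security-traffic permit intra-interface")
    return ("forwarded", out_iface, next_hop)


if __name__ == "__main__":
    for permitted in (False, True):
        print("intra-interface permitted:", permitted,
              "->", forward("inside", "192.168.10.20", permitted))
```

Internet-bound traffic from the inside hosts is unaffected either way, since it leaves through the outside interface; only the branch-office flow, which enters and exits on inside, depends on the permit.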
