ASA - Contexts
- dale warner
- Aug 22, 2024
- 2 min read
Configuration example of setting up ASA contexts
mode multiple
!
mac-address auto
!
interface g0/1
no shut
interface g0/2
no shut
interface g0/3
no shut
interface g0/4
no shut
interface g0/5
no shut
interface m0/0
no shut
!
!
interface g0/1.1
vlan 501
interface g0/1.2
vlan 502
interface g0/2.1
vlan 503
interface g0/2.2
vlan 504
interface g0/3.1
vlan 505
interface g0/3.2
vlan 506
!
!
admin-context admin
context admin
config-url disk0:/admin.cfg
allocate-interface management 0/0
!
context C1
allocate-interface g0/1.1 INSIDE_C1
allocate-interface g0/2.1 DMZ_C1
allocate-interface g0/3.1 OUTSIDE_C1
config-url disk0:/C1.cfg
!
context C2
allocate-interface g0/1.2 INSIDE_C2
allocate-interface g0/2.2 DMZ_C2
allocate-interface g0/3.2 OUTSIDE_C2
config-url disk0:/C2.cfg
After the initial setup, you can drop into the context to begin its configuration.
changeto context C1
!
interface INSIDE_C1
nameif INSIDE
security-level 100
ip address x.x.x.x x.x.x.x
!
interface DMZ_C1
nameif DMZ
security-level 50
ip address x.x.x.x x.x.x.x
!
interface OUTSIDE_C1
nameif OUTSIDE
security-level 0
ip address x.x.x.x x.x.x.x
!
monitor-interface INSIDE
monitor-interface DMZ
monitor-interface OUTSIDE
Dropping out of the context and back into the system execution space, you can assign specific resource limits to a context by placing it in a resource class. Below is an example.
changeto system
!
class default
limit-resource conns 20%
limit-resource routes 500
limit-resource vpn other 5
!
class GOLD
limit-resource mac-addresses 10000
limit-resource conns 15%
limit-resource rate conns 1000
limit-resource rate inspects 500
limit-resource hosts 9000
limit-resource asdm 5
limit-resource ssh 5
limit-resource rate syslogs 5000
limit-resource telnet 5
limit-resource xlates 36000
!
!
context C1
member GOLD
!
context C2
member default
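The resource-class rules above are easy to misread from a running config, because a context in a custom class still inherits every limit that class leaves unset from the default class, and percentage limits can be oversubscribed across contexts. The following Python script is an added example (not from the original post): it parses the system-context configuration, computes each context's effective limits, flags percentage oversubscription, and lists interfaces allocated to more than one context (which need unique per-context MACs, such as `mac-address auto`, for packet classification). The sample config is constructed from the post's classes and contexts plus a hypothetical PLATINUM class and C3 context (which also shares g0/3.2 with C2) to exercise the checks; the ASA's built-in per-resource defaults are not modelled.

```python
"""Compute what each ASA security context actually gets from the system config:
effective resource limits, percentage oversubscription, and shared interfaces.
Example code, not Cisco's; the sample configuration below is constructed."""
from collections import defaultdict

# Constructed sample: classes/contexts from the post, plus hypothetical PLATINUM and C3.
SYSTEM_CONFIG = """\
context C1
  allocate-interface g0/1.1 INSIDE_C1
  allocate-interface g0/2.1 DMZ_C1
  allocate-interface g0/3.1 OUTSIDE_C1
  config-url disk0:/C1.cfg
!
context C2
  allocate-interface g0/1.2 INSIDE_C2
  allocate-interface g0/2.2 DMZ_C2
  allocate-interface g0/3.2 OUTSIDE_C2
  config-url disk0:/C2.cfg
!
context C3
  allocate-interface g0/3.2 OUTSIDE_C3
  config-url disk0:/C3.cfg
!
class default
  limit-resource conns 20%
  limit-resource routes 500
  limit-resource vpn other 5
!
class GOLD
  limit-resource mac-addresses 10000
  limit-resource conns 15%
  limit-resource rate conns 1000
  limit-resource hosts 9000
  limit-resource ssh 5
!
class PLATINUM
  limit-resource conns 70%
!
context C1
  member GOLD
!
context C2
  member default
!
context C3
  member PLATINUM
"""


def parse_system_config(text):
    """Return (classes, contexts).
    classes:  {name: {resource_key: value}}, e.g. {'rate conns': '1000'}
    contexts: {name: {'class': str, 'interfaces': [physical, ...]}}
    A context with no 'member' line belongs to the default class."""
    classes, contexts = {}, {}
    cur_class = cur_ctx = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        kw = tokens[0]
        if kw == "class":
            cur_class, cur_ctx = tokens[1], None
            classes.setdefault(cur_class, {})
        elif kw == "context":
            cur_ctx, cur_class = tokens[1], None
            contexts.setdefault(cur_ctx, {"class": "default", "interfaces": []})
        elif kw == "limit-resource" and cur_class:
            # Key is everything between the keyword and the value:
            # 'conns', 'rate conns', 'vpn other'.
            classes[cur_class][" ".join(tokens[1:-1])] = tokens[-1]
        elif kw == "member" and cur_ctx:
            contexts[cur_ctx]["class"] = tokens[1]
        elif kw == "allocate-interface" and cur_ctx:
            contexts[cur_ctx]["interfaces"].append(tokens[1])
    return classes, contexts


def effective_limits(classes, contexts):
    """A member class overrides the default class, but any resource it leaves
    unset is inherited from default. A resource set in neither class falls back
    to the ASA's built-in default for that resource (not modelled here)."""
    default = classes.get("default", {})
    return {ctx: {**default, **classes.get(info["class"], {})}
            for ctx, info in contexts.items()}


def oversubscribed(limits_by_context):
    """Sum percentage limits per resource across all contexts; a total above
    100% means the contexts can collectively claim more than the unit has."""
    totals = defaultdict(float)
    for limits in limits_by_context.values():
        for key, value in limits.items():
            if value.endswith("%"):
                totals[key] += float(value[:-1])
    return {k: v for k, v in totals.items() if v > 100}


def shared_interfaces(contexts):
    """Interfaces allocated to more than one context. Sharing is allowed, but the
    classifier then needs unique per-context MACs (mac-address auto) or distinct
    destination addresses to deliver packets to the right context."""
    owners = defaultdict(list)
    for ctx, info in contexts.items():
        for intf in info["interfaces"]:
            owners[intf].append(ctx)
    return {i: sorted(c) for i, c in owners.items() if len(c) > 1}


if __name__ == "__main__":
    classes, contexts = parse_system_config(SYSTEM_CONFIG)
    limits = effective_limits(classes, contexts)
    for ctx in sorted(limits):
        print(ctx, contexts[ctx]["class"], limits[ctx])
    print("oversubscribed:", oversubscribed(limits))
    print("shared interfaces:", shared_interfaces(contexts))
```

To use it on a real unit, replace SYSTEM_CONFIG with the output of `show running-config` taken from the system execution space; the script needs no network access and only reads the `class`, `context`, `limit-resource`, `member` and `allocate-interface` lines.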
You can also view a context's resource allocation with the following command:
show resource allocation detail
| Resource Name | Rate or Concurrent | Min/Max | System Limit | Description |
|---|---|---|---|---|
| mac-addresses | concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table |
| conns | concurrent or rate | N/A | N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts |
| inspects | rate | N/A | N/A | Application inspections |
| hosts | concurrent | N/A | N/A | Hosts that can connect through the security appliance |
| asdm | concurrent | 1/5 | 32 | ASDM management sessions |
| ssh | concurrent | 1/5 | 100 | SSH sessions |
| syslogs | rate | N/A | N/A | System log messages |
| telnet | concurrent | 1/5 | 100 | Telnet sessions |
| xlates | concurrent | N/A | N/A | Address translations |