CCIE Security Notes: ASA Context Notes (9.6.1)

Multicontext Mode

  • Failover - Active/Active failover only supported 
  • Cross-Context IPv6 routing not supported
  • Other features not supported:
    • RIP
    • OSPFv3
    • Multicast routing
    • Threat Detection
    • Unified Communications
    • QoS
  • VPN features not supported for RA VPN in multicontext mode:
    • IKEv1 & IKEv2
    • Stateful failover
    • AnyConnect image configuration per context
    • WebLaunch
    • Client profile download
    • CSD/HostScan
    • VPN load balancing
    • Customization/Localization
  • Context mode not stored in config file


System Configuration:

  • Configure each context configuration location
  • Allocate interfaces 
  • Configure context operating parameters
  • Note: The system configuration does not include network interfaces or network settings for itself. When it needs network resources, it uses the admin context. The system configuration does include a dedicated failover interface for failover traffic.

Admin Context:

  • User that logs into this context has system admin rights and can access the system and all other contexts
  • Not restricted and can be used as a regular context
  • Can't reside remotely. Has to reside in flash in a file called admin.cfg
  • After putting the ASA into multiple mode, you can connect to the admin context using the default management IP address

Cascading Security Contexts: 

  • Placing a context directly in front of another context
  • Outside interface of one context is the same interface as the inside interface of another context
  • Requires unique MAC address for each context interface

ASA Packet Classification & Contexts: 

  • If destination MAC address is multicast or broadcast MAC, packet is delivered to each context
  • For management traffic, interface IP address is the classifier and routing table isn't used 
  • Unique Interfaces - If only one context with the ingress interface, ASA will associate it with that context. 
  • Unique MAC Address - If it's a shared interface that has a unique MAC address for each context, the ASA will use that to classify the context. Can be configured automatically with the mac-address auto command in the system execution space or manually on each interface. 
  • NAT Configuration - If MAC addresses aren't unique, ASA will use the mapped address of the NAT configuration to classify the context. MAC addresses are the recommended best practice before this
  • For transparent firewalls, you must use unique interfaces


Management Access to Contexts

System Administrator Access:

  • ASA console
  • Admin context using Telnet, SSH, or ASDM

Context Administrator Access:

  • Telnet, SSH or ASDM


MAC Addresses

  • Auto MAC generation is disabled by default, so you should enable it if you can. When enabled, it auto-generates the MAC prefix based on the last two bytes of the interface or backplane MAC address. The prefix can also be customized. 
  • When using failover, ASA generates both active and standby MAC addresses for each interface. 
  • MAC address format: A2xx.yyzz.zzzz
    • xx.yy = User-defined prefix or autogenerated prefix
    • zz.zzzz = Internal counter generated by the ASA
  • Standby MAC is identical to the above format but the counter is increased by one.


Resource Management

  • By default, all security contexts have unlimited access to the resources of the ASA with the exception of VPN resources which are disabled by default.
  • Can deny a context resources using resource management
  • ASA lets you assign unlimited access to one or more resources in a class instead of a percentage or number.
  • Configuration is done in the system execution space

Resource Classes:

  • ASA assigns contexts to resource classes. By default, all the contexts belong to the default class if not assigned to a new one by the admin. 
  • Context uses resource limits set by the class 
  • Assign the context to the class when defining the context
  • A context can only be assigned to one resource class. Any limit that is undefined in that class is inherited from the default class

Resource Limits:

  • A resource limit can be set as a percentage (only if the resource has a hard system limit) or as an absolute value 
  • ASA doesn't set aside a portion of the resources for each context assigned to the class. It sets the maximum limit for the context
  • You can oversubscribe the contexts or allow some resources to be unlimited. The exception is VPN resources which can't be oversubscribed so the resource limits that are assigned are absolute for each context. 
  • ASA supports a burst VPN resource type which is equal to the remaining unassigned VPN sessions and the burst sessions can be oversubscribed 
  • Resources without a system limit cannot have a percentage set to them 

Default Class:

  • Default class provides unlimited resources to all contexts except the following:
    • Telnet sessions - 5 sessions per context
    • SSH sessions - 5 sessions per context
    • IPsec sessions - 5 sessions per context
    • MAC address - 65,535 entries per context
    • AnyConnect Peers - 0 sessions as this has to be manually configured to allow
    • VPN site-to-site tunnels - 0 sessions as this must be manually configured to allow 


Configuration

  • To enable multicontext mode, use the command mode multiple. The ASA will reboot and once it does, it'll convert the running config into two files - one is a startup config that has the system configuration and the other is admin.cfg which has the admin context. The original running config is saved to the old_running.cfg file. 
  • Changing back to single mode is easy enough: copy the old running config to the startup config and then use the mode single command. 
  • Configure auto mac address creation using mac-address auto [prefix prefix] command
  • If there is no admin context, you first have to create one using the admin-context name command, then use context name to continue configuring it from there.
  • Create a class if you want: class name
    • Set the resource limit for the resource type:
      limit-resource [rate] resource-name number [%]
    • Specifying all as the resource name configures every resource with the same value. A limit set for a specific resource overrides the all value
    • Command rate only used for certain resources to set the rate per second
    • 0 = unlimited
  • To create a complete new context:
    context name
  • Can add a description of the context if you want:
    description description
  • Allocate an interface: You can give it a mapped name, which is essentially an alias. The visible/invisible keywords control whether context users get to see the real interface ID when they issue show interface:
    allocate-interface interface [mapped-name] [visible|invisible]
  • Configure  the URL where the context configuration is downloaded:
    config-url url
  • You can allow a context to use flash memory to store VPN packages or other files. A context label is used in the path so the context admin won't see the real file system location:
    storage-url {private | shared} path [context-label]
  • You can optionally assign a resource class to the context:
    member class
  • You can join the context to a failover group using the following command:
    join-failover-group {1 | 2}
    Note: there can only be 2 failover groups
  • Changing between contexts: changeto context name
  • Removing a single context: no context name
  • Removing all contexts: clear context
  • Reload a security context (two methods): 
    • Clear the running config and import the startup config from within the context:
      • clear configuration all
      • copy startup-config running-config
    • Or remove the context from the system configuration and then re-add it
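A worked system-execution-space configuration that ties together the Configuration steps above and the cascading-context layout described earlier (added example, not from the original notes; interface names, context and class names, and the prefix value are assumptions):

```text
! System execution space: constructed example, not from the original notes.
! Interface names, context names, class name and prefix value are assumed.
mode multiple
!
! Enable auto MAC generation with a user-defined prefix (format A2xx.yyzz.zzzz)
mac-address auto prefix 19
!
! Admin context: must live in flash as admin.cfg
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! Resource class: percentages only for resources with a hard system limit,
! absolute values otherwise; the rate keyword sets a per-second limit
class gold
  limit-resource conns 30%
  limit-resource rate conns 5000
  limit-resource telnet 5
  limit-resource ssh 5
  limit-resource mac-addresses 10000
!
! Cascading pair: ctx-edge's inside interface is the same physical interface
! as ctx-core's outside interface, so both contexts need unique MACs on it
! (provided by mac-address auto above)
context ctx-edge
  description Edge context
  allocate-interface GigabitEthernet0/0 edge-outside invisible
  allocate-interface GigabitEthernet0/1 edge-inside invisible
  config-url disk0:/ctx-edge.cfg
  member gold
  join-failover-group 1
!
context ctx-core
  description Core context
  allocate-interface GigabitEthernet0/1 core-outside invisible
  allocate-interface GigabitEthernet0/2 core-inside visible
  config-url disk0:/ctx-core.cfg
  member gold
  join-failover-group 2
!
! Verify from the system space
show context detail
show running-config all context ctx-edge
show resource allocation detail
!
! Move into a context to check the MAC addresses it was assigned
changeto context ctx-edge
show interface | include (Interface)|(MAC)
```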

Show Commands

  • show mode
  • show resource types
  • show context [name | detail | count]
  • show resource allocation [detail]
  • show resource usage [context name | all | summary | system] [resource name | all] [detail]
  • show perfmon
  • To view all the system assigned MAC addresses from the system space:
    show running-config all context [name]
  • MAC address in a context:
    show interface | include (Interface)|(MAC)