Multiple Context Mode

This chapter describes how to configure multiple security contexts on the ASA.

About Security Contexts

You can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. For unsupported features in multiple context mode, see Guidelines for Multiple Context Mode.

This section provides an overview of security contexts.

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:

  • You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the ASA, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

  • You are a large enterprise or a college campus and want to keep departments completely separate.

  • You are an enterprise that wants to provide distinct security policies to different departments.

  • You have any network that requires more than one ASA.

Context Configuration Files

This section describes how the ASA implements multiple context mode configurations.

Context Configurations

For each context, the ASA includes a configuration that identifies the security policy, interfaces, and all the options you can configure on a standalone device. You can store context configurations in flash memory, or you can download them from a TFTP, FTP, or HTTP(S) server.

System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the ASA Classifies Packets

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send a packet.


Note


If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.


Valid Classifier Criteria

This section describes the criteria used by the classifier.


Note


For management traffic destined for an interface, the interface IP address is used for classification.

The routing table is not used for packet classification.


Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses unique MAC addresses assigned to the interface in each context. An upstream router cannot route directly to a context without unique MAC addresses. You can enable auto-generation of MAC addresses. You can also set the MAC addresses manually when you configure each interface.

NAT Configuration

If you do not enable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.

Classification Examples

The following figure shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

Figure 1. Packet Classification with a Shared Interface Using MAC Addresses

Note that all new incoming traffic must be classified, even from inside networks. The following figure shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Figure 2. Incoming Traffic from Inside Networks

For transparent firewalls, you must use unique interfaces. The following figure shows a packet destined to a host on the Context B inside network from the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.

Figure 3. Transparent Firewall Contexts

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.


Note


Cascading contexts requires unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.


The following figure shows a gateway context with two contexts behind the gateway.

Figure 4. Cascading Contexts

Management Access to Security Contexts

The ASA provides system administrator access in multiple context mode as well as access for individual context administrators.

System Administrator Access

You can access the ASA as a system administrator in two ways:

  • Access the ASA console.

    From the console, you access the system execution space, which means that any commands you enter affect only the system configuration or the running of the system (for run-time commands).

  • Access the admin context using Telnet, SSH, or ASDM.

As the system administrator, you can access all contexts.

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access

You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context.

Management Interface Usage

The Management interface is a separate interface just for management traffic.

In routed firewall mode, you can share the Management interface across all contexts.

In transparent firewall mode, the Management interface is special. In addition to the maximum allowed through-traffic interfaces, you can also use the Management interface as a separate management-only interface. However, in multiple context mode, you cannot share any interfaces across transparent contexts. You can instead use subinterfaces of the Management interface, and assign one to each context. However, only Firepower device models allow subinterfaces on the Management interface. For ASA models, you must use a data interface or a subinterface of a data interface, and add it to a bridge group within the context.

For the Firepower 4100/9300 chassis transparent context, neither the Management interface nor subinterface retains its special status. In this case, you must treat it as a data interface, and add it to a bridge group. (Note that in single context mode, the Management interface does retain its special status.)

Another consideration about transparent mode: when you enable multiple context mode, all configured interfaces are automatically assigned to the Admin context. For example, if your default configuration includes the Management interface, then that interface will be assigned to the Admin context. One option is to leave the main interface allocated to the Admin context and manage it using the native VLAN, and then use subinterfaces to manage each context. Keep in mind that if you make the Admin context transparent, its IP address will be removed; you have to assign it to a bridge group and assign the IP address to the BVI.

About Resource Management

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.

Resource Classes

The ASA manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Resource Limits

You can set the limit for individual resources as a percentage (if there is a hard system limit) or as an absolute value.

For most resources, the ASA does not set aside a portion of the resources for each context assigned to the class; rather, the ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service to other contexts. The exception is VPN resource types, which you cannot oversubscribe, so the resources assigned to each context are guaranteed. To accommodate temporary bursts of VPN sessions beyond the amount assigned, the ASA supports a “burst” VPN resource type, which is equal to the remaining unassigned VPN sessions. The burst sessions can be oversubscribed, and are available to contexts on a first-come, first-served basis.

Default Class

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class.

For most resources, the default class provides unlimited access to resources for all contexts, except for the following limits:

  • Telnet sessions—5 sessions. (The maximum per context.)

  • SSH sessions—5 sessions. (The maximum per context.)

  • ASDM sessions—5 sessions. (The maximum per context.)

  • IPsec sessions—5 sessions. (The maximum per context.)

  • MAC addresses—65,535 entries. (The maximum for the system.)

  • AnyConnect Client peers—0 sessions. (You must manually configure the class to allow any AnyConnect Client peers.)

  • VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)

  • HTTPS sessions—6 sessions. (The maximum per context.)

The following figure shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.

Figure 5. Resource Classes

Use Oversubscribed Resources

You can oversubscribe the ASA by assigning more than 100 percent of a resource across all contexts (with the exception of non-burst VPN resources). For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended.

Figure 6. Resource Oversubscription

Use Unlimited Resources

The ASA lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned” connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. Setting unlimited access is similar to oversubscribing the ASA, except that you have less control over how much you oversubscribe the system.

Figure 7. Unlimited Resources

About MAC Addresses

You can manually assign MAC addresses to override the default. For multiple context mode, you can automatically generate unique MAC addresses (for all interfaces assigned to a context) and single context mode (for subinterfaces)..


Note


You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use the same burned-in MAC address of the parent interface. For example, your service provider might perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6 link-local addresses, which can avoid traffic disruption in certain instances on the ASA device.


MAC Addresses in Multiple Context Mode

The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then other classification methods are attempted that might not provide full coverage.

To allow contexts to share interfaces, you should enable auto-generation of virtual MAC addresses to each shared context interface.

Automatic MAC Addresses

In multiple context mode, auto-generation assigns unique MAC addresses to all interfaces assigned to a context.

If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used, if enabled.

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface.

Because auto-generated addresses (when using a prefix) start with A2, you cannot start manual MAC addresses with A2 if you also want to use auto-generation.

The ASA generates the MAC address using the following format:

A2xx.yyzz.zzzz

Where xx.yy is a user-defined prefix or an autogenerated prefix based on the last two bytes of the interface MAC address, and zz.zzzz is an internal counter generated by the ASA. For the standby MAC address, the address is identical except that the internal counter is increased by 1.

For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form:

A24D.00zz.zzzz

For a prefix of 1009 (03F1), the MAC address is:

A2F1.03zz.zzzz


Note


The MAC address format without a prefix is a legacy version. See the mac-address auto command in the command reference for more information about the legacy format.


VPN Support

For VPN resources, you must configure resource management to allow any VPN tunnels.

You can use site-to-site VPN in multiple context mode.

For remote access VPN, you must use AnyConnect 3.x and later for SSL VPN and IKEv2 protocol. You can customize flash storage per context for AnyConnect Client images and customizations, as well as using shared flash memory across all contexts. For unsupported features, see Guidelines for Multiple Context Mode. For a detailed list of supported VPN features per ASA release, see History for Multiple Context Mode.


Note


The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.


Licensing for Multiple Context Mode

Model

License Requirement

Firepower 1010

No support.

Firepower 1100

Standard License: 2 contexts.

Optional License, Maximum:

Firepower 1120: 5

Firepower 1140: 10

Firepower 1150: 25

Firepower 2100

Standard License: 2 contexts.

Optional License, Maximum:

Firepower 2110: 25

Firepower 2120: 25

Firepower 2130: 30

Firepower 2140: 40

Secure Firewall 3100

Standard License: 2 contexts.

Optional License, Maximum:

Secure Firewall 3110: 100

Secure Firewall 3120: 100

Secure Firewall 3130: 100

Secure Firewall 3140: 100

Firepower 4100

Standard License: 10 contexts.

Optional License: up to 250 contexts.

Firepower 9300

Standard License: 10 contexts.

Optional License: up to 250 contexts.

ISA 3000

No support.

ASAv

No support.


Note


If the Admin context only contains management-only interfaces, and does not include any data interfaces for through traffic, then it does not count against the limit.



Note


The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.


Prerequisites for Multiple Context Mode

After you are in multiple context mode, connect to the system or the admin context to access the system configuration. You cannot configure the system from a non-admin context. By default, after you enable multiple context mode, you can connect to the admin context by using the default management IP address.

Guidelines for Multiple Context Mode

Failover

Active/Active mode failover is only supported in multiple context mode.

IPv6

Cross-context IPv6 routing is not supported.

Unsupported Features

Multiple context mode does not support the following features:

  • RIP

  • OSPFv3. (OSPFv2 is supported.)

  • Multicast routing

  • Threat Detection

  • Unified Communications

  • QoS

  • Virtual Tunnel Interfaces (VTIs)

  • Static route tracking

Multiple context mode does not currently support the following features for remote access VPN:

  • AnyConnect 2.x and earlier

  • IKEv1

  • SAML

  • WebLaunch

  • VLAN Mapping

  • HostScan

  • VPN load balancing

  • Customization

  • L2TP

Additional Guidelines

  • The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match.

  • If you store context configurations in the root directory of flash memory, on some models you might run out of room in that directory, even though there is available memory. In this case, create a subdirectory for your configuration files. Background: some models use the FAT 16 file system for internal flash memory, and if you do not use 8.3-compliant short names, or use uppercase characters, then fewer than 512 files and folders can be stored because the file system uses up slots to store long file names (see http://support.microsoft.com/kb/120138/en-us).

  • In ACI, Policy Based Redirect (PBR) health check is executed (L2 pings) using the same MAC address on all the leaves. This results in a MAC flap. To resolve the MAC flap, you can configure the tap-mode option on the inline set. However, if the FTD high availability is configured, you must enable MAC learning for connection handling during a failover. Thus, in an ACI environment with FTD in HA pair using inline-set interfaces, to avoid packet losses, deploy the FTD in standalone or in a cluster.

Defaults for Multiple Context Mode

  • By default, the ASA is in single context mode.

  • See Default Class.

Configure Multiple Contexts

Procedure


Step 1

Enable or Disable Multiple Context Mode.

Step 2

(Optional) Configure a Class for Resource Management.

Note

 

For VPN support, you must configure VPN resources in a resource class; the default class does not allow VPN.

Step 3

Configure interfaces in the system execution space.

Step 4

Configure a Security Context.

Step 5

(Optional) Assign MAC Addresses to Context Interfaces Automatically.

Step 6

Complete interface configuration in the context. See Routed and Transparent Mode Interfaces.


Enable or Disable Multiple Context Mode

Your ASA might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you need to convert from single mode to multiple mode, follow the procedures in this section.

Enable Multiple Context Mode

When you convert from single mode to multiple mode, the ASA converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory). The original startup configuration is not saved. The ASA automatically adds an entry for the admin context to the system configuration with the name “admin.”

Before you begin

Back up your startup configuration if it differs from the running configuration. When you convert from single mode to multiple mode, the ASA converts the running configuration into two files. The original startup configuration is not saved. See Back Up and Restore Configurations or Other Files.

Procedure

Change to multiple context mode.

mode multiple

Example:

You are prompted to change the mode and convert the configuration, and then the system reloads.

Note

 

You will have to regenerate the RSA key pair in the Admin context before you can reestablish an SSH connection. From the console, enter the crypto key generate rsa modulus command. See Configure SSH Access for more information.

Example:

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
***   change mode
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
                                                                          

Restore Single Context Mode

To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps.

Before you begin

Perform this procedure in the system execution space.

Procedure

Step 1

Copy the backup version of your original running configuration to the current startup configuration:

copy disk0:old_running.cfg startup-config

Example:

ciscoasa(config)# copy disk0:old_running.cfg startup-config

Step 2

Set the mode to single mode:

mode single

Example:

ciscoasa(config)# mode single

You are prompted to reboot the ASA.


Configure a Class for Resource Management

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.

Before you begin

  • Perform this procedure in the system execution space.

  • The following table lists the resource types and the limits. See also the show resource types command.


    Note


    If the System Limit is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.


    Table 1. Resource Names and Limits

    Resource Name

    Rate or Concurrent

    Minimum and Maximum Number per Context

    System Limit

    Description

    asdm

    Concurrent

    1 minimum

    5 maximum

    200

    ASDM management sessions.

    ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 200 ASDM sessions represents a limit of 400 HTTPS sessions.

    conns

    Concurrent or Rate

    N/A

    Concurrent connections: See Supported Feature Licenses Per Model for the connection limit available for your model.

    Rate: N/A

    TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

    Note

     

    Syslog messages are generated for whichever limit is lower, xlates or conns. For example, if you set the xlates limit to 7 and the conns to 9, then the ASA only generates syslog message 321001 (“Resource 'xlates' limit of 7 reached for context 'ctx1'”) and not 321002 (“Resource 'conn rate' limit of 5 reached for context 'ctx1'”).

    hosts

    Concurrent

    N/A

    N/A

    Hosts that can connect through the ASA.

    http

    Concurrent

    1 minimum

    6 maximum

    100

    Non-ASDM HTTPS sessions

    inspects

    Rate

    N/A

    N/A

    Application inspections per second.

    mac-addresses

    Concurrent

    N/A

    65,535

    For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

    routes

    Concurrent

    N/A

    N/A

    Dynamic routes.

    vpn burst anyconnect

    Concurrent

    N/A

    The AnyConnect Client Premium Peers for your model minus the sum of the sessions assigned to all contexts for vpn anyconnect.

    The number of AnyConnect Client sessions allowed beyond the amount assigned to a context with vpn anyconnect. For example, if your model supports 5000 peers, and you assign 4000 peers across all contexts with vpn anyconnect, then the remaining 1000 sessions are available for vpn burst anyconnect. Unlike vpn anyconnect, which guarantees the sessions to the context, vpn burst anyconnect can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

    vpn anyconnect

    Concurrent

    N/A

    See Supported Feature Licenses Per Model for the AnyConnect Client Premium Peers available for your model.

    AnyConnect Client peers. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The peers you assign for this resource are guaranteed to the context.

    vpn burst other

    Concurrent

    N/A

    The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.

    The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

    vpn other

    Concurrent

    N/A

    See Supported Feature Licenses Per Model for the Other VPN sessions available for your model.

    Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

    ikev1 in-negotiation

    Concurrent (percentage only)

    N/A

    A percentage of the Other VPN sessions assigned to this context. See the vpn other resources to assign sessions to the context.

    Incoming IKEv1 SA negotiations, as a percentage of the context Other VPN limit.

    ssh

    Concurrent

    1 minimum

    5 maximum

    100

    SSH sessions.

    storage

    MB

    The maximum depends on your specified flash memory drive

    The maximum depends on your specified flash memory drive

    Storage limit of context directory in MB. Specify the drive using the storage-url command.

    syslogs

    Rate

    N/A

    N/A

    Syslog messages per second.

    telnet

    Concurrent

    1 minimum

    5 maximum

    100

    Telnet sessions.

    xlates

    Concurrent

    N/A

    N/A

    Network address translations.

Procedure


Step 1

Specify the class name and enter the class configuration mode:

class name

Example:


ciscoasa(config)# class gold

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2

Set the resource limit for a resource type:

limit-resource [rate] resource_name number[%]

Example:


ciscoasa(config-class)# limit-resource rate inspects 10

  • See the preceding table for a list of resource types. If you specify all, then all resources are configured with the same value. If you also specify a value for a particular resource, the limit overrides the limit set for all.

  • Enter the rate argument to set the rate per second for certain resources.

  • For most resources, specify 0 for the number to set the resource to be unlimited or to be the system limit, if available. For VPN resources, 0 sets the limit to none.

  • For resources that do not have a system limit, you cannot set the percentage (%); you can only set an absolute value.

  • If you also set the quota management-session command within a context to set the maximum administrative sessions (SSH, etc.), then the lower value will be used.


Example

For example, to set the default class limit for conns to 10 percent instead of unlimited, and to allow 5 site-to-site VPN tunnels with 2 tunnels allowed for VPN burst, enter the following commands:


ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 10%
ciscoasa(config-class)# limit-resource vpn other 5
ciscoasa(config-class)# limit-resource vpn burst other 2

All other resources remain at unlimited.

To add a class called gold, enter the following commands:


ciscoasa(config)# class gold
ciscoasa(config-class)# limit-resource mac-addresses 10000
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 1000
ciscoasa(config-class)# limit-resource rate inspects 500
ciscoasa(config-class)# limit-resource hosts 9000
ciscoasa(config-class)# limit-resource asdm 5
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource rate syslogs 5000
ciscoasa(config-class)# limit-resource telnet 5
ciscoasa(config-class)# limit-resource xlates 36000
ciscoasa(config-class)# limit-resource routes 5000
ciscoasa(config-class)# limit-resource vpn other 10
ciscoasa(config-class)# limit-resource vpn burst other 5

When a context is configured with a resource class, a check is made. A warning is generated if the proper licenses were not installed prior to attempting VPN remote-access connections. The administrator must then obtain an AnyConnect Apex license. For example, a warning like the following may appear:

ciscoasa(config)# class vpn
ciscoasa(config-class)# limit-resource vpn anyconnect 10.0%
ciscoasa(config-class)# context test
Creating context 'text'...Done. (3)
ciscoasa(config-ctx)# member vpn
WARNING: Multi-mode remote access VPN support requires an AnyConnect Apex license.
Warning: An Access Context license is required for remote-access VPN support in multi-mode.
ciscoasa(config-ctx)#

Configure a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, interfaces that a context can use, and other settings.

Before you begin

  • Perform this procedure in the system execution space.

  • Configure interfaces. For transparent mode contexts, you cannot share interfaces between contexts, so you might want to use subinterfaces. To plan for Management interface usage, see Management Interface Usage.

  • If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:

    
    ciscoasa(config)# admin-context name
    

    Although this context does not exist yet in your configuration, you can subsequently enter the context name command to continue the admin context configuration.

Procedure


Step 1

Add or modify a context:

context name

Example:


ciscoasa(config)# context admin

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

Note

 

“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.

Step 2

(Optional) Add a description for this context:

description text

Example:


ciscoasa(config-ctx)# description Admin Context

Step 3

Specify the interfaces you can use in the context:

To allocate an interface:

allocate-interface interface_id [mapped_name] [visible | invisible]

To allocate one or more subinterfaces:

allocate-interface interface_id.subinterface [-interface_id.subinterface] [mapped_name[-mapped_name]] [visible | invisible]

Example:


ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8

Note

 
Do not include a space between the interface type and the port number.
  • Enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration.

  • You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

  • The mapped_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces the context is using. A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names: int0 , inta , int_0 .

  • If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:

    • The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10 . If you enter gig0/1.1-gig0/1.5 happy1-sad5 , for example, the command fails.

    • The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100 . If you enter gig0/0.100-gig0/0.199 int1-int15 , for example, the command fails.

  • Specify visible to see the real interface ID in the show interface command if you set a mapped name. The default invisible keyword shows only the mapped name.

Step 4

Identify the URL from which the system downloads the context configuration:

config-url url

Example:


ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg

Step 5

(Optional) Allow each context to use flash memory to store VPN packages, such as AnyConnect Client, as well as providing storage for AnyConnect Client and clientless SSL VPN portal customizations. For example, if you are using multiple context mode to configure an AnyConnect Client profile with Dynamic Access Policies, you must plan for context specific private storage. Each context can use a private storage space as well as a shared read-only storage space. Note: Make sure the target directory is already present on the specified disk using the mkdir command.

storage-url {private | shared} [diskn:/]path [context_label]

Example:


ciscoasa(config)# mkdir disk1:/private-storage
ciscoasa(config)# mkdir disk1:/shared-storage
ciscoasa(config)# context admin
ciscoasa(config-ctx)# storage-url private disk1:/private-storage context
ciscoasa(config-ctx)# storage-url shared disk1:/shared-storage shared

You can specify one private storage space per context. You can read/write/delete from this directory within the context (as well as from the system execution space). If you do not specify the disk number, the default is disk0. Under the specified path , the ASA creates a sub-directory named after the context. For example, for contextA if you specify disk1:/private-storage for the path, then the ASA creates a sub-directory for this context at disk1:/private-storage/contextA/ . You can also optionally name the path within the context with a context_label , so that the file system is not exposed to context administrators. For example, if you specify the context_label as context , then from within the context, this directory is called context: . To control how much disk space is allowed per context, see Configure a Class for Resource Management.

You can specify one read-only shared storage space per context, but you can create multiple shared directories. To reduce duplication of common large files that can be shared among all contexts, such as AnyConnect Client packages, you can use the shared storage space. The ASA does not create context sub-directories for this storage space because it is a shared space for multiple contexts. Only the system execution space can write and delete from the shared directory.

Step 6

(Optional) Assign the context to a resource class:

member class_name

Example:


ciscoasa(config-ctx)# member gold

If you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class.

Step 7

(Optional) Assign a context to a failover group in Active/Active failover:

join-failover-group {1 | 2}

Example:


ciscoasa(config-ctx)# join-failover-group 2

By default, contexts are in group 1. The admin context must always be in group 1.

Step 8

(Optional) Enable Cloud Web Security for this context:

scansafe [license key]

Example:


ciscoasa(config-ctx)# scansafe

If you do not specify a license , the context uses the license configured in the system configuration. The ASA sends the authentication key to the Cloud Web Security proxy servers to indicate from which organization the request comes. The authentication key is a 16-byte hexidecimal number.

See the firewall configuration guide for detailed information about ScanSafe.


Example

The following example sets the admin context to be “administrator,” creates a context called “administrator” on the internal flash memory, and then adds two contexts from an FTP server:


ciscoasa(config)# admin-context admin
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.1
ciscoasa(config-ctx)# config-url disk0:/admin.cfg

ciscoasa(config-ctx)# context test
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
ciscoasa(config-ctx)# member gold


ciscoasa(config-ctx)# context sample
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
ciscoasa(config-ctx)# member silver

Assign MAC Addresses to Context Interfaces Automatically

This section describes how to configure auto-generation of MAC addresses. The MAC address is used to classify packets within a context.

Before you begin

  • When you configure a nameif command for the interface in a context, the new MAC address is generated immediately. If you enable this feature after you configure context interfaces, then MAC addresses are generated for all interfaces immediately after you enable it. If you disable this feature, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

  • In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context.

Procedure


Automatically assign private MAC addresses to each context interface:

mac-address auto [prefix prefix]

Example:


ciscoasa(config)# mac-address auto prefix 19

If you do not enter a prefix, then the ASA autogenerates the prefix based on the last two bytes of the interface.

If you manually enter a prefix, then the prefix is a decimal value between 0 and 65535. This prefix is converted to a four-digit hexadecimal number, and used as part of the MAC address.


Change Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.

Procedure


Step 1

Change to a context:

changeto context name

The prompt changes to ciscoasa/name#

Step 2

Change to the system execution space:

changeto system

The prompt changes to ciscoasa#


Manage Security Contexts

This section describes how to manage security contexts.

Remove a Security Context

You cannot remove the current admin context, unless you remove all contexts using the clear context command.


Note


If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.


Before you begin

Perform this procedure in the system execution space.

Procedure


Step 1

Remove a single context:

no context name

All context commands are also removed. The context configuration file is not removed from the config URL location.

Step 2

Remove all contexts (including the admin context):

clear context

The context configuration files are not removed from the config URL locations.


Change the Admin Context

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.

Before you begin

  • You can set any context to be the admin context, as long as the configuration file is stored in the internal flash memory.

  • Perform this procedure in the system execution space.

Procedure


Set the admin context:

admin-context context_name

Example:


ciscoasa(config)# admin-context administrator

Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.

A few system configuration commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.


Change the Security Context URL

This section describes how to change the context URL.

Before you begin

  • You cannot change the security context URL without reloading the configuration from the new URL. The ASA merges the new configuration with the current running configuration.

  • Reentering the same URL also merges the saved configuration with the running configuration.

  • A merge adds any new commands from the new configuration to the running configuration.

    • If the configurations are the same, no changes occur.

    • If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used.

  • If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

  • Perform this procedure in the system execution space.

Procedure


Step 1

(Optional, if you do not want to perform a merge) Change to the context and clear configuration:

changeto context name

clear configure all

Example:


ciscoasa(config)# changeto context ctx1
ciscoasa/ctx1(config)# clear configure all

If you want to perform a merge, skip to Step 2.

Step 2

Change to the system execution space:

changeto system

Example:


ciscoasa/ctx1(config)# changeto system
ciscoasa(config)#

Step 3

Enter the context configuration mode for the context you want to change.

context name

Example:


ciscoasa(config)# context ctx1

Step 4

Enter the new URL. The system immediately loads the context so that it is running.

config-url new_url

Example:


ciscoasa(config)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/ctx1.cfg


Reload a Security Context

You can reload the context in two ways:

  • Clear the running configuration and then import the startup configuration.

    This action clears most attributes associated with the context, such as connections and NAT tables.

  • Remove the context from the system configuration.

    This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces.

Reload by Clearing the Configuration

Procedure

Step 1

Change to the context that you want to reload:

changeto context name

Example:

ciscoasa(config)# changeto context ctx1
ciscoasa/ctx1(comfig)#

Step 2

Clear the running configuration:

clear configure all

This command clears all connections.

Step 3

Reload the configuration:

copy startup-config running-config

Example:

ciscoasa/ctx1(config)# copy startup-config running-config

The ASA copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.


Monitoring Security Contexts

This section describes how to view and monitor context information.

View Context Information

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL.

Procedure


Show all contexts:

show context [name | detailcount]

If you want to show information for a particular context, specify the name.

The detail option shows additional information. See the following sample outputs below for more information.

The count option shows the total number of contexts.


Example

The following is sample output from the show context command. The following sample output shows three contexts:


ciscoasa# show context

Context Name      Interfaces                    URL
*admin            GigabitEthernet0/1.100        disk0:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200        disk0:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300        disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

The following table shows each field description.

Table 2. show context Fields

Field

Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command:


ciscoasa# show context detail

Context "admin", has been created, but initial ACL rules not complete
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
     GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0,
     GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
     GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
     GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

See the command reference for more information about the detail output.

The following is sample output from the show context count command:


ciscoasa# show context count
Total active contexts: 2

View Resource Allocation

From the system execution space, you can view the allocation for each resource across all classes and class members.

Procedure


Show the resource allocation:

show resource allocation [detail]

This command shows the resource allocation, but does not show the actual resources being used. See View Resource Usage for more information about actual resource usage.

The detail argument shows additional information. See the following sample outputs for more information.


Example

The following sample output shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:


ciscoasa# show resource allocation
Resource                    Total       % of Avail
 Conns [rate]               35000           N/A
 Inspects [rate]            35000           N/A
 Syslogs [rate]             10500           N/A
 Conns                     305000           30.50%
 Hosts                      78842           N/A
 SSH                           35           35.00%
 Routes                      5000           N/A
 Telnet                        35           35.00%
 Xlates                     91749           N/A
 AnyConnect                  1000           10%
 AnyConnectBurst              200           2%
 Other VPN Sessions            20           2.66%
 Other VPN Burst               20           2.66%
 All                    unlimited

The following table shows each field description.

Table 3. show resource allocation Fields

Field

Description

Resource

The name of the resource that you can limit.

Total

The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the ASA converts the percentage to an absolute number for this display.

% of Avail

The percentage of the total system resources that is allocated across all contexts, if the resource has a hard system limit. If a resource does not have a system limit, this column shows N/A.

The following is sample output from the show resource allocation detail command:


ciscoasa# show resource allocation detail
Resource Origin:
    A    Value was derived from the resource 'all'
    C    Value set in the definition of this class
    D    Value set in default class
Resource         Class          Mmbrs  Origin      Limit      Total    Total %
Conns [rate]     default          all      CA  unlimited
                 gold               1       C      34000      34000     N/A
                 silver             1      CA      17000      17000     N/A
                 bronze             0      CA       8500
                 All Contexts:      3                         51000     N/A

Inspects [rate]  default          all      CA  unlimited
                 gold               1      DA  unlimited
                 silver             1      CA      10000      10000     N/A
                 bronze             0      CA       5000
                 All Contexts:      3                         10000     N/A

Syslogs [rate]   default          all      CA  unlimited
                 gold               1       C       6000       6000     N/A
                 silver             1      CA       3000       3000     N/A
                 bronze             0      CA       1500
                 All Contexts:      3                          9000     N/A

Conns            default          all      CA  unlimited
                 gold               1       C     200000     200000     20.00%
                 silver             1      CA     100000     100000     10.00%
                 bronze             0      CA      50000
                 All Contexts:      3                        300000     30.00%

Hosts            default          all      CA  unlimited
                 gold               1      DA  unlimited
                 silver             1      CA      26214      26214      N/A
                 bronze             0      CA      13107
                 All Contexts:      3                         26214      N/A

SSH              default          all       C          5
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5
                 All Contexts:      3                            20     20.00%

Telnet           default          all       C          5
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5
                 All Contexts:      3                            20     20.00%

Routes           default          all       C  unlimited                 N/A
                 gold               1       D  unlimited          5      N/A
                 silver             1      CA         10         10      N/A
                 bronze             0      CA          5                 N/A
                 All Contexts:      3                            20      N/A

Xlates           default          all      CA  unlimited
                 gold               1      DA  unlimited
                 silver             1      CA      23040      23040     N/A
                 bronze             0      CA      11520
                 All Contexts:      3                         23040     N/A

mac-addresses    default          all       C      65535
                 gold               1       D      65535      65535    100.00%
                 silver             1      CA       6553       6553      9.99%
                 bronze             0      CA       3276
                 All Contexts:      3                        137623    209.99%

The following table shows each field description.

Table 4. show resource allocation detail Fields

Field

Description

Resource

The name of the resource that you can limit.

Class

The name of each class, including the default class.

The All contexts field shows the total values across all classes.

Mmbrs

The number of contexts assigned to each class.

Origin

The origin of the resource limit, as follows:

  • A—You set this limit with the all option, instead of as an individual resource.

  • C—This limit is derived from the member class.

  • D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be “C” instead of “D.”

The ASA can combine “A” with “C” or “D.”

Limit

The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the ASA converts the percentage to an absolute number for this display.

Total

The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.

% of Avail

The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.

View Resource Usage

From the system execution space, you can view the resource usage for each context and display the system resource usage.

Procedure


View resource usage for each context:

show resource usage [context context_name | top n | all | summary | system] [resource {resource_name | all} | detail] [counter counter_name [count_threshold]]

  • By default, all context usage is displayed; each context is listed separately.

  • Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.

  • The summary option shows all context usage combined.

  • The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits.

  • For the resource resource_name, see Configure a Class for Resource Management for available resource names. See also the show resource type command. Specify all (the default) for all types.

  • The detail option shows the resource usage of all resources, including those you cannot manage. For example, you can view the number of TCP intercepts.

  • The counter counter_name is one of the following keywords:

    • current—Shows the active concurrent instances or the current rate of the resource.

    • denied—Shows the number of instances that were denied because they exceeded the resource limit shown in the Limit column.

    • peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

    • all—(Default) Shows all statistics.

  • The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.

  • To show all resources, set the count_threshold to 0.


Examples

The following is sample output from the show resource usage context command, which shows the resource usage for the admin context:


ciscoasa# show resource usage context admin

Resource              Current         Peak      Limit    Denied  Context
Telnet                      1            1          5         0  admin
Conns                      44           55        N/A         0  admin
Hosts                      45           56        N/A         0  admin

The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for six contexts.


ciscoasa# show resource usage summary

Resource              Current         Peak      Limit     Denied Context
Syslogs [rate]           1743         2132      N/A            0 Summary
Conns                     584          763      280000(S)      0 Summary
Xlates                   8526         8966      N/A            0 Summary
Hosts                     254          254      N/A            0 Summary
Conns [rate]              270          535      N/A         1704 Summary
Inspects [rate]           270          535      N/A            0 Summary
AnyConnect                2             25      1000           0 Summary
AnyConnectBurst           0              0      200            0 Summary
Other VPN Sessions        0             10      10           740 Summary
Other VPN Burst           0             10      10           730 Summary

S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows the limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then the combined limit is 125. The system limit is only 100, so the system limit is shown.


ciscoasa# show resource usage summary

Resource              Current         Peak      Limit    Denied   Context
Telnet                      1            1        100[S]      0   Summary
SSH                         2            2        100[S]      0   Summary
Conns                      56           90        130000(S)   0   Summary
Hosts                      89          102        N/A         0   Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the resource usage for all contexts, but it shows the system limit instead of the combined context limits. The counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate how many times the resource was denied due to the system limit, if available.


ciscoasa# show resource usage system counter all 0

Resource              Current         Peak      Limit        Denied    Context
Telnet                      0            0        100             0    System
SSH                         0            0        100             0    System
ASDM                        0            0         32             0    System
Routes                      0            0        N/A             0    System
IPSec                       0            0          5             0    System
Syslogs [rate]              1           18        N/A             0    System
Conns                       0            1     280000             0    System
Xlates                      0            0        N/A             0    System
Hosts                       0            2        N/A             0    System
Conns [rate]                1            1        N/A             0    System
Inspects [rate]             0            0        N/A             0    System
AnyConnect                  2           25      10000             0    System
AnyConnectBurst             0            0        200             0    System
Other VPN Sessions          0           10        750           740    System
Other VPN Burst             0           10        750           730    System

Monitor SYN Attacks in Contexts

The ASA prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.

Procedure


Step 1

Monitor the rate of attacks for individual contexts:

show perfmon

Step 2

Monitor the amount of resources being used by TCP intercept for individual contexts:

show resource usage detail

Step 3

Monitor the resources being used by TCP intercept for the entire system:

show resource usage summary detail


Examples

The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin.


ciscoasa/admin# show perfmon

Context:admin
PERFMON STATS:   Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
WebSns Req           0/s          0/s
TCP Fixup            0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept    322779/s      322779/s

The following is sample output from the show resource usage detail command that shows the amount of resources being used by TCP Intercept for individual contexts. (Sample text in bold shows the TCP intercept information.)


ciscoasa(config)# show resource usage detail
Resource              Current         Peak      Limit        Denied Context
memory                 843732       847288  unlimited             0 admin
chunk:channels             14           15  unlimited             0 admin
chunk:fixup                15           15  unlimited             0 admin
chunk:hole                  1            1  unlimited             0 admin
chunk:ip-users             10           10  unlimited             0 admin
chunk:list-elem            21           21  unlimited             0 admin
chunk:list-hdr              3            4  unlimited             0 admin
chunk:route                 2            2  unlimited             0 admin
chunk:static                1            1  unlimited             0 admin
tcp-intercepts         328787       803610  unlimited             0 admin
np-statics                  3            3  unlimited             0 admin
statics                     1            1  unlimited             0 admin
ace-rules                   1            1  unlimited             0 admin
console-access-rul          2            2  unlimited             0 admin
fixup-rules                14           15  unlimited             0 admin
memory                 959872       960000  unlimited             0 c1
chunk:channels             15           16  unlimited             0 c1
chunk:dbgtrace              1            1  unlimited             0 c1
chunk:fixup                15           15  unlimited             0 c1
chunk:global                1            1  unlimited             0 c1
chunk:hole                  2            2  unlimited             0 c1
chunk:ip-users             10           10  unlimited             0 c1
chunk:udp-ctrl-blk          1            1  unlimited             0 c1
chunk:list-elem            24           24  unlimited             0 c1
chunk:list-hdr              5            6  unlimited             0 c1
chunk:nat                   1            1  unlimited             0 c1
chunk:route                 2            2  unlimited             0 c1
chunk:static                1            1  unlimited             0 c1
tcp-intercept-rate      16056        16254  unlimited             0 c1
globals                     1            1  unlimited             0 c1
np-statics                  3            3  unlimited             0 c1
statics                     1            1  unlimited             0 c1
nats                        1            1  unlimited             0 c1
ace-rules                   2            2  unlimited             0 c1
console-access-rul          2            2  unlimited             0 c1
fixup-rules                14           15  unlimited             0 c1
memory              232695716    232020648  unlimited             0 system
chunk:channels             17           20  unlimited             0 system
chunk:dbgtrace              3            3  unlimited             0 system
chunk:fixup                15           15  unlimited             0 system
chunk:ip-users              4            4  unlimited             0 system
chunk:list-elem          1014         1014  unlimited             0 system
chunk:list-hdr              1            1  unlimited             0 system
chunk:route                 1            1  unlimited             0 system
block:16384               510          885  unlimited             0 system
block:2048                 32           34  unlimited             0 system

The following sample output shows the resources being used by TCP intercept for the entire system. (Sample text in bold shows the TCP intercept information.)


ciscoasa(config)# show resource usage summary detail
Resource              Current         Peak      Limit        Denied Context
memory              238421312    238434336  unlimited             0 Summary
chunk:channels             46           48  unlimited             0 Summary
chunk:dbgtrace              4            4  unlimited             0 Summary
chunk:fixup                45           45  unlimited             0 Summary
chunk:global                1            1  unlimited             0 Summary
chunk:hole                  3            3  unlimited             0 Summary
chunk:ip-users             24           24  unlimited             0 Summary
chunk:udp-ctrl-blk          1            1  unlimited             0 Summary
chunk:list-elem          1059         1059  unlimited             0 Summary
chunk:list-hdr             10           11  unlimited             0 Summary
chunk:nat                   1            1  unlimited             0 Summary
chunk:route                 5            5  unlimited             0 Summary
chunk:static                2            2  unlimited             0 Summary
block:16384               510          885  unlimited             0 Summary
block:2048                 32           35  unlimited             0 Summary
tcp-intercept-rate     341306       811579  unlimited             0 Summary
globals                     1            1  unlimited             0 Summary
np-statics                  6            6  unlimited             0 Summary
statics                     2            2        N/A             0 Summary
nats                        1            1        N/A             0 Summary
ace-rules                   3            3        N/A             0 Summary
console-access-rul          4            4        N/A             0 Summary
fixup-rules                43           44        N/A             0 Summary

View Assigned MAC Addresses

You can view auto-generated MAC addresses within the system configuration or within the context.

View MAC Addresses in the System Configuration

This section describes how to view MAC addresses in the system configuration.

Before you begin

If you manually assign a MAC address to an interface, but also have auto-generation enabled, the auto-generated address continues to show in the configuration even though the manual MAC address is the one that is in use. If you later remove the manual MAC address, the auto-generated one shown will be used.

Procedure

Show the assigned MAC addresses from the system execution space:

show running-config all context [name]

The all option is required to view the assigned MAC addresses. Although the mac-address auto command is user-configurable in global configuration mode only, the command appears as a read-only entry in context configuration mode along with the assigned MAC address. Only allocated interfaces that are configured with a nameif command within the context have a MAC address assigned.


Examples

The following output from the show running-config all context admin command shows the primary and standby MAC address assigned to the Management0/0 interface:


ciscoasa# show running-config all context admin

context admin
  allocate-interface Management0/0
  mac-address auto Management0/0 a24d.0000.1440 a24d.0000.1441
  config-url disk0:/admin.cfg

The following output from the show running-config all context command shows all the MAC addresses (primary and standby) for all context interfaces. Note that because the GigabitEthernet0/0 and GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts, no MAC addresses have been generated for them.


ciscoasa# show running-config all context

admin-context admin
context admin
  allocate-interface Management0/0
  mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125b
  config-url disk0:/admin.cfg
!

context CTX1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
  mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
  mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
  mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5
  mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9
  mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cd
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
  mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
  mac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211
  mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215
  config-url disk0:/CTX1.cfg
!

context CTX2
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
  mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bb
  mac-address auto GigabitEthernet0/0.2 a2d2.0400.11be a2d2.0400.11bf
  mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c2 a2d2.0400.11c3
  mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c6 a2d2.0400.11c7
  mac-address auto GigabitEthernet0/0.5 a2d2.0400.11ca a2d2.0400.11cb
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
  mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120b
  mac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120f
  mac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213
  config-url disk0:/CTX2.cfg
!

View MAC Addresses Within a Context

This section describes how to view MAC addresses within a context.

Procedure

Show the MAC address in use by each interface within the context:

show interface | include (Interface)|(MAC)


Example

For example:


ciscoasa/context# show interface | include (Interface)|(MAC)

Interface GigabitEthernet1/1.1 "g1/1.1", is down, line protocol is down
        MAC address a201.0101.0600, MTU 1500
Interface GigabitEthernet1/1.2 "g1/1.2", is down, line protocol is down
        MAC address a201.0102.0600, MTU 1500
Interface GigabitEthernet1/1.3 "g1/1.3", is down, line protocol is down
        MAC address a201.0103.0600, MTU 1500
...

Note


The show interface command shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.


Examples for Multiple Context Mode

The following example:

  • Automatically sets the MAC addresses in contexts with a custom prefix.

  • Sets the default class limit for conns to 10 percent instead of unlimited, and sets the VPN other sessions to 10, with a burst of 5.

  • Creates a gold resource class.

  • Sets the admin context to be “administrator.”

  • Creates a context called “administrator” on the internal flash memory to be part of the default resource class.

  • Adds two contexts from an FTP server as part of the gold resource class.


ciscoasa(config)# mac-address auto prefix 19

ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 10%
ciscoasa(config-class)# limit-resource vpn other 10
ciscoasa(config-class)# limit-resource vpn burst other 5

ciscoasa(config)# class gold
ciscoasa(config-class)# limit-resource mac-addresses 10000
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 1000
ciscoasa(config-class)# limit-resource rate inspects 500
ciscoasa(config-class)# limit-resource hosts 9000
ciscoasa(config-class)# limit-resource asdm 5
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource rate syslogs 5000
ciscoasa(config-class)# limit-resource telnet 5
ciscoasa(config-class)# limit-resource xlates 36000
ciscoasa(config-class)# limit-resource routes 700
ciscoasa(config-class)# limit-resource vpn other 100
ciscoasa(config-class)# limit-resource vpn burst other 50

ciscoasa(config)# admin-context administrator
ciscoasa(config)# context administrator
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.1
ciscoasa(config-ctx)# config-url disk0:/admin.cfg

ciscoasa(config-ctx)# context test
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
ciscoasa(config-ctx)# member gold

ciscoasa(config-ctx)# context sample
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
ciscoasa(config-ctx)# member gold

History for Multiple Context Mode

Table 5. History for Multiple Context Mode

Feature Name

Platform Releases

Feature Information

Multiple security contexts

7.0(1)

Multiple context mode was introduced.

We introduced the following commands: context, mode, and class.

Automatic MAC address assignment

7.2(1)

Automatic assignment of MAC address to context interfaces was introduced.

We introduced the following command: mac-address auto.

Resource management

7.2(1)

Resource management was introduced.

We introduced the following commands: class, limit-resource, and member.

Virtual sensors for IPS

8.0(2)

The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode ASA to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor.

We introduced the following command: allocate-ips.

Automatic MAC address assignment enhancements

8.0(5)/8.2(2)

The MAC address format was changed to use a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair. The MAC addresses are also now persistent across reloads. The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2.

We modified the following command: mac-address auto prefix.

Maximum contexts increased for the ASA 5550 and 5580

8.4(1)

The maximum security contexts for the ASA 5550 was increased from 50 to 100. The maximum for the ASA 5580 was increased from 50 to 250.

Automatic MAC address assignment enabled by default

8.5(1)

Automatic MAC address assignment is now enabled by default.

We modified the following command: mac-address auto.

Automatic generation of a MAC address prefix

8.6(1)

In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the interface (ASA 5500-X) or backplane (ASASM) MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.

Note

 

To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover, especially for the ASASM. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interruption. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.

We modified the following command: mac-address auto.

Automatic MAC address assignment disabled by default on all models except for the ASASM

9.0(1)

Automatic MAC address assignment is now disabled by default except for the ASASM.

We modified the following command: mac-address auto.

Dynamic routing in Security Contexts

9.0(1)

EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.

New resource type for routing table entries

9.0(1)

A new resource type, routes, was created to set the maximum number of routing table entries in each context.

We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Site-to-Site VPN in multiple context mode

9.0(1)

Site-to-site VPN tunnels are now supported in multiple context mode.

New resource type for site-to-site VPN tunnels

9.0(1)

New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.

We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

New resource type for IKEv1 SA negotiations

9.1(2)

New resource type, ikev1 in-negotiation, was created to set the maximum percentage of IKEv1 SA negotiations in each context to prevent overwhelming the CPU and crypto engines. Under certain conditions (large certificates, CRL checking), you might want to restrict this resource.

We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Support for Remote Access VPN in multiple context mode

9.5(2)

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)

  • Centralized AnyConnect Client image configuration

  • AnyConnect Client image upgrade

  • Context Resource Management for AnyConnect Client connections

Note

 

The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

Pre-fill/Username-from-cert feature for multiple context mode

9.6(2)

AnyConnect Client SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

Flash Virtualization for Remote Access VPN

9.6(2)

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:

  • Private storage—Store files associated only with that user and specific to the content that you want for that user.

  • Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We introduced the following commands: limit-resource storage, storage-url

AnyConnect Clientprofiles supported in multi-context devices

9.6(2)

AnyConnect Client profiles are supported in multi-context devices. To add a new profile using ASDM, you must have the AnyConnect Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect Client connections in multiple context mode

9.6(2)

Stateful failover is now supported for AnyConnect Client connections in multiple context mode.

We did not modify any commands.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

9.6(2)

You can now configure DAP per context in multiple context mode.

We did not modify any commands.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

9.6(2)

You can now configure CoA per context in multiple context mode.

We did not modify any commands.

Remote Access VPN localization is supported in multiple context mode

9.6(2)

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

We did not modify any commands.

Remote Access VPN for IKEv2 is supported in multiple context mode

9.9(2)

You can configure Remote Access VPN in multiple context mode for IKEv2.

Configurable limitation of admin sessions

9.12(1)

You can configure the maximum number of aggregate, per user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at 5 sessions. The quota management-session command is also no longer accepted in the system configuration, and is instead available in the context configuration. The maximum aggregate sessions is now 15; if you configured 0 (unlimited) or 16+, then when you upgrade, the value is changed to 15.

New/Modified commands: quota management-session , show quota management-session

HTTPS resource management

9.12(1)

You can now set the maximum number of non-ASDM HTTPS sessions in a resource class. By default, the limit is set to 6 per context, the maximum. You can use up to 100 HTTPS sesssions across all contexts.

New/Modified commands: limit-resource http

No ASDM support.

Firepower 1140 maximum contexts increased from 5 to 10

9.16(1)

The Firepower 1140 now supports up to 10 contexts.