Cisco ASA Multiple Context mode considerations
The Cisco ASA supports firewall Multiple Contexts, also called Firewall Multimode, but there are pros and cons to be considered before implementing this configuration.
Multiple Context Mode can be viewed as having multiple separate (virtual) firewalls on the same hardware. Each context is its own security entity with its own security policy and interfaces. While most features are supported while using Multiple Contexts, some are not.
When would you want to use multiple security contexts?
- If you want to use the active/active failover feature. Keep in mind that with active/active failover, you should not use more than half of the available bandwidth.
- If you are an ISP and need to offer a different security context for each customer.
- If you need to provide different security policies for various departments, users, or vendors and need to create a separate context for each one.
- If you’d like to reduce hardware requirements by combining the functionality of multiple firewalls into one.
When should you not use multiple security contexts?
- If you need to provide VPN services such as remote access or site-to-site VPN tunnels.
- If you need to use dynamic routing protocols. With multiple context mode, you can use only static routes.
- If you need to use QoS.
- If you need to support multicast routing.
- If you need to provide Threat Detection.
It may seem that it would be easier to manage one firewall than several firewalls. This is true once you understand that there are some major differences between single-mode and multimode firewall configurations.
In multiple security context mode, there are three types of configuration files rather than one:
- The System Configuration is the startup configuration and is similar to a standard single-mode configuration except no network interfaces are defined other than a specialized failover interface. This system configuration is where the network administrator adds and manages the security contexts.
- The Admin Context is not restricted and can be used as any other security context. When logged in as admin, all other security contexts can be seen and administered including the system configuration. The Admin context must reside on flash memory.
- The Context Configurations are created for each separate security context. These configurations contain the security policies, interface configurations, etc., specific only to that context.
Another difference is how packets are classified. With a multimode configuration, interfaces can be shared between contexts so the ASA has to determine which packets should be sent to which contexts. The ASA can classify packets based on a variety of information such as MAC address, destination address, or NAT mapping. Depending on your situation, you may need to assign a unique MAC address to shared interfaces to alleviate routing issues, which makes your firewall management a bit more complicated.
A few other things to keep in mind
When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. When going from single to multimode, the ASA converts the running configuration into two files, creating a new startup configuration (system configuration) file and an admin context file (admin.cfg). The original startup configuration is not saved, but the original running configuration is saved as old_running.cfg.
By default, all security contexts have unlimited access to the ASA resources. Depending on your particular environment, you may find that you need to configure resource management to limit some contexts that may be starving other contexts. This is done by configuring resource classes and assigning them to the contexts.
Multimode offers some distinct advantages in certain situations, but you need to carefully consider your requirements before implementing a solution. There are limitations, and while the number of devices you manage may go down, the complication of those device configurations may go way up.