Re: Adding Zones inside Security Context

From: Casim <casim1980_at_gmail.com>
Date: Wed, 17 Jun 2009 12:41:02 +0300

For clarification, the ASA can be configured in two modes: single and multiple.

*Single:* Single is the same as PIX with additional ASA capabilities and
functionalities.

*Multiple:* Multiple again can be configured as Active/Standby or
Active/Active.

Mr. Ashwin, first of all I need some clarification on your question.

Is the requirement to configure two contexts for two different customers?
Then it must be configured in multiple context mode, and you need to
decide on Active/Standby or Active/Active.

A single Cisco ASA appliance can be partitioned into multiple virtual
firewalls, also known as Security Contexts. Each security context acts as a
separate firewall with its own security policy, interfaces and
configuration. However, some features are not available for virtual
firewalls, such as IPSEC and SSL VPN, Dynamic Routing Protocols, Multicast
and Threat Detection.

All firewall models (except ASA 5505) support multiple security contexts. By
default, all models support 2 security contexts without a license upgrade
(except the ASA 5510 which requires the security plus license).

Each security context that you create on the appliance includes its own
configuration file (filename.cfg) stored on local flash memory. This
configuration file contains the security policy, the included interfaces and
the virtual firewall configuration of the specific security context. By
default, an admin context is always created, having a configuration file
*admin.cfg*. This is just like any other security context except that when a
user logs in to the admin context, he has full administrator access to all
other security contexts. The admin context exists by default; create as many
customer contexts as you need, depending on your license.

By entering the system or admin context you allocate resources
(interfaces or sub-interfaces) to the customer context you want to create.
Ex: C1 for Customer1 and C2 for Customer2. So the admin context is like the
administrator account on your Windows machine and the customer contexts are
user accounts. Logging into the administrator account you can create a user,
delete a user, modify a user; you can do anything.

Please correct me if I am wrong.

HTH

Casim
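As an added illustration (not taken from any post in this thread), this is the shape of the configuration Casim describes: system space in multiple mode, the admin context, customer contexts C1 and C2 with their own .cfg files and allocated sub-interfaces, the failover groups Shahid mentions for Active/Active, and security levels used as "zones" inside one context. Context names, VLANs, addresses and the WWW access-list are constructed assumptions; the failover LAN/state link and the second unit are omitted.

```cisco
! --- System execution space (hypothetical example built from this thread) ---
mode multiple
! Sub-interfaces are created here, then handed to the contexts below
interface GigabitEthernet0/1.101
 vlan 101
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.102
 vlan 102
interface GigabitEthernet0/1.202
 vlan 202
!
! Active/Active: each context joins one failover group; group 1 is active on
! the primary unit and group 2 on the secondary, so both units pass traffic
failover group 1
 primary
failover group 2
 secondary
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
!
context C1
 description Customer1
 allocate-interface GigabitEthernet0/1.101 c1-outside
 allocate-interface GigabitEthernet0/1.201 c1-inside
 config-url disk0:/C1.cfg
 join-failover-group 1
!
context C2
 description Customer2
 allocate-interface GigabitEthernet0/1.102 c2-outside
 allocate-interface GigabitEthernet0/1.202 c2-inside
 config-url disk0:/C2.cfg
 join-failover-group 2
!
! --- Inside context C1 (after "changeto context C1"): zones = security levels ---
interface c1-outside
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface c1-inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! Customer1's own access-list; it exists only inside this context's C1.cfg
access-list WWW extended permit tcp any host 10.1.1.10 eq www
access-group WWW in interface outside
```

Each context's policy lives in its own config-url file, which is why Nasim's point holds: access-lists are written per context and play no part in creating or deleting the contexts themselves.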

On Wed, Jun 17, 2009 at 11:29 AM, Shahid Ansari <shahid1357_at_gmail.com> wrote:

> Two Security Contexts for Customers on one firewall means TWO virtual
> firewalls on one physical box.
> So every customer context has its own configuration, interfaces, security
> policies (ACLs), etc.
> This means every customer context acts as a virtual firewall with its own
> configuration that contains almost all the options that are available in a
> standalone firewall.
> In Active/Active Failover, both units can pass network traffic, which works
> only in multiple context mode, for load balancing.
> On Firewall 1 - CustA(Active), CustB(Stand) ---- Firewall 2 -
> CustA(Stand), CustB(Active)
> Please correct me if I am missing something.
>
> Thanks
> Shahid Ansari
>
>
>
> On Wed, Jun 17, 2009 at 10:33 AM, Muhammad Nasim
> <muhammad.nasim_at_gmail.com> wrote:
>
> > Also you can have different zones (Security levels in Cisco ASA language)
> > INSIDE EACH SECURITY CONTEXT as well
> >
> > 2009/6/17 Muhammad Nasim <muhammad.nasim_at_gmail.com>
> >
> > > Also you can have different zones (Security levels in Cisco ASA
> > > language) as well
> > >
> > >
> > >
> > > 2009/6/17 Muhammad Nasim <muhammad.nasim_at_gmail.com>
> > >
> > >> Access-lists have nothing to do with Security Context creation and
> > >> deletion.
> > >>
> > >> You can have two security contexts in both firewalls for Active-Active
> > >> fine,
> > >>
> > >> And inside one security context you can have access-lists (or
> > >> security policies)
> > >>
> > >> HTH
> > >>
> > >>
> > >> 2009/6/17 Ashwin Iyer <ash.iyer_at_gmail.com>
> > >>
> > >>> Hi Experts,
> > >>> I have a question regarding configuring a Cisco ASA firewall. Customer
> > >>> has a PIX firewall and now he is moving to Cisco ASA 5520 with AIP
> > >>> SSM-20. Now inside the PIX you have many zones or segments created. I
> > >>> won't call them zones, but traffic classifications, like *www, XTR*,
> > >>> all different access-lists. Now customer wants multiple contexts
> > >>> between the two ASAs. As I understand, by default you can *have two
> > >>> cust and one admin context.*
> > >>> So is it as simple as adding *all the different access-lists into ASA
> > >>> on both the ASAs* and doing active-active configs?
> > >>> Kindly help me out here.
> > >>>
> > >>> cheers
> > >>> Ashwin
> > >>>
> > >>>
> > >>> Blogs and organic groups at http://www.ccie.net
> > >>>
> > >>> _______________________________________________________________________
> > >>> Subscription information may be found at:
> > >>> http://www.groupstudy.com/list/CCIELab.html
> > >> --
> > >> Muhammad Nasim
> > >> Network Engineer
> > >> Saudi Arabia
Received on Wed Jun 17 2009 - 12:41:02 ART