A single Cisco ASA or a cluster of two ASAs can be partitioned into multiple virtual firewalls known as security contexts. Each context is an independent firewall with its own security policy, interfaces, and administrators, so the contexts behave much like multiple standalone ASA devices. In combination with failover groups you can run an ASA cluster in active/active state and utilize both devices. Don't forget that when a failover happens, both failover groups need to run on a single device: keep enough resources free on both devices and do not oversubscribe too much.
Check which features are supported in context mode, because there are limitations. In version 8, dynamic routing protocols, VPN, Threat Detection and Quality of Service are unsupported. Version 9 brings some changes: dynamic routing protocols (but not RIP or OSPFv3) and site-to-site IPsec VPNs are now supported.
Here is a configuration example of how to set up a Cisco ASA 5580 with 10 Gigabit Ethernet interfaces.
Enabling the context mode
mode multiple noconfirm
Physical interface configuration
interface GigabitEthernet4/2
 description Failover
 no shutdown
exit
interface GigabitEthernet4/3
 description Stateful
 no shutdown
exit
interface TenGigabitEthernet5/0
 description TeTrunk-1st
 no shutdown
exit
interface TenGigabitEthernet5/1
 description TeTrunk-2nd
 no shutdown
exit
Redundant interface configuration
interface Redundant 1
 description Redundant-Trunk
 member-interface TenGigabitEthernet5/0
 member-interface TenGigabitEthernet5/1
exit
interface Redundant 1.800
 vlan 800
 description Link-Outside1
exit
interface Redundant 1.801
 vlan 801
 description Link-Outside2
exit
interface Redundant 1.100
 vlan 100
 description Link-Inside1
exit
interface Redundant 1.101
 vlan 101
 description Link-Inside2
exit
interface Redundant 1.500
 vlan 500
 description Link-Management
exit
Now configure the ASA failover settings. As you can see in the failover group configuration, group 1 prefers the primary device and group 2 the secondary device for the active/active set-up; when the virtual security contexts are created later, they are joined to these two different failover groups.
failover group 1
 primary
 polltime interface 1 holdtime 5
exit
failover group 2
 secondary
 polltime interface 1 holdtime 5
exit
failover
failover lan unit primary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2
failover link stateful GigabitEthernet4/3
failover interface ip stateful 169.254.1.1 255.255.255.0 standby 169.254.1.2
failover polltime unit 2 holdtime 6
failover polltime interface 1 holdtime 5
failover timeout 0:00:00
failover active
Failover configuration on the secondary device
interface GigabitEthernet4/2
 description Failover
 no shutdown
exit
failover lan unit secondary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2
failover
copy running-config startup-config
Now set up the virtual contexts and allocate the interfaces configured before.
admin-context admin-asa-01
context admin-asa-01
 allocate-interface Redundant1.500 Link-Management
 config-url disk0:/admin-asa-01.conf
 join-failover-group 1
exit
context virtual-asa-02
 allocate-interface Redundant1.800 Link-Outside1
 allocate-interface Redundant1.100 Link-Inside1
 config-url disk0:/virtual-asa-02.conf
 join-failover-group 1
exit
context virtual-asa-03
 allocate-interface Redundant1.801 Link-Outside2
 allocate-interface Redundant1.101 Link-Inside2
 config-url disk0:/virtual-asa-03.conf
 join-failover-group 2
exit
In the end save the configuration
write memory all
Afterwards you can change to the configured contexts with the command
changeto context virtual-asa-02
and start configuring your virtual firewalls.
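The context allocation step is where a slip silently weakens the design: an interface allocated to two contexts is visible to both, and a context without join-failover-group falls into group 1 and no longer follows the active/active split. The following Python check is an added example, not code from the post or a Cisco tool; it parses a copy of the system-context configuration and uses a constructed sample that reproduces the contexts above with two such faults injected:

```python
from collections import defaultdict
# Constructed sample (not from a live device): the post's context section, with
# Redundant1.100 allocated twice and one context lacking a failover group.
SAMPLE_CONFIG = """
admin-context admin-asa-01
context admin-asa-01
 allocate-interface Redundant1.500 Link-Management
 config-url disk0:/admin-asa-01.conf
 join-failover-group 1
context virtual-asa-02
 allocate-interface Redundant1.800 Link-Outside1
 allocate-interface Redundant1.100 Link-Inside1
 config-url disk0:/virtual-asa-02.conf
 join-failover-group 1
context virtual-asa-03
 allocate-interface Redundant1.801 Link-Outside2
 allocate-interface Redundant1.100 Link-Inside2
 config-url disk0:/virtual-asa-03.conf
"""

def parse_contexts(text):
    """Return (admin context name, {context: {ifaces, url, group}})."""
    admin, contexts, cur = None, {}, None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "admin-context":
            admin = words[1]
        elif words[0] == "context":  # opens a new context block
            cur = contexts.setdefault(words[1], {"ifaces": [], "url": None, "group": None})
        elif cur is not None and words[0] == "allocate-interface":
            cur["ifaces"].append(words[1])
        elif cur is not None and words[0] == "config-url":
            cur["url"] = words[1]
        elif cur is not None and words[0] == "join-failover-group":
            cur["group"] = int(words[1])
    return admin, contexts

def audit(text):
    """Findings: undefined admin context, missing config-url, no explicit failover
    group (the context then sits in group 1), and an interface shared by contexts."""
    admin, contexts = parse_contexts(text)
    findings = [] if admin in contexts else [f"admin-context {admin} is not defined"]
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        for iface in ctx["ifaces"]:
            owners[iface].append(name)
        if ctx["url"] is None:
            findings.append(f"{name}: missing config-url")
        if ctx["group"] is None:
            findings.append(f"{name}: no join-failover-group, defaults to group 1")
    findings += [f"{i} shared by {' and '.join(n)}" for i, n in owners.items() if len(n) > 1]
    return findings
```

Run audit() over the output of `show running-config context` from the system execution space; an empty list means every context has a unique interface set, a config-url, and an explicit failover group.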