A single Cisco ASA or a cluster of two ASAs can be partition into multiple virtual firewalls known as security contexts. Each context has it’s own independent firewall, with its own security policy, interfaces, and administrators. These contexts are similar to having multiple standalone ASA devices. In combination with failover groups you can run a ASA cluster in active/active state andĀ utilize both devices. Don’t forget when a failover happens that both failover groups need to run on a single device, keep enough ressources free on both devices and do not oversubscribe too much.
You have to look because there are limitation what features are supported in context mode. In version 8 is unsupport to use dynamic routing protocols, VPN, Threat Detection and Quality of Service. In version 9 are some changes and now dynamic routing protocols (not RIP or OSPFv3) and site-to-site IPsec VPNs are supported.
Here the configuration example how to set-up an Cisco ASA 5580 with 10 Gigabit Ethernet interfaces.
Enabling the context mode
mode noconfirm multiple
Physical interface configuration
interface GigabitEthernet4/2
description Failover
no shutdown
exit
interface GigabitEthernet4/3
description Stateful
no shutdown
exit
interface TenGigabitEthernet5/0
description TeTrunk-1st
no shutdown
exit
interface TenGigabitEthernet5/1
description TeTrunk-2nd
no shutdown
exit
Redundant interface configuration
interface Redundant 1
description Redundant-Trunk
member-interface TenGigabitEthernet5/0
member-interface TenGigabitEthernet5/1
exit
interface Redundant 1.800
vlan 800
description Link-Outside1
exit
interface Redundant 1.801
vlan 801
description Link-Outside2
exit
interface Redundant 1.100
vlan 100
description Link-Inside1
exit
interface Redundant 1.101
vlan 101
description Link-Inside2
exit
interface Redundant 1.500
vlan 500
description Link-Management
exit
Here you need to start configuring the ASA failover settings. Like you see in the failover group configuration that I put group 1 to the primary device and group 2 to the seconday device for active/active set-up, when I create the virtual security context I join them to the different failover groups.
failover group 1
primary
polltime interface 1 holdtime 5
exit
failover group 2
secondary
polltime interface 1 holdtime 5
exit
failover
failover lan unit primary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2
failover link stateful GigabitEthernet4/3
failover interface ip stateful 169.254.1.1 255.255.255.0 standby 169.254.1.2
failover polltime unit 2 holdtime 6
failover polltime interface 1 holdtime 5
failover timeout 0:00:00
failover active
Failover configuration on the seconday device
interface GigabitEthernet4/2
description Failover
no shutdown
exit
failover lan unit secondary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2
failover
copy running-config startup-config
Now you start to set-up the virtual contexts and add the interfaces I configured before
admin-context admin-asa-01
context admin-asa-01
allocate-interface Redundant1.500 Link-Management
config-url disk0:/admin-asa-01.conf
join-failover-group 1
exit
context virtual-asa-02
allocate-interface Redundant1.800 Link-Outside1
allocate-interface Redundant1.100 Link-Inside1
config-url disk0:/virtual-asa-02.conf
join-failover-group 1
exit
context virtual-asa-03
allocate-interface Redundant1.801 Link-Outside2
allocate-interface Redundant1.101 Link-Inside2
config-url disk0:/virtual-asa-03.conf
join-failover-group 2
exit
In the end save the configuration
write memory all
Afterwards you can change to the configured contexts with the command
changeto context virtual-asa-02
and start configuring your virtual firewalls.
