Cisco ASA Firewall Virtualization

Cisco ASA firewall virtualization divides one physical ASA into multiple virtual standalone firewalls. Each virtual firewall acts and behaves as an independent firewall with its own configuration, interfaces, security policies, routing table and so on. A virtual ASA is also known as a "security context". Cisco ASA firewall virtualization is one of the most widely used ways of providing firewall services to several separate networks from a single device.

e.g. Two virtual firewalls (security contexts), Apple and Orange, are created on one physical firewall.


This page gives an overview of security contexts and covers the following topics:

  1. Scenarios in which security contexts are useful in a network deployment.
  2. Single mode vs. multiple mode.
  3. Types of security context in multiple mode.
  4. How packets are forwarded to a security context.
  5. Configuring security contexts on an ASA firewall.
  6. Troubleshooting security contexts.

Scenarios in which security contexts are useful in a network deployment

You might want to use multiple security contexts in the following situations:

  • You are a service provider and want to offer firewall services to your customers. Deploying a separate physical firewall for each customer is expensive, so instead you create one security context per customer. This is a cost-effective, space-saving solution that keeps each customer's traffic separate and secure and also simplifies configuration.
  • You want to keep multiple departments separate from each other. In a large enterprise, for example, you can isolate the HR network completely from the technical network, and so improve security, by giving each department its own security context on a single firewall.
  • Your organisation has taken over a smaller entity whose address space overlaps with your own, and you want to provide firewall services without renumbering either network. Because each context has its own routing table, the overlapping subnets can coexist on the same ASA.
  • You have any network that would otherwise require more than one ASA.

Single Mode vs. Multiple Mode

Single mode is the default on a Cisco ASA firewall. To create security contexts, you must first enable multiple-context mode globally. Changing the ASA from single mode to multiple mode has both benefits and limitations, and some features are not available in multiple mode, so check the release notes for your ASA version before converting.

You can check the current mode with the following command:

ciscoasa# show mode
Security context mode: single

To change from single mode to multiple mode:

ciscoasa# config t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

Once you enter mode multiple, the ASA asks for confirmation and then reboots. During the conversion the running configuration is split in two: the system-level settings become the new startup configuration (the system execution space), and everything else becomes the configuration of the automatically created admin context, stored on flash as admin.cfg. The previous single-mode running configuration is kept on flash as old_running.cfg so you can revert if needed. Schedule the change in a maintenance window, because the firewall forwards no traffic while it reboots.
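As an added example that is not part of the original page, the following CLI session carries the procedure through from the reboot to two working contexts named Apple and Orange, as in the figure near the top of the page. It goes beyond the mode change itself to show why the mode exists: each context gets its own interfaces, its own configuration file on flash and its own routing table, so both customers can use the same inside subnet. The interface names (GigabitEthernet0/0 to 0/3, Management0/0), the file names on disk0: and all IP addresses are assumptions chosen for this example; substitute those of the real device.

```cisco
! Added example, not from the original page. Assumed: the ASA has rebooted
! after "mode multiple"; interface names, file paths and addresses are
! example values only.

ciscoasa# show mode
Security context mode: multiple

! --- System execution space: defines contexts, owns the physical interfaces ---
ciscoasa# configure terminal

! In multiple mode the physical interfaces are enabled here, not in a context.
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

! The admin context is privileged: a user logged into it can "changeto" any
! other context and the system space. Give it only the management interface
! and restrict who may log in there. The conversion may have allocated the
! old single-mode interfaces to admin; if "show context" lists them there,
! remove each with "no allocate-interface" before handing it to a customer,
! because a shared interface is visible to both contexts.
ciscoasa(config)# admin-context admin
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Management0/0
ciscoasa(config-ctx)# config-url disk0:/admin.cfg
ciscoasa(config-ctx)# exit

! Customer context "Apple": two dedicated interfaces and its own config file.
! Interfaces not allocated here do not exist from Apple's point of view, and
! dedicated (unshared) interfaces let the ASA classify incoming packets by
! interface alone.
ciscoasa(config)# context Apple
ciscoasa(config-ctx)# description Customer Apple
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/0
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1
ciscoasa(config-ctx)# config-url disk0:/apple.cfg
ciscoasa(config-ctx)# exit

! Customer context "Orange": different interfaces, separate file.
ciscoasa(config)# context Orange
ciscoasa(config-ctx)# description Customer Orange
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/2
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/3
ciscoasa(config-ctx)# config-url disk0:/orange.cfg
ciscoasa(config-ctx)# exit
ciscoasa(config)# end

! --- Inside each context: an ordinary ASA configuration ---
! Both customers use 10.0.0.0/24 inside. Each context has its own routing
! table, so the overlap is harmless here; in single mode it would not be.
ciscoasa# changeto context Apple
ciscoasa/Apple# configure terminal
ciscoasa/Apple(config)# interface GigabitEthernet0/0
ciscoasa/Apple(config-if)# nameif outside
ciscoasa/Apple(config-if)# security-level 0
ciscoasa/Apple(config-if)# ip address 198.51.100.10 255.255.255.0
ciscoasa/Apple(config-if)# exit
ciscoasa/Apple(config)# interface GigabitEthernet0/1
ciscoasa/Apple(config-if)# nameif inside
ciscoasa/Apple(config-if)# security-level 100
ciscoasa/Apple(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa/Apple(config-if)# exit
ciscoasa/Apple(config)# route outside 0.0.0.0 0.0.0.0 198.51.100.1
ciscoasa/Apple(config)# end
ciscoasa/Apple# write memory

ciscoasa/Apple# changeto context Orange
ciscoasa/Orange# configure terminal
ciscoasa/Orange(config)# interface GigabitEthernet0/2
ciscoasa/Orange(config-if)# nameif outside
ciscoasa/Orange(config-if)# security-level 0
ciscoasa/Orange(config-if)# ip address 203.0.113.10 255.255.255.0
ciscoasa/Orange(config-if)# exit
ciscoasa/Orange(config)# interface GigabitEthernet0/3
ciscoasa/Orange(config-if)# nameif inside
ciscoasa/Orange(config-if)# security-level 100
ciscoasa/Orange(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa/Orange(config-if)# exit
ciscoasa/Orange(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1
ciscoasa/Orange(config)# end
ciscoasa/Orange# write memory

! --- Back in the system space: verify and save the context definitions ---
ciscoasa/Orange# changeto system
ciscoasa# show context
ciscoasa# write memory
```

Note that write memory inside a context saves only that context's file (apple.cfg or orange.cfg), while write memory in the system space saves the context definitions themselves; forgetting either one leaves the box half-configured after the next reboot. Treat the admin context as the management plane: anyone who can log into it can change to Apple or Orange and read or alter their policies, so it should never be reachable from a customer-facing interface.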
