Cisco Security Appliance Command Line Configuration Guide, Version 7.0

Adding and Managing Security Contexts

Table Of Contents

Adding and Managing Security Contexts

Configuring a Security Context

Removing a Security Context

Changing the Admin Context

Changing Between Contexts and the System Execution Space

Changing the Security Context URL

Reloading a Security Context

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Monitoring Security Contexts

Viewing Context Information

Viewing Resource Usage


Adding and Managing Security Contexts


This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections:

Configuring a Security Context

Removing a Security Context

Changing the Admin Context

Changing Between Contexts and the System Execution Space

Changing the Security Context URL

Reloading a Security Context

Monitoring Security Contexts

For information about how contexts work and how to enable multiple context mode, see Chapter 3, "Enabling Multiple Context Mode."

Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.


Note If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:

hostname(config)# admin-context name

Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.


To add or change a context in the system configuration, perform the following steps:


Step 1 To add or modify a context, enter the following command in the system execution space:

hostname(config)# context name

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

"System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.

Step 2 (Optional) To add a description for this context, enter the following command:

hostname(config-ctx)# description text

Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces.

To allocate a physical interface, enter the following command:

hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible]

To allocate one or more subinterfaces, enter the following command:

hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]

You can enter these commands multiple times to specify different ranges.

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.


Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.


You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. Mapped names also serve a security purpose: a context administrator who sees only mapped names cannot tell which physical interfaces and subinterfaces the context is using.

A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:

int0

inta

int_0

For subinterfaces, you can specify a range of mapped names.

If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:

The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:

int0-int10

If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.

The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:

gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100

If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.

Specify visible to see physical interface properties in the show interface command even if you set a mapped name. The default invisible keyword specifies to only show the mapped name.

The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8.

hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
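The naming and range rules above (context names in Step 1, mapped names and subinterface ranges in Step 3) are easy to get wrong when system configurations for many contexts are generated from a template. The following validator is an added example and is not part of the Cisco guide or of the security appliance software; the function names validate_context_name and validate_allocation are hypothetical, and it assumes that both ends of a subinterface range name the same physical interface, which the guide's examples show but do not state.

```python
import re

RESERVED_CONTEXT_NAMES = {"system", "null"}

# Context name: 1 to 32 letters, digits or hyphens; no leading or trailing hyphen.
CONTEXT_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,30}[A-Za-z0-9])?$")
# Mapped name: starts with a letter, ends with a letter or digit,
# interior characters only letters, digits or underscore.
MAPPED_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# Mapped name usable as a range end: alphabetic portion followed by numeric portion.
RANGE_NAME_RE = re.compile(r"^([A-Za-z]+)(\d+)$")
# Subinterface ID such as gigabitethernet0/1.100: physical part, dot, subinterface number.
SUBIF_RE = re.compile(r"^([A-Za-z]+\d+/\d+)\.(\d+)$")


def validate_context_name(name):
    """Return (ok, reason) for the argument of the `context name` command."""
    if not CONTEXT_NAME_RE.match(name):
        return False, "1-32 letters, digits or hyphens; must not start or end with a hyphen"
    if name.lower() in RESERVED_CONTEXT_NAMES:
        return False, f"{name!r} is reserved (System/Null in any case)"
    return True, "ok"


def _parse_subif_range(spec):
    """Turn 'a.b' or 'a.b-a.c' into (physical, first, last), or None if malformed."""
    parts = spec.split("-")
    if len(parts) > 2:
        return None
    ends = [SUBIF_RE.match(p) for p in parts]
    if not all(ends):
        return None
    physical = ends[0].group(1)
    # Assumption (not stated in the guide): both ends share the physical interface.
    if any(m.group(1).lower() != physical.lower() for m in ends):
        return None
    first, last = int(ends[0].group(2)), int(ends[-1].group(2))
    if last < first:
        return None
    return physical, first, last


def validate_allocation(interface_spec, map_spec=None):
    """Return (ok, reason) for the arguments of one allocate-interface command."""
    if "." in interface_spec:
        parsed = _parse_subif_range(interface_spec)
        if parsed is None:
            return False, f"bad subinterface specification {interface_spec!r}"
        _, first, last = parsed
        count = last - first + 1
    else:
        if "-" in interface_spec:
            return False, "ranges are only allowed for subinterfaces"
        count = 1

    if map_spec is None:
        return True, "ok (interface ID is used inside the context)"

    names = map_spec.split("-")
    if len(names) == 1:
        if count != 1:
            return False, "a subinterface range needs a matching range of mapped names"
        if not MAPPED_NAME_RE.match(map_spec):
            return False, f"bad mapped name {map_spec!r}"
        return True, "ok"

    if len(names) != 2:
        return False, f"bad mapped-name range {map_spec!r}"
    first_name, last_name = [RANGE_NAME_RE.match(n) for n in names]
    if not first_name or not last_name:
        return False, "range names need an alphabetic portion followed by a numeric portion"
    if first_name.group(1) != last_name.group(1):
        return False, "alphabetic portion must match at both ends of the range"
    map_count = int(last_name.group(2)) - int(first_name.group(2)) + 1
    if map_count != count:
        return False, f"{count} subinterfaces but {map_count} mapped names"
    return True, "ok"
```

Both failing examples from the text (happy1-sad5, and int1-int15 against 100 subinterfaces) are rejected with the matching reason; the int3-int8 example passes.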

Step 4 To identify the URL from which the system downloads the context configuration, enter the following command:

hostname(config-ctx)# config-url url

When you add a context URL, the system immediately loads the context so that it is running.


Note Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.


See the following URL syntax:

disk0:/[path/]filename

For the ASA 5500 series adaptive security appliance, this URL indicates the internal Flash memory. You can also use flash instead of disk0; they are aliased.

disk1:/[path/]filename

For the ASA 5500 series adaptive security appliance, this URL indicates the external Flash memory card.

flash:/[path/]filename

This URL indicates the internal Flash memory.

ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

http[s]://[user[:password]@]server[:port]/[path/]filename

tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]

Specify the interface name if you want to override the route to the server address.

The filename does not require a file extension, although we recommend using ".cfg".

The admin context file must be stored on the internal Flash memory.

If you download a context configuration from an HTTP or HTTPS server, you cannot save changes back to these servers using the copy running-config startup-config command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server.

If the system cannot retrieve the context configuration file because the server is unavailable, or the file does not yet exist, the system creates a blank context that is ready for you to configure with the command-line interface.

To change the URL, reenter the config-url command with a new URL.

See the "Changing the Security Context URL" section for more information about changing the URL.

For example, enter the following command:

hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg

Note that a user name and password embedded in the URL become part of the config-url command in the system configuration, so anyone who can view the system configuration can read them.

Step 5 To view context information, see the show context command in the Cisco Security Appliance Command Reference.


The following example sets the admin context to be "administrator," creates a context called "administrator" on the internal Flash memory, and then adds two contexts from an FTP server:

hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg

hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg

hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
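The URL forms accepted by config-url (Step 4) carry several constraints that the appliance does not check for you: the admin context file must be on internal Flash, an HTTP or HTTPS source cannot be written back to, FTP accepts only the four type= keywords, and credentials placed in the URL end up in the system configuration. The following parser and audit routine is an added example, not code from the Cisco guide; the names parse_config_url and audit_config_url are hypothetical. It applies only the rules stated in this section plus the general fact that FTP, HTTP and TFTP carry data without transport encryption; a password containing "@" or "/" is not handled.

```python
import re

# Local Flash URLs: disk0:/..., disk1:/..., flash:/...  (disk0 and flash are aliases)
LOCAL_RE = re.compile(r"^(?P<scheme>disk0|disk1|flash):/(?P<path>[^;]+)$")
# Remote URLs: scheme://[user[:password]@]server[:port]/[path/]filename[;option=value]
REMOTE_RE = re.compile(
    r"^(?P<scheme>ftp|https?|tftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<server>[^:/@]+)(?::(?P<port>\d+))?"
    r"/(?P<path>[^;]+)(?:;(?P<option>[^;=]+=[^;]*))?$"
)
INTERNAL_FLASH = {"disk0", "flash"}
FTP_TYPES = {"ap", "an", "ip", "in"}          # ip (binary passive) is the default
ALLOWED_OPTIONS = {"ftp": {"type"}, "tftp": {"int"}, "http": set(), "https": set()}


def parse_config_url(url):
    """Split a config-url argument into its parts; raise ValueError if malformed."""
    m = LOCAL_RE.match(url)
    if m:
        return {"scheme": m["scheme"], "user": None, "password": None, "server": None,
                "port": None, "path": m["path"], "options": {},
                "internal_flash": m["scheme"] in INTERNAL_FLASH}
    m = REMOTE_RE.match(url)
    if not m:
        raise ValueError(f"malformed config-url: {url!r}")
    options = {}
    if m["option"]:
        key, _, value = m["option"].partition("=")
        options[key] = value
    unexpected = set(options) - ALLOWED_OPTIONS[m["scheme"]]
    if unexpected:
        raise ValueError(f"option {sorted(unexpected)} is not valid for {m['scheme']}")
    if m["scheme"] == "ftp":
        options.setdefault("type", "ip")       # default transfer mode
        if options["type"] not in FTP_TYPES:
            raise ValueError(f"bad ftp transfer type {options['type']!r}")
    return {"scheme": m["scheme"], "user": m["user"], "password": m["password"],
            "server": m["server"], "port": int(m["port"]) if m["port"] else None,
            "path": m["path"], "options": options, "internal_flash": False}


def audit_config_url(url, is_admin=False):
    """Return the findings a reviewer would raise before this URL is entered."""
    info = parse_config_url(url)
    findings = []
    if is_admin and not info["internal_flash"]:
        findings.append("admin context file must be stored on internal Flash")
    if info["password"] is not None:
        findings.append("credentials embedded in the URL are saved in the system configuration")
    if info["scheme"] in ("ftp", "http", "tftp"):
        findings.append(f"{info['scheme']} fetches the context configuration without transport encryption")
    if info["scheme"] in ("http", "https"):
        findings.append("copy running-config startup-config cannot write back to an HTTP(S) server")
    if not info["path"].endswith(".cfg"):
        findings.append("filename lacks the recommended .cfg extension")
    return findings
```

Running audit_config_url over every config-url line of a system configuration before it is pasted into the system execution space catches the admin-context placement rule, which otherwise surfaces only as a rejected admin-context command.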

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.


Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.


Use the following commands for removing contexts:

To remove a single context, enter the following command in the system execution space:

hostname(config)# no context name

All context commands are also removed.

To remove all contexts (including the admin context), enter the following command in the system execution space:

hostname(config)# clear context

Changing the Admin Context

You can set any context to be the admin context, as long as the configuration file is stored in the internal Flash memory. To set the admin context, enter the following command in the system execution space:

hostname(config)# admin-context context_name

Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.


Note A few system commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.


Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.

To change between the system execution space and a context, or between contexts, see the following commands:

To change to a context, enter the following command:

hostname# changeto context name

The prompt changes to the following:

hostname/name#

To change to the system execution space, enter the following command:

hostname/admin# changeto system

The prompt changes to the following:

hostname#

Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL.

The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

To change the URL for a context, perform the following steps:


Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by entering the following commands. If you want to perform a merge, skip to Step 2.

hostname# changeto context name
hostname/name# configure terminal
hostname/name(config)# clear configure all

Step 2 If required, change to the system execution space by entering the following command:

hostname/name(config)# changeto system

Step 3 To enter the context configuration mode for the context you want to change, enter the following command:

hostname(config)# context name

Step 4 To enter the new URL, enter the following command:

hostname(config)# config-url new_url

The system immediately loads the context so that it is running.


Reloading a Security Context

You can reload the context in two ways:

Clear the running configuration and then import the startup configuration.

This action clears most attributes associated with the context, such as connections and NAT tables.

Remove the context from the system configuration.

This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces.

This section includes the following topics:

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Reloading by Clearing the Configuration

To reload the context by clearing the context configuration, and reloading the configuration from the URL, perform the following steps:


Step 1 To change to the context that you want to reload, enter the following command:

hostname# changeto context name

Step 2 To access configuration mode, enter the following command:

hostname/name# configure terminal

Step 3 To clear the running configuration, enter the following command:

hostname/name(config)# clear configure all

This command clears all connections.

Step 4 To reload the configuration, enter the following command:

hostname/name(config)# copy startup-config running-config

The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.


Reloading by Removing and Re-adding the Context

To reload the context by removing the context and then re-adding it, perform the steps in the following sections:

1. "Removing a Security Context" section

2. "Configuring a Security Context" section

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics:

Viewing Context Information

Viewing Resource Usage

Viewing Context Information

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL.

From the system execution space, view all contexts by entering the following command:

hostname# show context [name | detail | count]

The detail option shows additional information; see the sample displays that follow.

If you want to show information for a particular context, specify the name.

The count option shows the total number of contexts.

The following is sample output from the show context command. The following sample display shows three contexts:

hostname# show context

Context Name      Interfaces                    URL
*admin            GigabitEthernet0/1.100        flash:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200        flash:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300        flash:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

Table 5-1 shows each field description.

Table 5-1 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the security appliance loads the context configuration.


The following is sample output from the show context detail command:

hostname# show context detail

Context "admin", has been created, but initial ACL rules not complete
  Config URL: flash:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
     GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0,
     GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
     GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
     GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

See the Cisco Security Appliance Command Reference for more information about the detail output.

The following is sample output from the show context count command:

hostname# show context count
Total active contexts: 2

Viewing Resource Usage

From the system execution space, you can view the resource usage for each context and display the system resource usage. Resources include concurrent connections, Telnet sessions, SSH sessions, hosts, NAT translations, and for single mode, IPSec sessions.

From the system execution space, view the resource usage for each context by entering the following command:

hostname# show resource usage [context context_name | top n | all | summary | system] [resource {resource_name | all}] [counter counter_name [count_threshold]]

By default, all context usage is displayed; each context is listed separately.

Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.

The summary option shows all context usage combined.

The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits.

The resource names include the following values. See also the show resource type command for a complete list. Specify all (the default) for all types.

conns—TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

hosts—Hosts that can connect through the security appliance.

ipsec—(Single mode only) IPSec sessions.

ssh—SSH sessions.

telnet—Telnet sessions.

xlates—NAT translations.

The counter counter_name is one of the following keywords:

current—Shows the active concurrent instances or the current rate of the resource.

peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

all—(Default) Shows all statistics.

The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.


Note To show all resources, set the count_threshold to 0.


The following is sample output from the show resource usage context command, which shows the resource usage for the admin context:

hostname# show resource usage context admin

Resource              Current         Peak      Limit    Context
Telnet                      1            1          5    admin
Conns                      44           55        N/A    admin
Hosts                      45           56        N/A    admin

The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.

hostname# show resource usage summary

Resource              Current         Peak      Limit    Context
Telnet                      3            5        30     Summary
SSH                         5            7        30     Summary
Conns                      40           55        N/A    Summary
Hosts                      44           56        N/A    Summary

The following is sample output from the show resource usage summary command, which shows the limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, the combined limit is 125. The system limit is only 100, so the system limit is shown, flagged with [S].

hostname# show resource usage summary

Resource              Current         Peak      Limit    Context
Telnet                      1            1        100[S] Summary
SSH                         2            2        100[S] Summary
Conns                      56           90        N/A    Summary
Hosts                      89          102        N/A    Summary
S = System limit: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the resource usage for all contexts, but it shows the system limit instead of the combined context limits:

hostname# show resource usage system

Resource              Current         Peak      Limit    Context
Telnet                      3            5        100    System
SSH                         5            7        100    System
Conns                      40           55        N/A    System
Hosts                      44           56        N/A    System
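Two things in these displays are worth watching automatically: the [S] marker, which means the per-context limits you configured add up to more than the system can deliver, so contexts will compete for the remaining capacity; and a peak that sits at or near a finite limit, which means a context has been refused sessions or connections. The following parser is an added example, not part of the Cisco guide; the first sample is the 25-context summary display from this section and the second is a constructed per-context display with an SSH row at its limit, both embedded as strings. The names parse_resource_usage and flag_usage are hypothetical.

```python
import re

# Constructed samples: the 25-context summary shown above, and a per-context
# display (not from the guide) in which SSH has reached its limit.
SAMPLE_SUMMARY = """\
hostname# show resource usage summary

Resource              Current         Peak      Limit    Context
Telnet                      1            1        100[S] Summary
SSH                         2            2        100[S] Summary
Conns                      56           90        N/A    Summary
Hosts                      89          102        N/A    Summary
S = System limit: Combined context limits exceed the system limit; the system limit is
shown.
"""

SAMPLE_CONTEXT = """\
hostname# show resource usage context ctx2

Resource              Current         Peak      Limit    Context
Telnet                      1            1          5    ctx2
SSH                         4            5          5    ctx2
Conns                      44           55        N/A    ctx2
"""

# One data row: resource, current, peak, limit (N/A or number, optionally
# followed by [S]), context. Header, prompt, blank and footnote lines do not match.
ROW_RE = re.compile(
    r"^(?P<resource>[A-Za-z]+)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>N/A|\d+)(?P<sys>\[S\])?\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text):
    """Return one dict per data row of `show resource usage` output.

    'limit' is None for N/A (unlimited); 'system_limit' is True when the row
    carried [S], i.e. the combined context limits exceed the system limit and
    the system limit is what the display shows.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "resource": m["resource"],
            "context": m["context"],
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            "limit": None if m["limit"] == "N/A" else int(m["limit"]),
            "system_limit": m["sys"] is not None,
        })
    return rows


def flag_usage(rows, near_limit_pct=80):
    """Flag rows capped by the system limit and rows whose peak reached
    near_limit_pct percent of a finite limit."""
    findings = []
    for r in rows:
        if r["system_limit"]:
            findings.append({"resource": r["resource"], "context": r["context"], "kind": "system_limit"})
        if r["limit"] and r["peak"] * 100 >= r["limit"] * near_limit_pct:
            findings.append({"resource": r["resource"], "context": r["context"], "kind": "near_limit"})
    return findings
```

Because peak counters persist until clear resource usage is entered or the device reboots, a near_limit finding reports that the ceiling was reached at some point since then, not that it is being hit now; compare with the current column before acting.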