Monday, July 7, 2014

ASA Virtual Firewall (Multiple firewalls)




When we have one physical ASA and want to use it for two or more separate offices (or companies), we can use the virtual firewall feature (security contexts).
Multiple context mode doesn't support VPN or dynamic routing.

First firewall:
    - context: admin
Second firewall:
    - context: ctx-2

Allocate interfaces e0 and e5 to the admin context.
Allocate interfaces e2 and e5 to the ctx-2 context (e5 is shared by both contexts).

The ASA becomes three separate systems: the system execution space (the top of the firewall), the admin context, and the ctx-2 context. The system context has the right to manage the physical firewall: it can create more contexts (virtual firewalls), delete contexts, and allocate system resources to contexts.

An ordinary context cannot add or delete contexts; only the system context has that right.

One context (here the admin context) has to be given system rights so that it can manage the physical firewall.


1. Check which mode the ASA is in: show mode
     Change to multiple mode: mode multiple
     The pre-configured system becomes the admin context.
2. Add context ctx-2 and allocate interfaces to ctx-2.

Configure resource assignment.

The rest of the configuration is just the same as on a single-mode ASA.

Configure the IP address, nameif and security-level on the inside and outside interfaces of each context.

When you connect to 192.168.10.1, you can access the system context.
When you connect to 192.168.20.1, you can only access ctx-2.


Access to the ctx-2 context is shown below: it doesn't show the system and admin contexts.



Change the admin context name to ctx-1

1. Give admin rights to ctx-2



2. Remove the admin context


3. Create context ctx-1 and allocate interfaces


4. Assign the configuration URL


5. Give ctx-1 admin rights

admin-context ctx-1
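As an added example (not from the original post), the system-context configuration that carries out both procedures above: the initial split into admin and ctx-2, and the later rename of the admin context to ctx-1. The 192.168.10.1 and 192.168.20.1 addresses come from the post; the disk0: paths, netmasks, outside address and resource-class limits are assumed values.

```cisco
! === System execution space ===
! Enter multiple mode (the ASA reloads; the existing config becomes the admin context).
mode multiple

! Resource class for ctx-2 (assumed limits); defined before the context that uses it.
class ctx2-class
  limit-resource conns 5000
  limit-resource hosts 500

! Contexts and interface allocation (Ethernet5 is shared by both contexts).
admin-context admin
context admin
  allocate-interface Ethernet0
  allocate-interface Ethernet5
  config-url disk0:/admin.cfg
!
context ctx-2
  allocate-interface Ethernet2
  allocate-interface Ethernet5
  config-url disk0:/ctx-2.cfg
  member ctx2-class

! === Inside ctx-2 (changeto context ctx-2): normal single-firewall config ===
interface Ethernet2
  nameif inside
  security-level 100
  ip address 192.168.20.1 255.255.255.0
!
interface Ethernet5
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0   ! assumed outside address

! === Back in the system space (changeto system): rename admin -> ctx-1 ===
! The current admin context cannot be deleted, so hand the admin role to ctx-2 first.
admin-context ctx-2
no context admin
context ctx-1
  allocate-interface Ethernet0
  allocate-interface Ethernet5
  config-url disk0:/ctx-1.cfg
admin-context ctx-1
! Verify with: show mode / show context
```

From the system space, `changeto context ctx-1` then configure Ethernet0 as inside with 192.168.10.1, exactly as for ctx-2 above.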
