To configure a Cisco ASA firewall Security Context, you'll need a Security Context License applied on the ASA. The maximum number of Security Contexts supported would depend on the ASA platform.
In order to remove a Security Context, go under the System Context and simply issue a no context <CONTEXT NAME> and make sure to delete the context config in flash memory (disk0).
ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x4a3ec071
0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0x8b48b8b0 0xf317c0b5
Validating
activation key. This may take a few minutes...
Failed to
retrieve permanent activation key.
Failover
is different.
running permanent activation key:
Restricted(R)
new permanent activation key:
Unrestricted(UR)
WARNING:
The running activation key was not updated with the requested key.
Proceed
with update flash activation key? [confirm]
The flash
permanent activation key was updated with the requested key,
and will
become active after the next reload.
ciscoasa(config)#
ciscoasa(config)#
show version
Cisco
Adaptive Security Appliance Software Version 8.4(2)
Compiled
on Wed 15-Jun-11 18:17 by builders
System
image file is "Unknown, monitor mode tftp booted image"
Config
file at boot was "startup-config"
ciscoasa
up 5 mins 16 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000
MHz
Internal
ATA Compact Flash, 256MB
BIOS
Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab5a.d200, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab5a.d201, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab5a.d202, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab5a.d203, irq 0
Licensed
features for this platform:
Maximum
Physical Interfaces :
Unlimited perpetual
Maximum
VLANs : 100 perpetual
Inside
Hosts :
Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect
Premium Peers : 5000 perpetual
AnyConnect
Essentials : Disabled perpetual
Other VPN
Peers : 5000 perpetual
Total VPN
Peers : 0 perpetual
Shared
License :
Disabled perpetual
AnyConnect
for Mobile : Disabled perpetual
AnyConnect
for Cisco VPN Phone : Disabled perpetual
Advanced
Endpoint Assessment : Disabled perpetual
UC Phone
Proxy Sessions : 2 perpetual
Total UC
Proxy Sessions : 2 perpetual
Botnet
Traffic Filter :
Disabled perpetual
Intercompany
Media Engine : Disabled perpetual
This
platform has an ASA 5520 VPN Plus license.
Serial
Number: 123456789AB
Running Permanent Activation Key: 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Configuration
register is 0x0
Configuration
last modified by enable_15 at 03:16:54.199 UTC Wed Sep 19 2018
ciscoasa(config)#
ciscoasa(config)#
reload // REBOOT THE ASA FOR SECURITY CONTEXT LICENSE TO TAKE EFFECT
System
config has been modified. Save? [Y]es/[N]o:
Cryptochecksum:
98cf2135 92873d13 a11da19a cf9d6707
1995
bytes copied in 1.650 secs (1995 bytes/sec)
Proceed
with reload? [confirm]
ciscoasa(config)#
***
*** ---
START GRACEFUL SHUTDOWN ---
Shutting
down isakmp
Shutting
down File system
***
*** ---
SHUTDOWN NOW ---
REBOOT:
open message queue fail: No such file or directory/2
REBOOT:
enforce reboot...
Restarting
system.
machine
restart
ciscoasa#
show version
Cisco
Adaptive Security Appliance Software Version 8.4(2)
Compiled
on Wed 15-Jun-11 18:17 by builders
System
image file is "Unknown, monitor mode tftp booted image"
Config
file at boot was "startup-config"
ciscoasa
up 59 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000
MHz
Internal
ATA Compact Flash, 256MB
BIOS
Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab5a.d200, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab5a.d201, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab5a.d202, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab5a.d203, irq 0
Licensed
features for this platform:
Maximum
Physical Interfaces :
Unlimited perpetual
Maximum
VLANs : 100 perpetual
Inside
Hosts :
Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect
Premium Peers : 5000 perpetual
AnyConnect
Essentials : Disabled perpetual
Other VPN
Peers : 5000 perpetual
Total VPN
Peers : 0 perpetual
Shared
License :
Disabled perpetual
AnyConnect
for Mobile : Disabled perpetual
AnyConnect
for Cisco VPN Phone : Disabled perpetual
Advanced
Endpoint Assessment : Disabled perpetual
UC Phone
Proxy Sessions : 2 perpetual
Total UC
Proxy Sessions : 2 perpetual
Botnet
Traffic Filter :
Disabled perpetual
Intercompany
Media Engine : Disabled perpetual
This
platform has an ASA 5520 VPN Plus license.
Serial
Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071
0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration
register is 0x0
Configuration
has not been modified since last system restart.
ciscoasa#
ciscoasa#
configure terminal
ciscoasa(config)#
*****************************
NOTICE *****************************
Help to
improve the ASA platform by enabling anonymous reporting,
which
allows Cisco to securely receive minimal error and health
information
from the device. To learn more about this feature,
please
visit: http://www.cisco.com/go/smartcall
Would you
like to enable anonymous error reporting to help improve
the
product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)#
mode ?
configure
mode commands/options:
multiple
Multiple mode; mode with security contexts
noconfirm
Do not prompt for confirmation
single
Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING:
This command will change the behavior of the device
WARNING:
This command will initiate a Reboot
Proceed
with change mode? [confirm]
Convert
the system configuration? [confirm]
!
The old
running configuration file will be written to flash
Converting
the configuration - this may take several minutes for a large configuration
The admin
context configuration will be written to flash
The new
running configuration file was written to flash
Security
context mode: multiple
***
*** ---
SHUTDOWN NOW ---
***
***
Message to all terminals:
***
*** change mode
REBOOT:
open message queue fail: No such file or directory/2
REBOOT:
enforce reboot...
Restarting
system.
machine
restart
ciscoasa#
changeto system
ciscoasa#
configure terminal
ciscoasa(config)#
*****************************
NOTICE *****************************
Help to
improve the ASA platform by enabling anonymous reporting,
which
allows Cisco to securely receive minimal error and health
information
from the device. To learn more about this feature,
please
visit: http://www.cisco.com/go/smartcall
Would you
like to enable anonymous error reporting to help improve
the
product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)#
hostname ?
configure
mode commands/options:
WORD < 64 char Host name for this system. A hostname must
start and end with
a letter or digit and have as
interior characters only
letters, digits, or a hyphen.
ciscoasa(config)#
prompt ?
configure
mode commands/options:
context
Display the context in the session prompt (multimode only)
domain
Display the domain in the session prompt
hostname
Display the hostname in the session prompt
priority
Display the priority in the session prompt
state
Display the traffic passing state in the session prompt
ciscoasa(config)#
prompt hostname context
ciscoasa(config)#
ciscoasa(config)#
show run
: Saved
:
ASA
Version 8.4(2) <system>
!
hostname
ciscoasa
enable
password 8Ry2YjIyt7RRXU24 encrypted
no
mac-address auto
!
interface
GigabitEthernet0
shutdown
!
interface
GigabitEthernet1
shutdown
!
interface
GigabitEthernet2
shutdown
!
interface
GigabitEthernet3
shutdown
!
class
default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode
passive
pager
lines 24
no
failover
no asdm
history enable
arp
timeout 14400
console
timeout 0
admin-context
admin
context
admin
config-url disk0:/admin.cfg
!
prompt
hostname context
no
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic
monthly
subscribe-to-alert-group configuration
periodic monthly
subscribe-to-alert-group telemetry periodic
daily
crashinfo
save disable
Cryptochecksum:2812193d036302b9b304ad8b1772c974
: end
Ensure the ASA interfaces are unshut (no shutdown) in System Context.
ciscoasa(config)#
interface g0
ciscoasa(config-if)#
no shutdown
ciscoasa(config-if)#
interface g1
ciscoasa(config-if)#
no shutdown
ciscoasa(config-if)#
int g1.444
ciscoasa(config-subif)#
vlan 444
ciscoasa(config-subif)#
no shut
ciscoasa(config-subif)#
ciscoasa(config-subif)#
context TEST-1
Creating
context 'TEST-1'... Done. (2)
ciscoasa(config-ctx)#
allocate-interface g0
ciscoasa(config-ctx)#
allocate-interface g1.444
ciscoasa(config-ctx)#
config-url disk0:/TEST-1.cfg
WARNING:
Could not fetch the URL disk0:/TEST-1.cfg
INFO:
Creating context with default config
ciscoasa(config-ctx)#
exit
ciscoasa(config)#
end
ciscoasa#
show run
: Saved
:
ASA
Version 8.4(2) <system>
!
hostname
ciscoasa
enable
password 8Ry2YjIyt7RRXU24 encrypted
no
mac-address auto
!
interface
GigabitEthernet0
!
interface
GigabitEthernet1
!
interface
GigabitEthernet1.444
vlan 444
!
interface
GigabitEthernet2
shutdown
!
interface
GigabitEthernet3
shutdown
!
class
default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode
passive
pager
lines 24
no
failover
no asdm
history enable
arp
timeout 14400
console
timeout 0
admin-context
admin
context
admin
config-url disk0:/admin.cfg
!
context TEST-1
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1.444
config-url
disk0:/TEST-1.cfg
!
prompt
hostname context
no
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic
monthly
subscribe-to-alert-group configuration
periodic monthly
subscribe-to-alert-group telemetry periodic
daily
crashinfo
save disable
Cryptochecksum:e0ee857ea073cb0043c19d47245179da
: end
ciscoasa#
changeto context TEST-1
ciscoasa/TEST-1#
ciscoasa/TEST-1#
show run
: Saved
:
ASA
Version 8.4(2) <context>
!
hostname
TEST-1
enable
password 8Ry2YjIyt7RRXU24 encrypted
passwd
2KFQnbNIdI.2KYOU encrypted
names
!
interface
GigabitEthernet0
no nameif
no security-level
no ip address
!
interface
GigabitEthernet1.444
no nameif
no security-level
no ip address
!
pager
lines 24
icmp
unreachable rate-limit 1 burst-size 1
no asdm
history enable
arp
timeout 14400
timeout
xlate 3:00:00
timeout
conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout
sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout
sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout
sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout
tcp-proxy-reassembly 0:01:00
timeout
floating-conn 0:00:00
user-identity
default-domain LOCAL
no
snmp-server location
no
snmp-server contact
telnet
timeout 5
ssh
timeout 5
no
threat-detection statistics tcp-intercept
!
class-map
inspection_default
match default-inspection-traffic
!
!
policy-map
type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map
global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy
global_policy global
Cryptochecksum:2cb2107b9725b16aaf94ceb8f71ea75b
: end
In order to remove a Security Context, go under the System Context and simply issue a no context <CONTEXT NAME> and make sure to delete the context config in flash memory (disk0).
ciscoasa(config)# no context TEST-1
WARNING:
Removing context 'TEST-1'
Proceed
with removing the context? [confirm]
Removing
context 'TEST-1' (2)... Done
ciscoasa(config)# delete config-url disk0:/TEST-1.cfg
ciscoasa(config)#
show run
: Saved
:
ASA
Version 8.4(2) <system>
!
hostname
ciscoasa
enable
password 8Ry2YjIyt7RRXU24 encrypted
no
mac-address auto
!
interface
GigabitEthernet0
!
interface
GigabitEthernet1
!
interface
GigabitEthernet1.444
vlan 444
!
interface
GigabitEthernet2
shutdown
!
interface
GigabitEthernet3
shutdown
!
class
default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode
passive
pager
lines 24
no
failover
no asdm
history enable
arp
timeout 14400
console
timeout 0
admin-context
admin
context
admin
config-url disk0:/admin.cfg
!
prompt
hostname context
no
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic
monthly
subscribe-to-alert-group configuration
periodic monthly
subscribe-to-alert-group telemetry periodic
daily
crashinfo
save disable
Cryptochecksum:f3ea19991e889c8988eef5380a4c345c
: end
