Sunday, February 3, 2019

Removing Cisco ASA Firewall Security Context

To configure a Cisco ASA firewall Security Context, you'll need a Security Context License applied on the ASA. The maximum number of Security Contexts supported would depend on the ASA platform.

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0x8b48b8b0 0xf317c0b5
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
   running permanent activation key: Restricted(R)
   new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm]
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.
ciscoasa(config)#
ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 5 mins 16 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab5a.d200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab5a.d201, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab5a.d202, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab5a.d203, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 03:16:54.199 UTC Wed Sep 19 2018
ciscoasa(config)#
ciscoasa(config)# reload     // REBOOT THE ASA FOR SECURITY CONTEXT LICENSE TO TAKE EFFECT
System config has been modified. Save? [Y]es/[N]o: 
Cryptochecksum: 98cf2135 92873d13 a11da19a cf9d6707

1995 bytes copied in 1.650 secs (1995 bytes/sec)
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system



***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 59 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab5a.d200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab5a.d201, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab5a.d202, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab5a.d203, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: 
ciscoasa(config)#
ciscoasa(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]    
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart


ciscoasa# changeto system
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)# hostname ? 

configure mode commands/options:
  WORD < 64 char  Host name for this system. A hostname must start and end with
                  a letter or digit and have as interior characters only
                  letters, digits, or a hyphen.
ciscoasa(config)# prompt ?

configure mode commands/options:
  context   Display the context in the session prompt (multimode only)
  domain    Display the domain in the session prompt
  hostname  Display the hostname in the session prompt
  priority  Display the priority in the session prompt
  state     Display the traffic passing state in the session prompt
ciscoasa(config)# prompt hostname context
ciscoasa(config)#
ciscoasa(config)# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
 shutdown
!
interface GigabitEthernet1
 shutdown
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!            

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2812193d036302b9b304ad8b1772c974
: end


Ensure the ASA interfaces are unshut (no shutdown) in System Context.
ciscoasa(config)# interface g0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int g1.444
ciscoasa(config-subif)# vlan 444
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)#
ciscoasa(config-subif)# context TEST-1
Creating context 'TEST-1'... Done. (2)

ciscoasa(config-ctx)# allocate-interface g0
ciscoasa(config-ctx)# allocate-interface g1.444
ciscoasa(config-ctx)# config-url disk0:/TEST-1.cfg

WARNING: Could not fetch the URL disk0:/TEST-1.cfg
INFO: Creating context with default config

ciscoasa(config-ctx)# exit
ciscoasa(config)# end
ciscoasa# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
!
interface GigabitEthernet1
!
interface GigabitEthernet1.444
 vlan 444
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

context TEST-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1.444
  config-url disk0:/TEST-1.cfg

!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e0ee857ea073cb0043c19d47245179da
: end

 
ciscoasa# changeto context TEST-1
ciscoasa/TEST-1#
ciscoasa/TEST-1# show run
: Saved
:
ASA Version 8.4(2) <context>
!
hostname TEST-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.444
 no nameif
 no security-level
 no ip address
!
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2cb2107b9725b16aaf94ceb8f71ea75b
: end


In order to remove a Security Context, go under the System Context and simply issue a no context <CONTEXT NAME> and make sure to delete the context config in flash memory (disk0).


ciscoasa(config)# no context TEST-1
WARNING: Removing context 'TEST-1'
Proceed with removing the context? [confirm]
Removing context 'TEST-1' (2)... Done
ciscoasa(config)# delete config-url disk0:/TEST-1.cfg
ciscoasa(config)# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
!
interface GigabitEthernet1
!
interface GigabitEthernet1.444
 vlan 444
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:f3ea19991e889c8988eef5380a4c345c
: end