Licensing
PIX 515 and higher and ASA 5510 and higher support contexts.
Context Uses
- active/active failover
- ISPs and co-location/hosting companies that host services requiring firewall functions.
- Sites that need more than one firewall in the same physical location.
Context Restriction
- Dynamic routing protocols (unicast and multicast) are unsupported; only static routes are available.
- No VPN support, whether IPsec, L2TP or WebVPN.
- Threat detection is unsupported.
System Area
- system-wide configuration
- create/delete contexts
- Does not count as a context itself.
- Accessed through the admin context.
- Uses the admin context to communicate with external devices and services.
Context
- Each context has a name, interfaces allocated to it, and a configuration file that stores the security policies and configuration of that context.
- By default, the ‘admin’ context is the administrative context used to access the system area.
- Any context can be the admin context, but only one at a time (admin-context context_name).
Context chaining
- Contexts can be chained by sharing a common physical or VLAN interface.
- When interfaces are shared, only the MAC address and the translation (NAT) rules are used to match a packet to a context.
- It is recommended to assign a unique MAC address to each context's interface (mac-address auto).
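The following is an added configuration example (not taken from the original post) that puts the points above together: three contexts created from the system area, an explicit admin context, one shared outside interface with auto-generated unique MAC addresses, per-context VLAN inside interfaces, and a static route inside a context (the only routing a context supports). The interface names, context names, file names and IP addresses (RFC 5737 documentation ranges) are assumptions chosen for the illustration.

```cisco
! --- System area (system execution space) ---
! Switch the appliance to multiple-context mode (requires a reload).
mode multiple

! Define VLAN sub-interfaces that will be handed to individual contexts.
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20

! Give every context interface a unique, automatically generated MAC address.
! Needed because GigabitEthernet0/0 is shared by all contexts below; without
! distinct MACs the classifier must fall back to NAT rules alone.
mac-address auto

! Only one admin context is allowed; it is the path into the system area.
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/admin.cfg

! Customer contexts "custA" and "custB" (assumed names) share the physical
! outside interface but receive their own VLAN inside interface.
context custA
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/custA.cfg
context custB
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/custB.cfg

! --- Inside context custA (interfaces are referenced by their mapped names) ---
changeto context custA
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
! Contexts cannot run OSPF/EIGRP/RIP, so the default route is static.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The order matters: `admin-context` must be set before the first `context` is created, and `config-url` is what actually instantiates the context and loads (or creates) its configuration file. `changeto context custA` followed by `show interface` will confirm that the shared outside interface carries a MAC address different from the one seen in custB.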
Managing Resources
The following resources can be defined (limited) for a context:
- Management connections: ASDM, Telnet and SSH.
- Hosts.
- MAC addresses.
- Xlates in the translation table.
- Connections in the state table.
- Syslog messages per second.
- Application inspections per second.
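As an added example (not from the original post), the resource classes below cap each of the listed resource types for a context. Limits are configured in the system area with `class` and `limit-resource`; a context is bound to a class with `member`, and any context not assigned to a class falls into the built-in `default` class. The class names, context names and numeric limits are assumptions for illustration.

```cisco
! --- System area ---
! "gold" (assumed name): hard, absolute limits for a hosting customer.
class gold
 limit-resource asdm 2
 limit-resource ssh 3
 limit-resource telnet 2
 limit-resource hosts 1000
 limit-resource mac-addresses 500
 limit-resource xlates 20000
 limit-resource conns 50000
 ! Rate-based resources take the "rate" keyword.
 limit-resource rate syslogs 500
 limit-resource rate inspects 2000

! "bronze" (assumed name): percentage limits relative to the whole appliance,
! so one noisy context cannot starve the others of connection or xlate capacity.
class bronze
 limit-resource all 5%
 limit-resource rate syslogs 100

! Bind contexts (assumed names) to their classes.
context custA
 member gold
context custB
 member bronze
```

`limit-resource all` sets every resource that has not been given its own line; a specific `limit-resource` entry in the same class overrides it. Current consumption against these limits is visible with `show resource usage context custA` (or `show resource usage summary`), which is the check to run before tightening a limit on a production context.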