Onboard an ASA in multi-context mode to Security Cloud Control
About multi-context mode
You can partition a single ASA, installed on a physical appliance, into multiple logical devices known as contexts. The three types of configurations used in an ASA configured in multi-context mode are:
- Security context
- Admin context
- System configuration
About security contexts
Each security context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple security contexts are similar to having multiple standalone devices. A security context is not a virtual ASA in the sense of a virtual machine image installed in a private cloud infrastructure. A security context is configured on an ASA that is installed on a hardware appliance. Each context is configured on a physical interface of that appliance.
For more information about multi-context mode, refer to the ASA CLI and ASDM configuration guides.
Security Cloud Control onboards each security context as a separate ASA and manages it as if it were a separate ASA.
About admin contexts
The admin context is similar to a security context, except that when a user logs in to the admin context, the user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way and can be used as a regular context. However, because logging into the admin context grants administrator privileges over all contexts, access to the admin context should be restricted to authorized users.
Security Cloud Control onboards each admin context as a separate ASA and manages it as if it were a separate ASA. Security Cloud Control also uses the admin context when upgrading ASA and ASDM software on the appliance.
About system configuration
The system administrator adds and manages contexts in the system configuration by setting each context's configuration location, allocated interfaces, and other context operating parameters. Like a single mode configuration, the system configuration is the startup configuration. The system configuration identifies basic settings for the ASA. It does not include any network interfaces or network settings for itself. When the system needs to access network resources, such as downloading the contexts from the server, it uses one of the contexts designated as the admin context.
Security Cloud Control does not onboard the system configuration.
Onboard prerequisites for security and admin contexts
Before you onboard security or admin contexts, check the prerequisites in Onboard ASA Device to Security Cloud Control.
To learn which Cisco appliances support ASAs in multi-context mode, refer to the "Multiple Context Mode" chapter in the CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide for your ASA software version.
An ASA running as a single context firewall, or as the admin context of a multiple-context firewall, can use different port numbers for ASDM and Security Cloud Control access. ASA security contexts use a fixed port (port 443) for ASDM and Security Cloud Control access.
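The following ASA CLI fragment is an added example, not part of the original page or of Cisco's documentation. It shows how the three configuration types relate and one way to restrict management access to the admin context. The context names, interface names, addresses, account name, and port 8443 are assumed values.

```text
! Added example with constructed values.
! --- System configuration (system execution space) ---
! Defines the contexts; it has no network settings of its own.
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
context ctx-a
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/ctx-a.cfg

! --- Admin context (entered with: changeto context admin) ---
interface Management0/0
  nameif management
  security-level 100
  ip address 192.0.2.10 255.255.255.0
! Require a local account for HTTPS (ASDM / Security Cloud Control) and SSH.
username scc-admin password <PLACEHOLDER> privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
! The admin context may use a non-default HTTPS port (8443 is assumed here).
http server enable 8443
! Accept management connections only from the assumed management subnet.
http 198.51.100.0 255.255.255.0 management
ssh 198.51.100.0 255.255.255.0 management

! --- Security context ctx-a (entered with: changeto context ctx-a) ---
interface GigabitEthernet0/2
  nameif inside
  security-level 100
  ip address 192.0.2.129 255.255.255.128
! Security contexts use the fixed port 443, so no port argument is given.
http server enable
aaa authentication http console LOCAL
http 198.51.100.0 255.255.255.0 inside
```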
Onboard ASA security and admin contexts
To onboard a security context or admin context, follow the instructions in Onboard ASA Device to Security Cloud Control or Onboard multiple ASAs to Security Cloud Control.
Upgrade security contexts
Security Cloud Control treats each security and admin context of a multiple-context ASA as a separate ASA and each is onboarded separately. However, all security and admin contexts of a multiple-context ASA run the same version of ASA software installed on the appliance.
To upgrade the ASA and ASDM versions used by the security contexts, onboard the admin context and perform the upgrade there.
For more information, refer to Upgrade ASA and ASDM Images on a Single ASA or Upgrade Bulk ASA and ASDM in Security Cloud Control.