Onboard an ASA in Multi-Context Mode to CDO
About Multi-Context Mode
You can partition a single ASA, installed on a physical appliance, into multiple logical devices known as contexts. There are three kinds of configurations used in an ASA configued in multi-context mode:
-
Security Context
-
Admin Context
-
System Configuration
About Security Contexts
Each security context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple security contexts are similar to having multiple standalone devices. A security context is not a virtual ASA in the sense of a virtual machine image installed in a private cloud infrastructure. A security context is configured on an ASA installed on a hardware appliance. Each context is configured on a physical interface of that appliance.
See the ASA CLI and ASDM configuration guides for more information about multi-context mode.
CDO onboards each security context as a separate ASA and manages it as if it were a separate ASA.
About Admin Contexts
The admin context is like a security context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.
CDO onboards each admin context as a separate ASA and manages it as if it were a separate ASA. CDO also uses the admin context when upgrading ASA and ASDM software on the appliance.
About System Configuration
The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
CDO does not onboard the system configuration.
Onboarding Prerequisites for Security and Admin Contexts
The prerequisites for onboarding security and admin contexts are the same for onboarding any other ASA. See Onboard ASA Device to CDOfor the list of prerequisites.
To learn which Cisco appliances support ASAs in multi-context mode, see the "Multiple Context Mode" chapter in the CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide for whatever ASA software version you are running.
For an ASA running as a single context firewall and for the admin context of a multiple-context firewall, many different port numbers could be used for ASDM and CDO access. However, for security contexts, the ASDM and CDO access port is fixed to port 443. This is a limitation of ASA.
Onboarding ASA Security and Admin Contexts
The method of onboarding a security context or admin context is the same for onboarding any other ASA. See Onboard ASA Device to CDO or Onboard Multiple ASAs to CDO for onboarding instructions.
Upgrading Security Contexts
CDO treats each security and admin context of a multiple-context ASA as a separate ASA and each is onboarded separately. However, all security and admin contexts of a multiple-context ASA run the same version of ASA software installed on the appliance.
To upgrade the versions of ASA and ASDM used by the ASA's security contexts, you onboard the the admin context and perform the upgrade on that context. See Upgrade ASA and ASDM Images on a Single ASA or Upgrade Bulk ASA and ASDM in CDO Upgrade Bulk ASA and ASDM in CDOfor more information.