I have a FWSM in a 7609 that is currently up and running in a single context, supporting our Internet access and customer circuits. We have a need to stand up a second context for our daughter company. I would like to know if there are any things I need to watch out for, other than the obvious (backup current config, etc.)? FWSM is running 3.2(3) code and we only have the 2 context basic license.
1) You have 3 contexts available to you. The admin context and then the 2 other contexts. Haven't done it on v3.x but when I switched to multiple context mode on v2.x it moved my existing firewall config into the admin context which you probably don't want.
2) When you switch to multiple context you get what's called the "system execution space". So when you log onto the firewall "sess slot x proc 1" you are in system execution space (SEP for short).
3) To allocate a vlan to the firewall you still have to add to the "firewall vlan-group ..." in the 6500 switch config but there is now an additional step where you then have to add it to the context in the SEP before you can assign it in your context.
4) You cannot run a dynamic routing protocol in multi context mode so if you are currently running one be prepared to add a lot of statics.
5) Failover is configured in SEP.
6) To change to context from SEP -
7) To change back to SEP -
8) Shared interfaces. If you decide that you are going to use the same vlan on the outside for both contexts this is fine, but you need to read up on the FWSM classifier; if you have a look in the relevant configuration guides there is a good explanation of how the classifier works.
For your info here is the output from the SEP on one of our lab FWSMs.
SZ-JFH-F00-DTE-FW1# sh run
FWSM Version 2.3(2)
resource acl-partition 12
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging buffer-size 4096
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource PDM 5
limit-resource SSH 5
limit-resource Telnet 5
failover lan unit primary
failover lan interface fover vlan 200
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link statefover vlan 201
failover interface ip fover 192.168.11.1 255.255.255.248 standby 192.168.11.2
failover interface ip statefover 192.168.11.17 255.255.255.248 standby 192.168.11.18
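The three-step VLAN allocation sequence from point 3, as an added example rather than configuration from the post above. Slot number, VLAN ids, context name, addresses and config file names are all assumed.

```cisco
! Added example, not from the original post. Assumed: FWSM in slot 4,
! management VLAN 100, daughter context using VLANs 300 (inside) and
! 310 (outside). The failover VLANs (200/201 in the lab output) stay in
! the SEP, as in point 5, and are never allocated to a context.

! Step 1 - on the 6500/7600 supervisor (IOS): the VLANs must be in a
! vlan-group handed to the FWSM, exactly as in single-context mode.
firewall vlan-group 1 100,200,201,300,310
firewall module 4 vlan-group 1

! Step 2 - in the FWSM system execution space (SEP), after "mode multiple":
! each VLAN is allocated to a context. Until this is done the context
! cannot see the VLAN at all, even though the switch has handed it over.
admin-context admin
context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
!
context daughter
  allocate-interface vlan300
  allocate-interface vlan310
  config-url disk:/daughter.cfg

! Step 3 - from within the daughter context's own configuration: the
! allocated VLAN is configured like any interface in single-context mode.
! A VLAN not allocated in step 2 is rejected here.
interface Vlan300
  nameif inside
  security-level 100
  ip address 10.20.0.1 255.255.255.0
!
interface Vlan310
  nameif outside
  security-level 0
  ip address 192.0.2.10 255.255.255.0
```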