1-2
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Multiple Context Mode
  Information About Security Contexts
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling 
multiple security contexts on the ASA, you can implement a cost-effective, space-saving solution 
that keeps all customer traffic separate and secure, and also eases configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one ASA.
Context Configuration Files
This section describes how the ASA implements multiple context mode configurations and includes the 
following topics:
• Context Configurations, page 1-2
• System Configuration, page 1-2
• Admin Context Configuration, page 1-2
Context Configurations
For each context, the ASA includes a configuration that identifies the security policy, interfaces, and all 
the options you can configure on a standalone device. You can store context configurations in flash 
memory, or you can download them from a TFTP, FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration 
location, allocated interfaces, and other context operating parameters in the system configuration, which, 
like a single mode configuration, is the startup configuration. The system configuration identifies basic 
settings for the ASA. The system configuration does not include any network interfaces or network 
settings for itself; rather, when the system needs to access network resources (such as downloading the 
contexts from the server), it uses one of the contexts that is designated as the admin context. The system 
configuration does include a specialized failover interface for failover traffic only.
Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context, 
then that user has system administrator rights and can access the system and all other contexts. The 
admin context is not restricted in any way, and can be used as a regular context. However, because 
logging into the admin context grants you administrator privileges over all contexts, you might need to 
restrict access to the admin context to appropriate users. The admin context must reside on flash memory, 
and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context 
is created automatically as a file on the internal flash memory called admin.cfg. This context is named 
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.