Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Introduction to the Cisco ASA
For multiple context mode, if you place the router behind the ASASM, you should only connect it to a 
single context. If you connect the router to multiple contexts, the router will route between the contexts, 
which might not be your intention. The typical scenario for multiple contexts is to use a router in front 
of all the contexts to route between the Internet and the switched networks (see Figure 1-2).
Figure 1-2 MSFC/Router Placement with Multiple Contexts
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall 
can also protect inside networks from each other, for example, by keeping a human resources network 
separate from a user network. If you have network resources that need to be available to an outside user, 
such as a web or FTP server, you can place these resources on a separate network behind the firewall, 
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ 
only includes the public servers, an attack there only affects the servers and does not affect the other 
inside networks. You can also control when inside users access outside networks (for example, access to 
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by 
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the 
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited 
access to outside users. Because the ASA lets you configure many interfaces with varied security 
policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, 
these terms are used in a general sense only.
[Figure 1-2 labels: Internet; MSFC/Router; Admin Context, Context A, Context B, Context C; Admin Network, Inside Customer A, Inside Customer B, Inside Customer C; VLAN 100, VLAN 20, VLAN 200, VLAN 201, VLAN 202, VLAN 300, VLAN 301, VLAN 302, VLAN 303]