Configure a PIX Security Appliance to Perform in Multiple Context Mode
Configure a security context

Use the context command in global configuration mode to create a security context in the system configuration and enter context configuration mode. The security context definition in the system configuration identifies the context name, configuration file URL, VLAN, and interfaces that a context can use.

If an admin context is not present, for example, if the configuration has been cleared, then the first context that is added must be the admin context. After the admin context is specified, the context command can be used to configure the admin context.

Allocating Interfaces
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. This command can be entered multiple times to specify different ranges. For transparent firewall mode, only two interfaces can be used per context. If the PIX Security Appliance model includes a management interface, that interface can be configured for management traffic in addition to the two network interfaces. The same interfaces can be assigned to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

If a range of subinterfaces is specified, a matching range of mapped names can also be specified. Follow these guidelines for ranges:

  • The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10.
  • The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, if both ranges include 100 interfaces, enter the following range: gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100

Context Configuration Files
Each context on the PIX Security Appliance has its own configuration file, which is specified using the config-url command. Until this command is entered, the context is not operational. It becomes operational as soon as the command is entered.

The configuration files can be stored in a variety of locations. Note that http(s) locations are read only. Also, all remote URLs must be accessible from the admin context.

NOTE:

Enter the allocate-interface command or commands before entering the config-url command. The PIX Security Appliance must assign interfaces to the context before it loads the context configuration. The context configuration might include commands that refer to interfaces, such as interface, nat, or global commands. If the config-url command is entered first, the PIX loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.
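The range guidelines and the command-order rule above can be checked before a system configuration is loaded. The following Python checker is an added example, not part of the original material or of any Cisco tooling; the function names, context names, file names and URL are assumptions made for illustration.

```python
import re

SUBIF = re.compile(r"^(\S+?)\.(\d+)-(\S+?)\.(\d+)$")          # phys.N-phys.M
MAPPED = re.compile(r"^([A-Za-z]+)(\d+)-([A-Za-z]+)(\d+)$")   # nameN-nameM

def check_range(subif, mapped):
    """Check a subinterface range against its mapped-name range."""
    s, m = SUBIF.match(subif), MAPPED.match(mapped)
    if not s or not m:
        return ["range needs an alphabetic+numeric mapped-name range"]
    problems = []
    if m.group(1) != m.group(3):
        problems.append("alphabetic portion differs between range ends")
    if int(s.group(4)) - int(s.group(2)) != int(m.group(4)) - int(m.group(2)):
        problems.append("mapped range size differs from subinterface range")
    return problems

def lint(system_config):
    """Return (context, finding) pairs for a system configuration text."""
    findings, ctx, allocated = [], None, False
    for words in (line.split() for line in system_config.splitlines()):
        if len(words) < 2:
            continue
        if words[0] == "context":
            ctx, allocated = words[1], False          # new context block starts
        elif ctx and words[0] == "allocate-interface":
            allocated = True
            mapped = [w for w in words[2:] if w not in ("visible", "invisible")]
            if "-" in words[1] and mapped:            # a range with mapped names
                findings += [(ctx, p) for p in check_range(words[1], mapped[0])]
        elif ctx and words[0] == "config-url":
            if not allocated:                         # context would load too early
                findings.append((ctx, "config-url before allocate-interface"))
            if words[1].lower().startswith(("http://", "https://")):
                findings.append((ctx, "http(s) config-url is read only"))
    return findings

# Constructed excerpt (context names, file names and URL are made up).
SAMPLE = """\
context ctx-a
  config-url flash:/ctx-a.cfg
  allocate-interface gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
context ctx-b
  allocate-interface gigabitethernet0/0.200-gigabitethernet0/0.209 int1-ext5
  config-url https://config.example.com/ctx-b.cfg
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

In the sample, ctx-a is flagged only for command order because its range pair matches the guideline example, while ctx-b is flagged for both range rules and for the read-only URL.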

To identify the URL from which the system downloads the context configuration, use the config-url command in context configuration mode. Note the following:

  • When a context URL is added, the system immediately loads the context so that it is running.
  • The admin context file must be stored on the Flash memory DIMM.
  • If the system cannot retrieve the context configuration file because the server is unavailable, or the file does not yet exist, the system creates a blank context that is ready to be configured with the command-line interface.
  • To change the URL, reenter the config-url command with a new URL.
    • The PIX Security Appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. Errors may happen, or unexpected results may occur. If the running configuration is blank, as in the case that the server was unavailable and the configuration was never downloaded, then the new configuration is used.
    • To avoid merging the configurations, clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

The running configuration that is edited in configuration mode, or that is used in the copy or write commands, depends on the location. When in the system execution space, the running configuration consists only of the system configuration. When in a context, the running configuration consists only of that context.

Once the context has been activated, it is configured much the same as a standalone PIX Security Appliance device. Individual device configuration changes made in the context are stored in the configuration specified by the config-url command. The location of the startup configuration file cannot be changed or viewed from within the context.