Use the context command in global configuration mode to create a security
context in the system configuration and enter context configuration mode. The
security context definition in the system configuration identifies the context
name, configuration file URL, VLAN, and interfaces that a context can use.
If an admin context is not present, for example, if the configuration has been
cleared, then the first context that is added must be the admin context. After
the admin context is specified, the context command can be used to configure
the admin context.
Allocating Interfaces
To allocate interfaces to a security context, use the allocate-interface
command in context configuration mode. This command can be entered multiple
times to specify different ranges. For transparent firewall mode, only two
interfaces can be used per context. If the PIX Security Appliance model
includes a management interface, that interface can be configured for
management traffic in addition to the two network interfaces. The same
interfaces can be assigned to multiple contexts in routed mode, if desired.
Transparent mode does not allow shared interfaces.
If a range of subinterfaces is specified, a matching range of mapped names can
also be specified. Follow these guidelines for ranges:
- The mapped name must consist of an alphabetic portion followed by a numeric
portion. The alphabetic portion of the mapped name must match for both ends of
the range. For example, enter the following range: int0-int10.
- The numeric portion of the mapped name must include the same quantity of
numbers as the subinterface range. For example, if both ranges include 100
interfaces, enter the following range:
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
Context Configuration Files
Each context on the PIX Security Appliance has its own configuration file,
which is specified using the config-url command. Until this command is entered,
the context is not operational. It becomes operational as soon as the command
is entered.
The configuration files can be stored in a variety of locations. Note that
http(s) locations are read only. Also, all remote URLs must be accessible from
the admin context.
NOTE:
Enter the allocate-interface command or commands before entering the
config-url command. The PIX Security Appliance must assign interfaces to the
context before it loads the context configuration. The context configuration
might include commands that refer to interfaces, such as interface, nat, or
global commands. If the config-url command is entered first, the PIX loads the
context configuration immediately. If the context contains any commands that
refer to interfaces, those commands fail.
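The ordering rule in the NOTE, the mapped-name range guidelines, and the read-only http(s) caveat can be checked mechanically before a system configuration is applied. The following Python check is an added example, not part of the original text or of any Cisco tool; the sample configuration, context names, addresses, and finding labels are constructed for illustration.

```python
import re

SUBIF = r"(.+)\.(\d+)"          # e.g. gigabitethernet0/0.100
MAPPED = r"([A-Za-z]+)(\d+)"    # alphabetic portion, then numeric portion

# Constructed excerpt of a system configuration (names and addresses are made up).
SAMPLE = """\
context customerA
  config-url ftp://192.0.2.10/customerA.cfg
  allocate-interface gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
context customerB
  allocate-interface gigabitethernet0/0.200-gigabitethernet0/0.204 inta1-intb4
  allocate-interface gigabitethernet0/0.300-gigabitethernet0/0.305 int1-int5
  config-url https://192.0.2.10/customerB.cfg
"""

def range_size(spec, pattern):
    """Count the names in 'x1' or 'x1-x9'; None if malformed or the prefixes differ."""
    ends = [re.fullmatch(pattern, end) for end in spec.split("-")]
    if len(ends) > 2 or not all(ends) or len({m.group(1) for m in ends}) != 1:
        return None
    return int(ends[-1].group(2)) - int(ends[0].group(2)) + 1

def audit(config):
    """Return (line number, context, finding) tuples for the rules described above."""
    findings, ctx, has_if = [], None, False
    for n, line in enumerate(config.splitlines(), 1):
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "context":
            ctx, has_if = words[1], False
        elif words[0] == "allocate-interface" and ctx:
            has_if = True
            if len(words) >= 3 and words[2] not in ("visible", "invisible"):  # option keywords
                phys, mapped = range_size(words[1], SUBIF), range_size(words[2], MAPPED)
                if mapped is None:
                    findings.append((n, ctx, "bad-mapped-name"))
                elif phys is not None and phys != mapped:
                    findings.append((n, ctx, "range-size-mismatch"))
        elif words[0] == "config-url" and ctx:
            if not has_if:  # context file would load before any interface exists
                findings.append((n, ctx, "config-url-before-allocate-interface"))
            if words[1].startswith(("http://", "https://")):
                findings.append((n, ctx, "read-only-url"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The read-only-url finding is informational: the context still loads, but the file at that location cannot be written back.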
To identify the URL from which the system downloads the context configuration,
use the config-url command in context configuration mode. Note the following:
- When a context URL is added, the system immediately loads the context so
that it is running.
- The admin context file must be stored on the Flash memory DIMM.
- If the system cannot retrieve the context configuration file because the
server is unavailable, or the file does not yet exist, the system creates a
blank context that is ready to be configured with the command-line
interface.
- To change the URL, reenter the config-url command with
a new URL.
- The PIX Security Appliance merges the new configuration with the current
running configuration. Reentering the same URL also merges the saved
configuration with the running configuration. A merge adds any new commands
from the new configuration to the running configuration. If the configurations
are the same, no changes occur. If commands conflict or if commands affect the
running of the context, then the effect of the merge depends on the command.
Errors may happen, or unexpected results may occur. If the running
configuration is blank, as in the case that the server was unavailable and the
configuration was never downloaded, then the new configuration is used.
- To avoid merging the configurations, clear the running configuration, which
disrupts any communications through the context, and then reload the
configuration from the new URL.
The running configuration that is edited in configuration mode, or that
is used in the copy or write commands,
depends on the location. When in the system execution space, the running
configuration consists only of the system configuration. When in a context, the
running configuration consists only of that context.
Once the context has been activated, it is configured much the same as a PIX
Security Appliance standalone device. Individual device configuration changes
made in the context are stored in the configuration specified by the config-url
command. The location of the startup configuration file cannot be changed or
viewed from within the context.