Configure a PIX Security Appliance to Perform in Multiple Context Mode
Security context overview

A single PIX Security Appliance can be partitioned into multiple virtual firewalls, known as security contexts. Each context is an independent firewall with its own security policy, interfaces, and administrators. Running multiple contexts is similar to operating multiple stand-alone PIX Security Appliances.

Each context has its own configuration that identifies the security policy, interfaces, and almost all the options that can be configured on a stand-alone PIX Security Appliance. If desired, individual context administrators can be allowed to implement the security policy on the context. Some resources are controlled by the overall system administrator, such as VLANs and system resources, so that one context cannot affect other contexts inadvertently.

The system administrator adds and manages contexts by configuring them in the system configuration, which identifies the basic settings for the PIX Security Appliance. The system administrator has privileges to manage all contexts. The system configuration does not include any network interfaces or network settings of its own. Instead, when the system needs to reach network resources, for example to download a context configuration from a server, it does so through the context that is designated as the admin context.

The admin context is just like any other context, except that a user who logs into the admin context, for example over an SSH connection, has system administrator rights and can access the system execution space and all other contexts. Because a login to the admin context confers these system-wide rights, access to it must be limited to the system administrators; a context administrator who is meant to manage only their own context must not be given credentials for the admin context. Typically, the admin context provides network access to network-wide resources, such as a syslog server or the server that holds the context configurations.

Multiple security contexts can be considered for use in the situations listed in Figure.

In the example in Figure, a service provider uses a single PIX Security Appliance divided into multiple contexts to deliver the same service as multiple small stand-alone PIX units. By enabling multiple security contexts on the PIX, the service provider can implement a cost-effective, space-saving solution that keeps each customer's traffic separate and secure, and also simplifies configuration.

Each context has its own configuration file that identifies the security policy, interfaces, and almost all the options that can be configured on a stand-alone PIX Security Appliance. Context configurations can be stored locally in Flash memory, or they can be downloaded from a TFTP, FTP, or HTTP(S) server.

In addition to the individual security contexts, the firewall appliance also has a system configuration that identifies the basic settings for the appliance, including the list of contexts. Like the single-mode configuration, this configuration resides as the startup configuration in Flash memory.

Each packet that enters the PIX Security Appliance must be classified so that the PIX can determine which context it belongs to. The classifier checks the following characteristics, in order:

  • Source interface, that is, the VLAN on which the packet arrived
  • Destination IP address

The PIX Security Appliance uses whichever characteristic is unique and not shared across contexts. If the ingress VLAN is allocated to only one context, the packet is sent to that context. If the VLAN is shared by several contexts, the classifier uses the destination IP address instead, which therefore must be unique among the contexts that share the VLAN. In other words, a VLAN interface can be shared as long as each context's IP address space on that VLAN is unique, and overlapping IP addresses can be used as long as the VLANs are unique. A design in which two contexts share both a VLAN and an address space is ambiguous and must be avoided, because neither characteristic can then identify the context. The example in Figure shows multiple contexts sharing an outside VLAN while the inside VLANs are unique, which allows the inside IP addresses to overlap.
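The following system and context configuration is an added illustration of the arrangement described above; it is not taken from the course page or from Cisco documentation. It covers the system configuration with its admin context, the storage of each context's file with config-url, and the classifier case of a shared outside VLAN with unique inside VLANs and overlapping inside addresses. The host names, context names, interface and VLAN numbers, file names and IP addresses (RFC 5737 documentation ranges) are assumptions chosen for the example.

```text
! --- System execution space (example configuration, not from the page) ---
! Before any of this, in privileged EXEC, convert the unit to multiple
! context mode. This reboots the PIX and turns the existing single-mode
! configuration into the admin context; verify afterwards with "show mode".
!   pix# mode multiple
!
! Physical and VLAN interfaces belong to the system. A context only sees
! the interfaces allocated to it further down.
hostname pix
interface Ethernet0
 no shutdown
interface Ethernet1
 no shutdown
interface Ethernet1.10
 vlan 10
interface Ethernet1.20
 vlan 20
interface Ethernet1.30
 vlan 30
!
! Name the admin context first, then define it. A login to this context
! carries system administrator rights, so its credentials stay with the
! system administrators and are never handed to customer administrators.
admin-context admin
context admin
 allocate-interface Ethernet0 outside
 allocate-interface Ethernet1.10 inside
 config-url flash:/admin.cfg
!
! Two customer contexts. Ethernet0 is SHARED (one outside VLAN), so each
! context must own a unique set of outside addresses. The inside VLANs are
! UNIQUE, so both customers may use 192.168.1.0/24 behind the firewall.
context custA
 allocate-interface Ethernet0 outside
 allocate-interface Ethernet1.20 inside
 config-url flash:/custA.cfg
context custB
 allocate-interface Ethernet0 outside
 allocate-interface Ethernet1.30 inside
 ! A context file may also be fetched through the admin context from a
 ! server, e.g. config-url tftp://203.0.113.100/custB.cfg (assumed address)
 config-url flash:/custB.cfg
!
! --- flash:/custA.cfg (custB.cfg differs only in its addresses) ---
! Interfaces appear under their mapped names, so the context administrator
! never learns the physical port or VLAN number behind them.
hostname custA
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! Translating inside hosts to the context's own outside address keeps the
! shared VLAN unambiguous: a packet arriving on Ethernet0 for 203.0.113.11
! is classified to custA, one for custB's outside address to custB, while
! a packet arriving on Ethernet1.20 needs no address lookup at all.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

A useful check after loading such a configuration is to confirm, from the system execution space, that each context came up with the interfaces intended for it and that no two contexts sharing Ethernet0 were given the same outside address; an overlap there would recreate exactly the ambiguous case the classifier cannot resolve.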


Web Links