01-09-2013 08:54 AM - edited 03-11-2019 05:45 PM
We have an active/active multi-context firewall and would like to add a sub-interface to an existing context. Can someone share a link on how to do this?
All Cisco documentation is for creating a context and allocating interfaces from scratch, but I could not find any document on adding an interface to an existing context.
-Mohan
Labels: NGFW Firewalls
Accepted Solutions
01-09-2013 08:59 AM
Hi,
Taking as an example one of our ASA-5585-X ASAs with a trunk interface sub-interface:
I think you need to connect to the ASA which is Active for the admin context. And for the actual user/customer Context you have to connect to the device where it is Active. Hopefully I remembered the "logic" correctly.
Create the sub-interface in the System Context space:
interface TenGigabitEthernet0/9.2000
 description New Link
 vlan 2000
Attach the created interface to a Context:
context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000
Configure the interface settings under the Context:
changeto context CONTEXT1
interface TenGigabitEthernet0/9.2000
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
The above should handle the very basics regarding the actual interface. Naturally you need all the other firewall configuration, and you also have to make sure that on the connected device this sub-interface/VLAN ID actually leads somewhere.
Please rate if the information was helpful and/or ask more if needed.
- Jouni
01-10-2013 03:00 AM
Hi,
This is the basic configuration for allocating a sub-interface.
But my question is: can I add a sub-interface to a context which is already configured with a config-url and is actively running?
Below is a note taken from Cisco documentation:
Note: Enter the allocate-interface command(s) before you enter the config-url command. If you enter the config-url command first, the ASA loads the context configuration immediately. If the context contains any commands that refer to (not yet configured) interfaces, those commands fail.
Does this mean I have to restart the context for the interface to be added to the context?
-Mohan
01-10-2013 06:03 AM
Ah, now I understand your question better.
Yes, you can just add the "allocate-interface
After you have added the interface with the "allocate-interface" command under the Context and move to the Context with the command "changeto context
After this you simply start configuring the interface with "description", "nameif", "security-level", "ip address" and so on, and start creating rules for it.
The situation that the Cisco quote above refers to is the following:
- You have a ready-made configuration file for your ASA context
- You load that file to the Flash of the ASA
- You want to apply the configuration on the Flash to the Context you created
- One reason for having a ready configuration might be that your previous ASA has broken down and you are now in the process of recovery with a replacement device, have all the configuration backups, and are loading them to the ASA and creating all the Contexts that were on the previous ASA
- IF you were to create the Context and immediately issue the "config-url" whose configuration refers to certain interfaces, THEN naturally the ASA couldn't insert those old backup configurations into the Context as it didn't have those interfaces attached yet.
- This is why, in the above case, you would first attach the interfaces to the context and THEN insert the Flash filesystem path where the already prepared configuration is located, so that the Context can use it to fully configure and restore the Context.
Now consider the more typical situation while configuring Contexts:
- You already have a Context with a "config-url" set where the Context configuration gets saved.
- When you add a new interface to the Context, nothing happens to the current configuration or firewall operation.
- Because the current configuration doesn't refer to the new interface in any way, it naturally won't get any configuration when you attach it to the Context.
- When you move under the Context, you can just start configuring the interface settings and the configuration related to that interface.
- AFTER you issue the "write mem" command and save the configuration, it will be saved to the file/path configured in the "config-url" configuration and will after this naturally contain the new interfaces (and all related configurations).
So in short:
- If you are adding new interfaces to production firewalls you can just use the "allocate-interface" command.
- If you have a ready-made configuration before creating the actual context, THEN you will have to make sure that the context has the interfaces attached BEFORE you attach the "config-url" configuration with the ready-made file, OR IF NOT it will only apply configuration for the interfaces which are attached before this. And naturally the global configurations that don't apply to any specific interface.
Hopefully I wasn't too complex with the writing. I'm pretty tired at the moment and it's hard to concentrate.
Please rate if you have found the information helpful, and also ask more if needed.
- Jouni
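As an added example (not code from this thread or from Cisco), the following Python script checks a saved copy of an ASA system-context configuration for the two things the answer above turns on: that within each "context" block the "allocate-interface" lines precede "config-url" (the ordering rule in the quoted Cisco note), and that every interface a context is given actually exists in the system space. It also expands the "A.x-A.y" sub-interface range form that "allocate-interface" accepts and lists interfaces allocated to more than one context, which is what you would want to know before consolidating contexts. The configuration text, the context names and the file names in it are constructed for the example; the parser only understands the handful of system-space commands shown.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a system-context config (not a real device's config);
# sub-commands are indented by one space, as the ASA itself displays them.
SAMPLE_SYSTEM_CONFIG = """\
! constructed sample, not a real device config
interface TenGigabitEthernet0/9
 no shutdown
interface TenGigabitEthernet0/9.2000
 description New Link
 vlan 2000
interface Port-channel11.3016
interface Port-channel11.3017
interface Port-channel11.3018
!
context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000
 config-url disk0:/CONTEXT1.cfg
!
context CONTEXT2
 allocate-interface TenGigabitEthernet0/9.2000
 config-url disk0:/CONTEXT2.cfg
!
context RESTORE
 config-url disk0:/RESTORE.cfg
 allocate-interface Port-channel11.3016-Port-channel11.3018
 allocate-interface TenGigabitEthernet0/9.2100
"""


@dataclass
class Context:
    name: str
    allocated: List[str] = field(default_factory=list)  # interfaces, in the order allocated
    config_url: Optional[str] = None
    config_url_before_alloc: bool = False  # the ordering mistake the Cisco note warns about


# Matches the "A.x-A.y" sub-interface range form accepted by allocate-interface.
RANGE_RE = re.compile(r"^([A-Za-z-]+[\d/]+)\.(\d+)-([A-Za-z-]+[\d/]+)\.(\d+)$")


def expand_range(spec: str) -> List[str]:
    """'Port-channel11.3016-Port-channel11.3018' -> its three sub-interfaces;
    a plain interface name comes back unchanged."""
    m = RANGE_RE.match(spec)
    if not m:
        return [spec]
    base, lo, base2, hi = m.groups()
    if base != base2 or int(lo) > int(hi):
        raise ValueError(f"bad interface range: {spec}")
    return [f"{base}.{n}" for n in range(int(lo), int(hi) + 1)]


def parse_system_config(text: str) -> Tuple[Set[str], Dict[str, Context]]:
    """Collect the interfaces defined in the system space and each context's allocations."""
    defined: Set[str] = set()
    contexts: Dict[str, Context] = {}
    current: Optional[Context] = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface" and len(words) > 1:
            defined.add(words[1])
            current = None  # a top-level interface block ends any context block
        elif words[0] == "context" and len(words) > 1:
            current = contexts.setdefault(words[1], Context(words[1]))
        elif current is not None and words[0] == "allocate-interface" and len(words) > 1:
            current.allocated.extend(expand_range(words[1]))
            if current.config_url is not None:
                current.config_url_before_alloc = True  # allocated after the config was already loaded
        elif current is not None and words[0] == "config-url" and len(words) > 1:
            current.config_url = words[1]
    return defined, contexts


def check(text: str) -> List[str]:
    """One finding per problem; an empty list means both checks passed."""
    defined, contexts = parse_system_config(text)
    findings: List[str] = []
    for ctx in contexts.values():
        if ctx.config_url_before_alloc:
            findings.append(f"{ctx.name}: config-url precedes allocate-interface; "
                            "interface commands in the loaded config would fail")
        for intf in ctx.allocated:
            if intf not in defined:
                findings.append(f"{ctx.name}: allocated {intf} is not defined in the system space")
    return findings


def shared_interfaces(contexts: Dict[str, Context]) -> Dict[str, List[str]]:
    """Interfaces allocated to more than one context, with the contexts that hold them."""
    owners: Dict[str, List[str]] = {}
    for ctx in contexts.values():
        for intf in ctx.allocated:
            owners.setdefault(intf, []).append(ctx.name)
    return {intf: names for intf, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for finding in check(SAMPLE_SYSTEM_CONFIG):
        print(finding)
    print("shared:", shared_interfaces(parse_system_config(SAMPLE_SYSTEM_CONFIG)[1]))
```

Run against the sample, only the RESTORE context is reported: its config-url is set before its interfaces are allocated, and one of the allocated sub-interfaces was never created in the system space; the shared-interface listing shows TenGigabitEthernet0/9.2000 held by both CONTEXT1 and CONTEXT2. To use it on a real box, paste the output of "show running-config" taken from the system execution space into SAMPLE_SYSTEM_CONFIG or read it from a file.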
05-28-2016 11:48 PM
Thank you Jouni, You saved my day..
-Zakir

05-02-2018 07:07 PM - edited 05-02-2018 07:08 PM
@Jouni Forss wrote:
Hi,
Taking as an example one of our ASA-5585-X ASAs with a trunk interface sub-interface:
I think you need to connect to the ASA which is Active for the admin context. And for the actual user/customer Context you have to connect to the device where it is Active. Hopefully I remembered the "logic" correctly.
Create the sub-interface in the System Context space:
interface TenGigabitEthernet0/9.2000
 description New Link
 vlan 2000
Attach the created interface to a Context:
context CONTEXT1
 allocate-interface TenGigabitEthernet0/9.2000
Configure the interface settings under the Context:
changeto context CONTEXT1
interface TenGigabitEthernet0/9.2000
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
The above should handle the very basics regarding the actual interface. Naturally you need all the other firewall configuration, and you also have to make sure that on the connected device this sub-interface/VLAN ID actually leads somewhere.
Please rate if the information was helpful and/or ask more if needed.
- Jouni
Is there any way to combine context configs?
Example: if I want to combine CONTEXT-A and CONTEXT-B to reduce the number of contexts, any suggestion on the best approach?
context CONTEXT-A
 allocate-interface Port-channel1.115 visible
 config-url disk0:/CONTEXT-A.cfg
context CONTEXT-B
 allocate-interface Port-channel1.115 visible
 allocate-interface Port-channel11.3016-Port-channel11.3018 visible
 config-url disk0:/CONTEXT-B.cfg

05-03-2018 03:32 PM
Migrate the config from one context to another.

05-04-2018 02:02 AM
So I would first remove one interface at a time from old_context, then add it to new_context.
Configure the IP on the new context and finally take care of the routing, ACL and NAT config.
