Skip to main content



Cisco Defense Orchestrator

Onboard an ASA in Multi-Context Mode

About Multi-Context Mode

You can partition a single ASA, installed on a physical appliance, into multiple logical devices known as contexts. There are three kinds of configurations used in an ASA configued in multi-context mode:

  • Security Context
  • Admin Context
  • System Configuration 

About Security Contexts

Each security context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple security contexts are similar to having multiple standalone devices. A security context is not a virtual ASA in the sense of a virtual machine image installed in a private cloud infrastructure. A security context is configured on an ASA installed on a hardware appliance. Each context is configured on a physical interface of that appliance. See the ASA CLI and ASDM configuration guides for more information about multi-context mode. 

CDO onboards each security context as a separate ASA and manages it as if it were a separate ASA. 

About Admin Contexts

The admin context is like a security context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. 

CDO onboards each admin context as a separate ASA and manages it as if it were a separate ASA. CDO also uses the admin context when upgrading ASA and ASDM software on the appliance.

About System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context

CDO does not onboard the system configuration. 

Onboarding Prerequisites for Security and Admin Contexts

The prerequisites for onboarding security and admin contexts are the same for onboarding any other ASA. See Onboard an ASA Device for the list of prerequisites.

To learn which Cisco appliances support ASAs in multi-context mode, see the "Multiple Context Mode" chapter in the CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide for whatever ASA software version you are running. 

For an ASA running as a single context firewall and for the admin context of a multiple-context firewall, many different port numbers could be used for ASDM and CDO access. However, for security contexts, the ASDM and CDO access port is fixed to port 443. This is a limitation of ASA.

Onboarding ASA Security and Admin Contexts

The method of onboarding a security context or admin context is the same for onboarding any other ASA. See Onboard an ASA Device or Onboard ASAs in Bulk for onboarding instructions.

Upgrading Security Contexts

CDO treats each security and admin context of a multiple-context ASA as a separate ASA and each is onboarded separately. However, all security and admin contexts of a multiple-context ASA run the same version of ASA software installed on the appliance. 

To upgrade the versions of ASA and ASDM used by the ASA's security contexts, you onboard the the admin context and perform the upgrade on that context.  See Upgrade ASA and ASDM Images on a Single ASA or Bulk ASA and ASDM Upgrade for more information. 

  • Was this article helpful?