Managing Contexts
Multicontext mode allows virtual firewalls to exist within a single ASA firewall or a pair of them. A failover pair of ASAs will support multicontext mode as well, with active/active failover also being possible. Active/active failover is covered in Failover. Figure 28-3 shows a logical representation of multiple contexts residing within a single physical firewall.
Figure 28-3. Multiple contexts within a physical ASA
Each context behaves as if it were a single standalone device, though there are ways that interfaces can be shared between contexts. Each context may have its own IP scheme, and networks can be replicated in multiple contexts without issue.
Most of the normal ASA features are available within each context, but there are some important features that are not. Though the ASA appliance is capable of many functions such as VPN, IDS, and the like, most of these additional features are disabled in multicontext mode. It bears repeating that multicontext mode disables the following features:
Support for OSPF, RIP, and EIGRP
VPN
Multicast routing; multicast bridging is supported
Threat detection
QoS
Phone proxy
That’s a pretty significant list! For many, the inability to support VPN alone may make contexts unusable. The disabled QoS and phone proxy features may also be serious negatives when you’re considering contexts. In a nutshell, if you need many firewalls with ...