Step 1. Configure the HA

Step 2. Change the firewall mode

Step 3. Create admin context

Step 4. Create channel groups

Step 5. Create a context firewall

Step 6. Configure the context firewall



Step 1. Configure the HA

failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover replication http
failover link failover GigabitEthernet0/7   ! we use g0/7 as the HA interface
failover interface ip failover standby

Step 2. Change the firewall mode


mode multiple

- This requires a reboot

- An admin context is created automatically after the reboot

Step 3. Create admin context

context admin
allocate-interface Management0/0


Step 4. Create channel groups

changeto system

int gig0/0

channel-group 1 mode active

int gig0/1

channel-group 1 mode active

Step 5. Create context firewalls (in this case, I create two sub-interfaces off Port-channel 1 and assign them to a single context firewall)

changeto system

interface Port-channel1.720
vlan 720

interface Port-channel1.726
vlan 726

context ABC001-vFW
description ABC001-vFW

allocate-interface Port-channel1.720
allocate-interface Port-channel1.726

Step 6. Configure the context firewall

changeto context ABC001-vFW

enable password XXXXXXXX level 15

username admin password XXXXXXXX privilege 15

int Port-channel1.720

ip address standby

nameif outside

security-level 0

interface Port-channel1.726

ip address standby

nameif dmz

security-level 50

route outside 1   ! Default route

ssh outside   ! Allow ssh access
ssh outside

crypto key generate rsa   ! Generates the RSA key pair used by ssh

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

ssh timeout 60

http server enable   ! Allow http access
http server idle-timeout 30
http outside
http outside

logging enable   ! Enable logging
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor errors
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging host outside   ! syslog server
logging permit-hostdown

access-list outside_access_in extended permit udp host host eq domain   ! ACL
access-group outside_access_in in interface outside   ! Access-group
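As an added example (not part of the original post), a small Python audit that reads the context configuration produced in Step 6 and flags the management-plane settings a reviewer checks before the context goes live: ssh/http lines scoped to any source, ssh without LOCAL AAA, logging disabled, and inbound ACL entries that permit ip any any. The sample configuration embedded below is constructed with documentation-range placeholder addresses.

```python
import re

# Constructed sample context config with placeholder (documentation-range) addresses;
# it is not the configuration from the original post.
SAMPLE_CONFIG = """\
changeto context ABC001-vFW
interface Port-channel1.720
 nameif outside
 security-level 0
ssh 0.0.0.0 0.0.0.0 outside
http 203.0.113.10 255.255.255.255 outside
aaa authentication http console LOCAL
logging enable
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit udp host 198.51.100.5 host 203.0.113.53 eq domain
access-group outside_access_in in interface outside
"""

# A source scoped as "0.0.0.0 0.0.0.0" (or "any"/"any4") admits every address.
ANY_SOURCE = re.compile(r"(^|\s)(0\.0\.0\.0 0\.0\.0\.0|any4?)(\s|$)")


def audit_context(config: str) -> list[str]:
    """Flag weak management-plane and ACL settings in one ASA context config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []
    for line in lines:
        parts = line.split()
        # Management access is "ssh|http <ip> <mask> <nameif>"; flag a wildcard source.
        if parts[0] in ("ssh", "http") and len(parts) == 4 and ANY_SOURCE.search(line):
            findings.append(f"{parts[0]} management access open to any source on {parts[3]}")
        # Flag ACL entries of the form "permit ip any any" (everything allowed in).
        if parts[0] == "access-list" and "permit" in parts:
            proto = parts[parts.index("permit") + 1]
            endpoints = parts[parts.index("permit") + 2:]
            if proto == "ip" and endpoints and all(t.startswith("any") for t in endpoints):
                findings.append(f"access-list {parts[1]} permits ip any any")
    # Context-wide checks: ssh must authenticate against LOCAL, and logging must be on.
    has_ssh = any(ln.startswith("ssh ") and len(ln.split()) == 4 for ln in lines)
    if has_ssh and "aaa authentication ssh console LOCAL" not in lines:
        findings.append("ssh access configured without 'aaa authentication ssh console LOCAL'")
    if "logging enable" not in lines:
        findings.append("logging is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_context(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show running-config` taken inside the context (after `changeto context`), since the system context holds no ssh, http or ACL lines.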