
Summary:

Step 1. Configure the HA

Step 2. Change the firewall mode

Step 3. Create admin context

Step 4. Create channel groups

Step 5. Create a context firewall

Step 6. Configure the context firewall

Details:

 

Step 1. Configure the HA

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover replication http
failover link failover GigabitEthernet0/7 -----------------------------------------------! GigabitEthernet0/7 is used as the HA (failover) link
failover interface ip failover 172.12.12.1 255.255.255.252 standby 172.12.12.2

Step 2. Change the firewall mode

 

mode multiple

- This requires a reboot

- An admin context is created automatically after the reboot

Step 3. Create admin context

context admin
allocate-interface Management0/0

 

Step 4. Create channel groups

changeto system

int gig0/0

channel-group 1 mode active

int gig0/1

channel-group 1 mode active

Step 5. Create context firewalls (in this case, I create two sub-interfaces off Port-channel1 and assign them to a single context firewall)

changeto system


interface Port-channel1.720
vlan 720

interface Port-channel1.726
vlan 726


context ABC001-vFW
description ABC001-vFW

allocate-interface Port-channel1.720
allocate-interface Port-channel1.726
config-url disk0:/ABC001-vFW.cfg ------------------------------------------------------! Assumed filename; a context needs a config-url before it can be used

Step 6. Configure the context firewall

changeto context ABC001-vFW

enable password XXXXXXXX level 15

username admin password XXXXXXXX privilege 15

int Port-channel1.720

ip address 24.41.49.242 255.255.255.248 standby 24.41.49.243

nameif outside

security-level 0

interface Port-channel1.726

ip address 27.153.192.18 255.255.255.240 standby 27.153.192.19

nameif dmz

security-level 50

route outside 0.0.0.0 0.0.0.0 24.41.49.246 1  -------------------------------------------! Default route (next hop must be on the outside subnet)

ssh 123.123.123.1 255.255.255.255 outside --------------------------------------------! Allow ssh access from these two hosts only (host masks)
ssh 123.123.123.2 255.255.255.255 outside
 

crypto key generate rsa  -------------------------------------------------------------------------! Generates RSA key for ssh

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

ssh timeout 60

http server enable ------------------------------------------------------------------------------------! Allow http (ASDM) access
http server idle-timeout 30
http 123.123.123.1 255.255.255.255 outside ------------------------------------------! Host masks; a wider mask would permit the whole subnet
http 123.123.123.2 255.255.255.255 outside
 

logging enable -----------------------------------------------------------------------------------------! Enable logging
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor errors
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging host outside 111.111.11.11 -------------------------------------------------------! Syslog server
logging permit-hostdown

access-list outside_access_in extended permit udp host 123.123.123.1 host 123.123.123.2 eq domain ---! ACL
access-group outside_access_in in interface outside -----------------------------------------------------------! Apply the ACL inbound on outside
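The context configuration above is typed by hand, and two mistakes it invites are a management-access line whose mask quietly opens a whole subnet (a host address with anything other than a 255.255.255.255 mask, or an invalid mask such as 255.255.1.0) and a default route whose next hop is not on the outside subnet. The script below is an added example, not part of the original post: it parses the interface, route and ssh/http lines of a saved context config and reports both problems. The function names and the sample config are my assumptions; the sample mirrors the Step 6 values with the mask and next-hop typos left in on purpose so the checks have something to find.

```python
"""Sanity checks for an ASA context config (added example, not the page's own).

Two classes of hand-typing mistakes are flagged:
  1. an ssh/http entry whose mask is invalid, or whose host address would be
     widened by the mask so the whole network is permitted instead of one host;
  2. a default route whose next hop is not on the subnet of the named interface.
"""
import ipaddress
import re

# Constructed sample mirroring Step 6 of the page, with the mask typo
# (255.255.1.0), the /24 masks on host entries and the 24.141.x next hop
# deliberately left in so the checks below report them.
SAMPLE_CONFIG = """\
interface Port-channel1.720
ip address 24.41.49.242 255.255.255.248 standby 24.41.49.243
nameif outside
security-level 0
interface Port-channel1.726
ip address 27.153.192.18 255.255.255.240 standby 27.153.192.19
nameif dmz
security-level 50
route outside 0.0.0.0 0.0.0.0 24.141.49.246 1
ssh 123.123.123.1 255.255.255.0 outside
ssh 123.123.123.2 255.255.255.0 outside
http server enable
http 123.123.123.1 255.255.1.0 outside
http 123.123.123.2 255.255.255.0 outside
"""

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDR_LINE = re.compile(rf"^ip address {IP_RE} {IP_RE}")
MGMT_LINE = re.compile(rf"^(ssh|http) {IP_RE} {IP_RE} (\S+)$")
ROUTE_LINE = re.compile(rf"^route (\S+) {IP_RE} {IP_RE} {IP_RE}")


def parse_interfaces(config):
    """Return [(nameif, ip_interface)] for every interface that has an address."""
    result = []
    pending = None  # address seen, waiting for the nameif line that follows it
    for line in config.splitlines():
        line = line.strip()
        m = ADDR_LINE.match(line)
        if m:
            pending = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        if line.startswith("nameif ") and pending is not None:
            result.append((line.split()[1], pending))
            pending = None
    return result


def check_mgmt_masks(config):
    """Flag ssh/http entries with an invalid mask or a host address widened by the mask."""
    findings = []
    for line in config.splitlines():
        m = MGMT_LINE.match(line.strip())
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:  # non-contiguous masks such as 255.255.1.0 land here
            findings.append(f"{proto} {addr} {mask} {iface}: invalid mask")
            continue
        if net.prefixlen != 32 and str(net.network_address) != addr:
            # The ASA applies the mask, so this entry permits the whole network.
            findings.append(f"{proto} {addr} {mask} {iface}: permits {net}, not a single host")
    return findings


def check_default_route(config, interfaces):
    """Flag a default route whose next hop is not on the named interface's subnet."""
    findings = []
    by_name = dict(interfaces)
    for line in config.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        iface, dest, _mask, nexthop = m.groups()
        if dest != "0.0.0.0":
            continue
        addr = by_name.get(iface)
        if addr is None:
            findings.append(f"route {iface}: interface has no address configured")
        elif ipaddress.ip_address(nexthop) not in addr.network:
            findings.append(f"route {iface}: next hop {nexthop} is not on {addr.network}")
    return findings


def audit(config):
    """Run every check and return the combined list of findings (empty when clean)."""
    interfaces = parse_interfaces(config)
    return check_mgmt_masks(config) + check_default_route(config, interfaces)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `show running-config` output saved from the context (after `changeto context ABC001-vFW`); an empty result from `audit()` means every management entry is a clean host or network and the default route's next hop sits on the outside subnet.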
