Designing and Building Enterprise DMZs

The PIX/ASA has many additional features that enable it to provide high availability, application layer security, and PIX/ASA management and support.The PIX/ASA supports features such as DHCP and VPNs that are out of the scope of this book. In this section, we cover topics such as failover, content filtering, cut-through proxy, application layer security, and securing some of PIX/ASA s management features.
One of the most interesting new features of the PIX/ASA 7. x OS is the introduction of virtual firewalls, or security contexts. Security contexts provide a means for allowing a single piece of hardware to function logically as multiple virtual firewalls. When you set up a security context, each context has its own security policies, interfaces, and supported features.This means that not all PIX firewall features are supported in security contexts. Some that are not supported when you have multiple security contexts include:
Dynamic routing protocols
VPN
Multicast
When you start the PIX in single-context mode and convert to multiple-context mode, a new file called admin.cfg is created on the built-in Flash.This is the default administrator security context.You can store multiple security contexts on the same Flash, or you can have the PIX download them from the network using TFTP, FTP, or HTTP(s).
| Note | When you convert from single security context mode to multiple security context mode, the original startup configuration is not saved, so always make a backup when you work with security contexts. The... |