Multiple Context Modes

A Security Appliance can support either single or multiple context mode. In a single-mode
configuration, the Security Appliance does not separate the firewall options from the system
resources. When the multiple-context mode is enabled, the Security Appliance creates a new
configuration scheme. The Security Appliance separates the context options from the current
start-up configuration and places these configurations in an administrative context called the
admin context. The remaining system configurations are stored in the start-up configuration
file. The administration configuration uses the admin.cfg file. The original running
configuration is saved as old_running.cfg on the local Flash disk when the security context
mode is changed. If the running configuration differs from the start-up configuration, the
start-up configuration should also be saved manually. If you are copying a configuration
from a Security Appliance in multiple-context mode to a device configured for single-context
mode, the context mode must be manually changed, or scripted with the [noconfirm] switch.
This is needed because the security context mode is not saved in the configuration file. All
mode changes must be made from the command-line interface (CLI) and cannot be done
through the Cisco Adaptive Security Device Manager (ASDM). To enable the multiple-context
mode, use the mode command:
mode {single | multiple} [noconfirm]
With the noconfirm keyword, the mode of the Security Appliance can be changed
without confirmation. This can be done when managing the appliance with scripts
through the CLI, but it will cause the Security Appliance to reboot without a warning.
If the security administrator chooses to return the Security Appliance to single mode, the
Security Appliance will inherit most of the necessary configuration options from the multiple
contexts to create a nonfunctioning configuration for a single-mode firewall. It is
recommended that a full start-up configuration be applied to the Security Appliance before
converting to single mode. After the Security Appliance resets to single-context mode, all the
interfaces will be offline. To enable the interfaces, as well as to copy any additional
configuration settings back onto the Security Appliance, access to the CLI will be required.
A security administrator can verify the security-context mode that the Security Appliance has
enabled by using the show mode command in EXEC mode. Example 9-1 shows sample
output from the show mode command.
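
The following pre-flight check is an added illustration, not the book's Example 9-1 and not Cisco code. Because the context mode is not saved in the configuration file, it infers the mode a saved configuration expects from its context definitions, compares that with captured show mode output, and only emits a noconfirm mode change when the reboot has been approved. The function names, the assumed "Security context mode:" output line, and the sample inputs are constructed for this sketch.

```python
import re

# Lines that appear only in a multiple-mode system configuration.
MULTI_MARKERS = re.compile(r"^(admin-context\s+\S+|context\s+\S+)\s*$", re.M)
# Assumed shape of the line printed by "show mode".
MODE_LINE = re.compile(r"^Security context mode:\s*(single|multiple)\s*$", re.M | re.I)


class RebootNotApproved(RuntimeError):
    """Raised when a mode change is needed but the reboot was not approved."""


def mode_required_by(config_text):
    """Infer the mode a saved configuration expects (the file never states it)."""
    return "multiple" if MULTI_MARKERS.search(config_text) else "single"


def current_mode(show_mode_output):
    """Extract the running mode from captured 'show mode' output."""
    m = MODE_LINE.search(show_mode_output)
    if not m:
        raise ValueError("context mode not found in 'show mode' output")
    return m.group(1).lower()


def plan_mode_change(show_mode_output, config_text, reboot_approved=False):
    """Return the CLI command to run before loading config_text, or None."""
    have, want = current_mode(show_mode_output), mode_required_by(config_text)
    if have == want:
        return None
    if not reboot_approved:
        # noconfirm reboots the appliance without warning, so a script must
        # carry an explicit approval (for example a change-window flag).
        raise RebootNotApproved(f"mode {have} -> {want} reboots the appliance")
    return f"mode {want} noconfirm"


# Constructed sample inputs.
SHOW_MODE_SINGLE = "asa# show mode\nSecurity context mode: single\n"
MULTI_CONFIG = "hostname asa\nadmin-context admin\ncontext admin\n  config-url disk0:/admin.cfg\n"
SINGLE_CONFIG = "hostname asa\ninterface GigabitEthernet0/0\n nameif outside\n"

if __name__ == "__main__":
    print(plan_mode_change(SHOW_MODE_SINGLE, MULTI_CONFIG, reboot_approved=True))
```
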