Cisco ASA Series Cli Configuration Manual page 228

Software version 9.0 for the services module

Information About Security Contexts
example, you log in to the admin context with the username "admin." The admin context does not have
any command authorization configuration, but all other contexts include command authorization. For
convenience, each context configuration includes a user "admin" with maximum privileges. When you
change from the admin context to context A, your username is altered to enable_15, so you must log in
again as "admin" by entering the login command. When you change to context B, you must again enter
the login command to log in as "admin."
The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.
Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can
only access the configuration for that context. You can provide individual logins to the context. See
Chapter 1, "Configuring Management Access," to enable Telnet, SSH, and ASDM access and to
configure management authentication.
Information About Resource Management
By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced; the only exception is VPN resources, which are disabled by
default. If you find that one or more contexts use too many resources, and they cause other contexts to
be denied connections, for example, then you can configure resource management to limit the use of
resources per context. For VPN resources, you must configure resource management to allow any VPN
tunnels.
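This section includes the following topics:
Resource Classes, page 1-8
Resource Limits, page 1-8
Default Class, page 1-9
Using Oversubscribed Resources, page 1-10
Using Unlimited Resources, page 1-11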
Resource Classes
The ASA manages resources by assigning contexts to resource classes. Each context uses the resource
limits set by the class. To use the settings of a class, assign the context to the class when you define the
context. All contexts belong to the default class if they are not assigned to another class; you do not have
to actively assign a context to default. You can only assign a context to one resource class. The exception
to this rule is that limits that are undefined in the member class are inherited from the default class; so
in effect, a context could be a member of default plus another class.
Resource Limits
You can set the limit for individual resources as a percentage (if there is a hard system limit) or as an
absolute value.
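The following system execution space configuration is an added example, not taken from the Cisco guide; the class name gold, the context name customerA, and every limit value are assumptions. It sets one percentage limit and several absolute limits in a class, allows VPN tunnels for member contexts, and leaves one limit undefined so that it is inherited from the default class.

```cisco
! Entered in the system execution space of an ASA in multiple context mode.
! Names and values below are illustrative assumptions.
!
! Resource class "gold": upper bounds for each member context.
class gold
  ! Percentage limit (connections have a hard system limit).
  limit-resource conns 15%
  ! Absolute limits.
  limit-resource rate conns 1000
  limit-resource hosts 9000
  limit-resource ssh 5
  ! VPN resources are disabled by default; a limit must be set to allow tunnels.
  limit-resource vpn other 10
  ! No xlates limit is set here, so member contexts inherit it from class default.
!
! Assign an already defined context to the class (one class per context).
context customerA
  member gold
!
! A context without a "member" line remains in class default.
!
! Check what was allocated and what each context is consuming.
show resource allocation
show resource usage context customerA
```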
For most resources, the ASA does not set aside a portion of the resources for each context assigned to
the class; rather, the ASA sets the maximum limit for a context. If you oversubscribe resources, or allow
some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service
Cisco ASA Series CLI Configuration Guide
Chapter 1
Configuring Multiple Context Mode
