PIX firewall security context configuration Manual (Virtual firewall technology)

Source: Internet
Author: User

R1, R2 and R3 each set an IP address and a default route pointing to their next hop.
SW enables the ports in use, creates the VLANs, and sets port F0/15 to trunk mode.

Enter the firewall's global configuration mode:
show flash: // view the configuration files in the firewall's flash. If any *.cfg file exists, delete it with del flash:/*.cfg.
show mode // view the current firewall mode. If it is single mode, use the command mode multiple to switch the firewall to multi-context mode.

Create the management (admin) context
Global:
admin-context admin // name the management context admin
context admin // create the admin context
config-url flash:/admin.cfg // set the location and file name of the admin context's configuration
exit
changeto context admin // switch from system configuration mode to the admin context
write // save the configuration; this generates admin.cfg
changeto system // return to system configuration mode

In system mode, enter the firewall's e1, e0.1 and e0.2 interfaces, enable them, and assign VLANs to the sub-interfaces (nameif cannot be configured in system mode):
int e0.1
vlan 2
int e0.2
vlan 4 // each sub-interface must be assigned to a VLAN; 802.1Q encapsulation is used by default.
(If a sub-interface is not assigned to a VLAN in system mode, the interface cannot be given a nameif in context mode.)

context c1 // create the first context, named c1
config-url flash:/c1.cfg // set the location and file name of the c1 context's configuration
allocate-interface e1 // allocate the e1 interface to context c1
allocate-interface e0.1 // allocate the e0.1 sub-interface to context c1

context c2 // create the second context, named c2
config-url flash:/c2.cfg // set the location and file name of the c2 context's configuration
allocate-interface e1 // allocate the e1 interface to context c2
allocate-interface e0.2 // allocate the e0.2 sub-interface to context c2

changeto context c1
write // save the configuration to c1.cfg
changeto context c2
write
changeto system

changeto context c1 // enter the c1 context
int e1
nameif outside
ip add 3.1.1.1 255.255.255.0
no sh
int e0.1
nameif inside
ip add 1.1.1.254 255.255.255.0
no sh
access-list out permit icmp any any // this ACL permits ICMP traffic so that the ping test below can succeed
access-group out in interface outside // apply the out ACL in the inbound direction on outside

changeto context c2
int e1
nameif outside
ip add 3.1.1.2 255.255.255.0
no sh
int e0.2
nameif inside
ip add 2.1.1.254 255.255.255.0
no sh
access-list out permit icmp any any
access-group out in interface outside

At this point the virtual firewalls are configured, but R1 still cannot ping R3.
The reason is that E1 currently has only one MAC address: when a layer-2 frame arrives on the firewall's E1 port, the firewall cannot tell which context the frame belongs to, so E1 must be given a different MAC address in context c1 and in context c2.
changeto context c1
int e1
mac-address 0001.0001.0001
exit
changeto context c2
int e1
mac-address 0002.0002.0002
exit
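As an added check (example code written for this page, not from the original article or from Cisco), the Python script below parses a system-mode configuration together with the per-context configurations and flags the two mistakes discussed above: a sub-interface allocated to a context without a VLAN, and a physical interface shared by several contexts whose contexts do not each carry a distinct mac-address. The configuration texts are constructed samples, and the parser assumes the plain "interface"/"context" blocks with one-space indentation shown in them.

```python
import re
from collections import defaultdict

# Constructed sample configs mirroring the page's layout, with two deliberate
# mistakes the page warns about: e0.2 has no vlan, and c2 sets no mac-address.
SYSTEM_CONFIG = """\
interface e0.1
 vlan 2
interface e0.2
context c1
 allocate-interface e1
 allocate-interface e0.1
context c2
 allocate-interface e1
 allocate-interface e0.2
"""
CONTEXT_CONFIGS = {"c1": "interface e1\n mac-address 0001.0001.0001\n",
                   "c2": "interface e1\n nameif outside\n"}

def parse_system(text):
    """Return ({sub-interface: vlan}, {context: [allocated interfaces]})."""
    vlans, alloc, cur_if, cur_ctx = {}, defaultdict(list), None, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "interface":
            cur_if, cur_ctx = tok[1], None
        elif tok[0] == "vlan" and cur_if:
            vlans[cur_if] = int(tok[1])
        elif tok[0] == "context":
            cur_ctx, cur_if = tok[1], None
        elif tok[0] == "allocate-interface" and cur_ctx:
            alloc[cur_ctx].append(tok[1])
    return vlans, alloc

def check(system_text, context_texts):
    """List the misconfigurations that would leave R1 unable to reach R3."""
    vlans, alloc = parse_system(system_text)
    problems, users = [], defaultdict(list)
    for ctx, ifaces in alloc.items():
        for i in ifaces:
            if "." in i and i not in vlans:  # nameif would fail in the context
                problems.append(f"{ctx}: sub-interface {i} has no vlan in system mode")
            users[i].append(ctx)
    for i, ctxs in users.items():  # a shared port needs a distinct MAC per context
        # mac-address inside the indented block that follows "interface <i>"
        pat = rf"^interface {re.escape(i)}\n(?: .*\n)*? mac-address (\S+)"
        hits = [re.search(pat, context_texts.get(c, ""), re.M) for c in ctxs]
        macs = [h.group(1) if h else None for h in hits]
        if len(ctxs) > 1 and (None in macs or len(set(macs)) != len(macs)):
            problems.append(f"shared interface {i} needs a distinct mac-address in each of {ctxs}")
    return problems
```

Running check(SYSTEM_CONFIG, CONTEXT_CONFIGS) on the samples reports both problems; after adding vlan 4 to e0.2 and mac-address 0002.0002.0002 to e1 in c2, as the article does, it reports none.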
