Note: This post was written when 9.x was probably not yet released for production use (or I wasn't aware of it at the time), so it is based on version 8.4. From 9.x onwards, the ASA supports dynamic routing protocols, VPNs and probably some other features in multiple context mode too. You can check this on Cisco's website. I will update this post later with the latest info.
What IS NOT supported in multiple mode?
- Dynamic routing protocols
- Multicast routing
- Threat detection
- Phone proxy
- Unified Communications
- ASA 5505
- Active/Standby failover
What IS supported in multiple mode?
- Routed and transparent mode
- Static routing only
- Active-Active failover only
What happens when multiple mode is enabled?
- ASA converts the running-config into two files:
– Startup-config file for the system configuration
– admin.cfg, which is used for the admin context (root dir of internal flash)
- Original config of the single context is saved as old_running.cfg (root dir of internal flash). The original startup-config of the single context is not saved.
- Admin context is automatically added to the system configuration with the name “admin”
- Context mode is not stored in the configuration file.
Steps for configuring multiple mode and contexts;
- Enable multiple context mode (be aware of what happens when it is enabled!)
  ASA1-FW(config)# mode multiple
- Bring up (no shutdown) the physical interfaces that will be used by the contexts
- Configure security context
- Allocate interfaces to context
- Specify the location of the config file for the context in the internal flash
- (Optional) Automatically assign MAC addresses to context interface
- Configure classes and reference them under the context config to manage the resources of each security context
  context customer1
   member customer1-resources
   allocate-interface Ethernet0/0 outside
   allocate-interface Ethernet0/1 inside
   allocate-interface Ethernet0/2 dmz
   config-url disk0:/.private/customer1.cfg
  changeto context customer1
  write memory

  ASA1-FW# show context detail customer1
  Context "customer1", has been created
    Config URL: disk0:/.private/customer1.cfg
    Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2
    Mapped Interfaces: dmz, inside, outside
    Real IPS Sensors:
    Mapped IPS Sensors:
    Class: customer1-resources, Flags: 0x00000811, ID: 2
  ASA1-FW#
  ASA1-FW# changeto context customer1
  ASA1-FW/customer1#
  ASA1-FW/customer1# show context detail
  Context "customer1", has been created
    Config URL: disk0:/.private/customer1.cfg
    Interfaces: dmz, inside, outside
    IPS Sensors:
    Class: customer1-resources, Flags: 0x00000811, ID: 2
  ASA1-FW/customer1#
  ASA1-FW/customer1# show interface
  Interface outside "outside", is up, line protocol is up
    MAC address 00ab.cd92.5200, MTU 1500
    IP address 10.1.1.10, subnet mask 255.255.255.0
    Traffic Statistics for "outside":
      71 packets input, 19694 bytes
      7 packets output, 556 bytes
      61 packets dropped
  Interface inside "inside", is up, line protocol is up
    MAC address 00ab.cd92.5201, MTU 1500
    IP address 10.2.2.10, subnet mask 255.255.255.0
    Traffic Statistics for "inside":
      67 packets input, 19582 bytes
      7 packets output, 556 bytes
      61 packets dropped
  Interface dmz "dmz", is up, line protocol is up
    MAC address 00ab.cd92.5202, MTU 1500
    IP address 10.3.3.10, subnet mask 255.255.255.0
    Traffic Statistics for "dmz":
      67 packets input, 20070 bytes
      7 packets output, 556 bytes
      61 packets dropped
- After creating the context, log in to the context that you created and do a write memory so that the newly created base config of the context is written to that file you specified under the config-url command.
- While allocating interfaces, the default option is invisible. So once you’re inside a user-defined context, you won’t be able to view the physical interfaces mapped to a context. Appending the visible option to the allocate-interface command will show you the physical interfaces mapped in a user-defined context while you’re in the user-defined context.
Security context general guidelines;
- Configuration is done in the system execution space
- Make sure an admin context is present to manage the firewall. If not, create one using the admin-context command.
- Context name is case-sensitive
- System and Null are reserved names and cannot be used.
System context and Admin context guidelines;
- System context is only used for configuring multiple security contexts in a multiple mode.
- No network configuration or setting is done under this mode. It is only a context for configuring and setting up other contexts and their parameters.
Note: Make sure the interfaces are not shut down under the system context.
- Admin context is used for the administration stuff like accessing the firewall, copying images or config from a tftp-server, etc.
- This is the context with which you will manage the firewall itself.
- Any context can be marked as an admin context with the command admin-context CONTEXT_NAME. The admins logging onto that context can then administer other contexts including the system context.
- Admin context is created automatically when the ASA is converted to multiple mode.
User defined contexts guidelines;
THREE important steps to configure a context:
- Allocate interfaces.
– Visible: the admin of the particular context CAN see the physical interfaces that are assigned to his context.
– Invisible: the admin of the particular context CANNOT see the physical interfaces that are assigned to his context. He can see only the mapped name.
- Specify the location of the configuration file in flash.
– If the config file is not present the ASA WON'T create a new file, so save the config first and then specify the location of the saved config file.
– If there is already a file present with the name that you specified, the ASA will use that file as the configuration for that context.
- (Optional) You can specify a resource class under the context configuration. This will limit the resources used by that context to the values specified under that class.
Classes for resource management;
- Classes provide a way of managing how much processing and hardware resources are utilized by each security context so that a single context does not overwhelm the firewall leaving the other contexts without any resources left to perform their function.
- Configuration is done in the system execution space (system config)
- show resource types shows the types and limits of resources that can be classified.
- In the default class, the resource limit is set to unlimited.
  class customer1-resources
   limit-resource ASDM 2
   limit-resource Conns 10000
   limit-resource SSH 2
   limit-resource Telnet 2
   limit-resource Xlates 500

  class default
   limit-resource All 0
   limit-resource ASDM 5
   limit-resource SSH 5
   limit-resource Telnet 5

  ASA1-FW# show class customer1-resources
  Class Name                 Members  ID  Flags
  customer1-resources              1   3  0000

  ASA1-FW# show resource types
  Rate limited resource types:
    Conns      Connections/sec
    Inspects   Inspects/sec
    Syslogs    Syslogs/sec

  Absolute limit types:
    Conns      Connections
    Hosts      Hosts
    ASDM       ASDM Connections
    SSH        SSH Sessions
    Telnet     Telnet Sessions
    Xlates     XLATE Objects
    All        All Resources
If a physical/sub-interface is used in multiple contexts, that means there are multiple IP addresses assigned using the same MAC address belonging to that physical/sub-interface.
This creates a problem as the ASA does not know how to classify ingress/egress traffic on that interface and send it to an appropriate context.
Three methods to make it work;
- Unique interfaces – Each context gets its own physical/sub-interface. In transparent mode, unique interfaces per context are REQUIRED.
- Unique MAC addresses – If multiple contexts share an interface, the same physical/sub-interface MAC address is used for each of the mapped interfaces built on that interface in the different contexts, so the MAC address alone cannot classify the traffic. You can assign a different MAC address to the mapped interface in each context. The MAC address can be set manually while configuring the interfaces within the user-defined context, or by automatically generating MAC addresses with the mac-address auto command from the system execution space.
- Auto MAC address assignment (under system configuration);
  ASA1-FW# conf t
  ASA1-FW(config)# mac-address auto
Note: This assigns MAC addresses to all the mapped interfaces, even those that are not shared between multiple contexts.
- Manual MAC address configuration (under user-defined context);
  ASA1-FW(config)# changeto context customer1
  ASA1-FW/customer1(config)# interface outside
  ASA1-FW/customer1(config-if)# mac-address aaaa.bbbb.cccc standby 1111.2222.3333
  ASA1-FW/customer1(config-if)# changeto context customer2
  ASA1-FW/customer2(config)# interface outside
  ASA1-FW/customer2(config-if)# mac-address dddd.eeee.ffff standby 4444.5555.6666
- NAT Configuration – If unique MAC addresses are not configured, a destination IP address lookup is performed. The destination IP address is either matched to a Static NAT command or a Global NAT command. In case of a global command, matching the nat statement isn’t required, it only matches the global statement.
  nat (inside) 1 0.0.0.0 0.0.0.0
  global (outside) 1 interface

OR

  static (inside,outside) 10.1.102.0 10.1.104.0 netmask 255.255.255.0
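As an added illustration (not part of the original post and not Cisco's code), the Python model below walks through the classification order described above: unique interface first, then unique MAC address, then a destination IP lookup against static/global NAT. The contexts, MAC addresses and NAT networks are constructed sample values; audit_shared_interfaces flags the misconfiguration the post warns about, a shared interface whose contexts reuse one MAC and cannot all fall back on NAT.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Context:
    name: str
    interfaces: dict            # mapped name -> (physical interface, MAC on it)
    nat_destinations: list = field(default_factory=list)  # mapped/global networks

def _owners(contexts, physical):
    """Contexts that have `physical` allocated to one of their mapped interfaces."""
    return [c for c in contexts if any(p == physical for p, _ in c.interfaces.values())]

def classify(contexts, physical, dst_mac, dst_ip):
    """Context a packet arriving on `physical` belongs to, or None if it is dropped.
    Order modelled from the post: unique interface, unique MAC, NAT destination."""
    cands = _owners(contexts, physical)
    if len(cands) == 1:                       # interface used by one context only
        return cands[0].name
    by_mac = [c for c in cands if any(p == physical and m.lower() == dst_mac.lower()
                                      for p, m in c.interfaces.values())]
    if len(by_mac) == 1:                      # unique MAC identifies the context
        return by_mac[0].name
    addr = ip_address(dst_ip)                 # otherwise match static/global NAT
    by_nat = [c for c in cands
              if any(addr in ip_network(n) for n in c.nat_destinations)]
    return by_nat[0].name if len(by_nat) == 1 else None

def audit_shared_interfaces(contexts):
    """Shared physical interfaces whose contexts reuse one MAC while at least one
    of them has no NAT to classify on: ingress traffic there cannot be classified."""
    problems = []
    for phys in sorted({p for c in contexts for p, _ in c.interfaces.values()}):
        cands = _owners(contexts, phys)
        macs = {m.lower() for c in cands for p, m in c.interfaces.values() if p == phys}
        if (len(cands) > 1 and len(macs) < len(cands)
                and any(not c.nat_destinations for c in cands)):
            problems.append(phys)
    return problems

# Constructed sample: both customers share Ethernet0/0 with its burned-in MAC;
# only customer1 has a static NAT (mapped network 10.1.102.0/24) to classify on.
SAMPLE = [
    Context("customer1", {"outside": ("Ethernet0/0", "00ab.cd92.5200"),
                          "inside": ("Ethernet0/1", "00ab.cd92.5201")}, ["10.1.102.0/24"]),
    Context("customer2", {"outside": ("Ethernet0/0", "00ab.cd92.5200"),
                          "inside": ("Ethernet0/3", "00ab.cd92.5203")}),
]
```

Assigning customer2 its own MAC on outside (as in the manual mac-address example above) makes audit_shared_interfaces return an empty list and lets classify resolve traffic for customer2 without any NAT statement.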