Multiple Contexts in ASA | Virtual Firewalls (CCIE Notes)


Note: This post was created when 9.x was probably not released for production use (or I wasn't aware of it at that time), so it's based on the 8.4 version. From 9.x onward, ASA supports dynamic routing protocols, VPNs and probably some other features too. You can check this info on Cisco's website. I will update this post later with the latest info.

What IS NOT supported in multiple mode?

  • Dynamic routing protocols
  • VPNs
  • Multicast routing
  • Threat detection
  • Phone proxy
  • QoS
  • Unified Communications
  • ASA 5505
  • Active/Standby failover

What IS supported in multiple mode?

  • Routed and transparent mode
  • Static routing only
  • Active-Active failover only
  • IPv6

What happens when multiple mode is enabled?

  • ASA converts the running-config into two files:
    – startup-config, which holds the system configuration
    – admin.cfg, which is used for the admin context (root dir of internal flash)
  • The original config of the single context is saved as old_running.cfg (root dir of internal flash). The original startup-config of the single context is not saved.
  • An admin context is automatically added to the system configuration with the name "admin".
  • Context mode is not stored in the configuration file.

ASA1-FW(config)# mode multiple

Steps for configuring multiple mode and contexts;

  1. Enable multiple context mode (be aware of what happens when it is enabled!)
  2. Bring up (no shutdown) the physical interfaces to be used under the contexts
  3. Configure the security context
  4. Allocate interfaces to the context
  5. Specify the location of the config file for the context in the internal flash
  6. (Optional) Automatically assign MAC addresses to the context interfaces
  7. Configure classes and reference them under the context config to manage the resources of each security context

context customer1
 member customer1-resources
 allocate-interface Ethernet0/0 outside 
 allocate-interface Ethernet0/1 inside 
 allocate-interface Ethernet0/2 dmz 
 config-url disk0:/.private/customer1.cfg

changeto customer1
write memory

ASA1-FW# show context detail customer1
Context "customer1", has been created
 Config URL: disk0:/.private/customer1.cfg
 Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2
 Mapped Interfaces: dmz, inside, outside
 Real IPS Sensors: 
 Mapped IPS Sensors: 
 Class: customer1-resources, Flags: 0x00000811, ID: 2
ASA1-FW# 
ASA1-FW# changeto context customer1
ASA1-FW/customer1#
ASA1-FW/customer1# show context detail 
Context "customer1", has been created
 Config URL: disk0:/.private/customer1.cfg
 Interfaces: dmz, inside, outside
 IPS Sensors: 
 Class: customer1-resources, Flags: 0x00000811, ID: 2
ASA1-FW/customer1# 
ASA1-FW/customer1# show interface 
Interface outside "outside", is up, line protocol is up
 MAC address 00ab.cd92.5200, MTU 1500
 IP address 10.1.1.10, subnet mask 255.255.255.0
 Traffic Statistics for "outside":
 71 packets input, 19694 bytes
 7 packets output, 556 bytes
 61 packets dropped
Interface inside "inside", is up, line protocol is up
 MAC address 00ab.cd92.5201, MTU 1500
 IP address 10.2.2.10, subnet mask 255.255.255.0
 Traffic Statistics for "inside":
 67 packets input, 19582 bytes
 7 packets output, 556 bytes
 61 packets dropped
Interface dmz "dmz", is up, line protocol is up
 MAC address 00ab.cd92.5202, MTU 1500
 IP address 10.3.3.10, subnet mask 255.255.255.0
 Traffic Statistics for "dmz":
 67 packets input, 20070 bytes
 7 packets output, 556 bytes
 61 packets dropped

Note: 

  1. After creating the context, change to the context you created and do a write memory so that the newly created base config of the context is written to the file you specified with the config-url command.
  2. When allocating interfaces, the default option is invisible, so once you're inside a user-defined context you can't see which physical interfaces are mapped to it. Appending the visible option to the allocate-interface command lets you see the mapped physical interfaces from within the user-defined context.

Security context general guidelines;

  • Configuration is done in the system execution space
  • Make sure an admin context is present to manage the firewall. If not, create one using the admin-context command.
  • Context name is case-sensitive
  • System and Null are reserved names and cannot be used.

System context and Admin context guidelines;

  • The system context is only used for configuring the security contexts in multiple mode.
  • No network configuration or setting is done in this context. It exists only to configure and set up the other contexts and their parameters.
    Note: Make sure the interfaces are not shut down under the system context.
  • The admin context is used for administrative tasks such as accessing the firewall, copying images or configs from a TFTP server, etc.
  • This is the context from which you manage the firewall itself.
  • Any context can be marked as an admin context with the command admin-context CONTEXT_NAME. The admins logging onto that context can then administer other contexts including the system context.
  • Admin context is created automatically when the ASA is converted to multiple mode.

User defined contexts guidelines;

THREE important steps to configure a context:

  1. Allocate interfaces.
    – Visible: the admin of that context CAN see the physical interfaces that are
    assigned to the context.
    – Invisible: the admin of that context CANNOT see the physical interfaces that are
    assigned to the context, only the mapped names.
  2. Specify the location of the configuration file in flash.
    – If the config file is not present the ASA WON'T create a new file, so save the config first and
    then specify the location of the saved config file.
    – If there is already a file present with the name that you specified, ASA will use that file as
    the configuration for that context.
  3. (Optional) You can specify a resource class under the context configuration. This limits
    the resources used by that context to the values specified under that class.

Classes for resource management;

  • Classes provide a way of managing how much processing and hardware resource each security context may use, so that a single context cannot overwhelm the firewall and starve the other contexts of the resources they need to perform their function.
  • Configuration is done in the system execution space (system config)
  • show resource types shows the types and limits of resources that can be classified.
  • In the default class, the resource limit is set to unlimited.

User-defined class;

class customer1-resources
 limit-resource ASDM 2
 limit-resource Conns 10000
 limit-resource SSH 2
 limit-resource Telnet 2
 limit-resource Xlates 500

Default class;

class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5

Verification;

ASA1-FW# show class customer1-resources
Class Name           Members    ID    Flags
customer1-resources      1       3     0000

Resource types;

ASA1-FW# show resource types 
Rate limited resource types:
 Conns Connections/sec
 Inspects Inspects/sec
 Syslogs Syslogs/sec

Absolute limit types:
 Conns Connections
 Hosts Hosts
 ASDM ASDM Connections
 SSH SSH Sessions
 Telnet Telnet Sessions
 Xlates XLATE Objects
 All All Resources

Shared interfaces

If a physical interface or subinterface is shared by multiple contexts, several IP addresses (one per context) sit behind the single MAC address of that physical/sub-interface.

This creates a problem: the ASA cannot tell from the MAC address alone which context the ingress/egress traffic on that interface belongs to, so it needs another way to classify the traffic and send it to the appropriate context.

Three methods to make it work;

  • Unique interfaces – In transparent mode, unique interfaces for each context are REQUIRED (interfaces cannot be shared).
  • Unique MAC addresses – By default, when multiple contexts share an interface, the mapped interface in each of those contexts uses the same physical/sub-interface MAC address, so the MAC address cannot be used to classify the traffic. You can assign a different MAC address to the mapped interface in each context, either manually while configuring the interface within the user-defined context, or automatically with the mac-address auto command from the system execution space.

    – Auto MAC address assignment (under system configuration);
ASA1-FW# conf t
ASA1-FW(config)# mac-address auto

Note: This assigns MAC addresses to all mapped interfaces, even those that are not shared between multiple contexts.

    – Manual MAC address configuration (under user-defined context);
ASA1-FW(config)# changeto context customer1
ASA1-FW/customer1(config)# interface outside
ASA1-FW/customer1(config-if)# mac-address aaaa.bbbb.cccc standby 1111.2222.3333
ASA1-FW/customer1(config-if)# changeto context customer2
ASA1-FW/customer2(config)# interface outside
ASA1-FW/customer2(config-if)# mac-address dddd.eeee.ffff standby 4444.5555.6666
  • NAT configuration – If unique MAC addresses are not configured, the ASA classifies the packet by looking up its destination IP address. The destination IP address must match either a static command or a global command in one of the contexts. For a global command, only the global statement needs to match; the corresponding nat statement is not consulted.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

OR

static (inside,outside) 10.1.102.0 10.1.104.0 netmask 255.255.255.0
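To check a system-execution-space config against the guidelines in this post (an admin context defined, no reserved context names, a config-url on every context, and physical interfaces shared between contexts while mac-address auto is absent, which forces the classifier to rely on NAT lookups), here is a small audit script. It is an added example written for these notes, not Cisco code; the sample config it parses is constructed, and the line patterns it matches assume the config syntax shown above.

```python
import re
from collections import defaultdict

# Constructed sample system config: Ethernet0/0 is allocated to two contexts,
# mac-address auto is absent, and customer2 has no config-url.
SAMPLE_CONFIG = """\
admin-context admin
context admin
 config-url disk0:/admin.cfg
context customer1
 allocate-interface Ethernet0/0 outside
 allocate-interface Ethernet0/1 inside
 config-url disk0:/.private/customer1.cfg
context customer2
 allocate-interface Ethernet0/0 outside
 allocate-interface Ethernet0/2 inside
"""

def parse_contexts(config):
    # Returns ({context: {'interfaces': [...], 'config_url': ...}}, global settings)
    contexts, current = {}, None
    settings = {'mac_auto': False, 'admin_context': None}
    for line in config.splitlines():
        if m := re.match(r'context (\S+)', line):          # start of a context block
            current = m.group(1)
            contexts[current] = {'interfaces': [], 'config_url': None}
        elif m := re.match(r'admin-context (\S+)', line):  # which context is admin
            settings['admin_context'] = m.group(1)
        elif line.startswith('mac-address auto'):          # system-wide unique MACs
            settings['mac_auto'] = True
        elif current and (m := re.match(r'\s+allocate-interface (\S+)', line)):
            contexts[current]['interfaces'].append(m.group(1))  # physical interface
        elif current and (m := re.match(r'\s+config-url (\S+)', line)):
            contexts[current]['config_url'] = m.group(1)
    return contexts, settings

def audit(config):
    # Returns a list of findings; an empty list means every check passed
    contexts, settings = parse_contexts(config)
    findings = []
    if settings['admin_context'] not in contexts:
        findings.append('no admin context defined (use admin-context)')
    users = defaultdict(list)  # physical interface -> contexts it is allocated to
    for name, ctx in contexts.items():
        if name.lower() in ('system', 'null'):  # reserved names, checked case-insensitively
            findings.append(f'{name}: reserved context name')
        if ctx['config_url'] is None:
            findings.append(f'{name}: missing config-url')
        for intf in ctx['interfaces']:
            users[intf].append(name)
    for intf, names in sorted(users.items()):
        if len(names) > 1 and not settings['mac_auto']:
            findings.append(f'{intf}: shared by {names} without mac-address auto (NAT classification)')
    return findings
```

Running audit(SAMPLE_CONFIG) reports the missing config-url on customer2 and the shared Ethernet0/0; adding a mac-address auto line to the sample clears the interface finding.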

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie
