ASA Multiple Context

Date post: 17-Feb-2018
Upload: ratnesh-kumar

Transcript

7/23/2019 ASA Multiple Context

1/39

ASA Multiple Context

2/39

INTRODUCTION

3/39

Introduction

ASA firewall supports software virtualization, by means of so-called firewall contexts. Every context has its own set of routing, filtering/inspection and address translation rules.

All contexts must be in either routing or transparent firewall mode; you cannot mix modes in different contexts.

4/39

Introduction

Supported Features:
- Only static routing
- Firewall features
- IPS
- Management

Unsupported Features (for ASA pre-9 versions):
- VPN termination
- Dynamic Routing Protocol
- QoS

New features introduced in ASA 9:
- Site-to-Site VPN in multiple context mode
- New resource type for site-to-site tunnels
- Dynamic routing in Security Contexts
- New resource type for routing table entries
- Mixed firewall mode support in multiple context mode

5/39

Introduction

Where do we use Multiple context? In ISPs, where they sell security services to many customers, they implement a cost-effective, space-saving solution.

Large Enterprises who keep their departments completely separated.

Basically, we use multiple context whenever there is a network that re… 505 Series Adaptive Security Appliance.

6/39

CONTEXT TYPES

7/39

Context Types

- System Context
- Admin Context
- Normal Context

8/39

System Context

The System administrator adds and manages contexts by configuring, in the system configuration, each context's configuration location, allocated interfaces, and other context operational parameters.

The system configuration identifies basic settings for the security appliance. You cannot assign any IP addresses when you are under the system context, with the exception of the management interface.

You can upgrade or downgrade the IPS/ASA software only in the System EXEC mode, not in the other context modes.

9/39

Admin Context

The admin context is like any other context, except that when a user logs in to the admin context, that user will have system administrator rights, and can access the system and all other contexts.

Admin context configuration must reside on the Flash memory.

If you convert from a Single mode to the Multiple Context mode, the admin context is created automatically and the configuration file will be created on the flash memory.

This context could be combined with any regular user context or be dedicated.

Note: Admin context (when it is dedicated) is not counted in the context license. For example, if you get the license for two contexts, you are allowed to have the admin context and two other contexts.

10/39

Normal Context

Is the actual partitioned firewall.

Contexts can be accessed via Console, Telnet, SSH, and ASDM.

If you log in to a non-admin context, you can only access the configuration for that context.

11/39

CONFIGURATION

12/39

Configuration

Note: The ports on the switch that are connected to ASA must be in trunk mode since multiple VLAN traffic has to travel through it once the ASA interfaces are broken into sub-interfaces.

13/39

Configuration

In order to turn the firewall to the multiple contexts mode, you should enter the command mode multiple when logged in via the console port.

Note: You may do this remotely but you risk losing connection to the box.

This will force mode change to multiple and reload the appliance. If you connect to the appliance via the console port, you are logging into the system context after the reload.

14/39

Configuration

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
1. New startup configuration that comprises the system configuration.
2. admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).

The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory).

The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.”

15/39

Configuration Steps

You should do the following things while logged into the system context:

1) Configure physical interfaces. You need to unshutdown the interfaces that you want to allocate to the contexts. If you are creating subinterfaces using VLANs, you should do it under the system context as well.

16/39

Configuration Steps

2) Define the admin context.
   - This is a special context that allows logging in to the firewall remotely (via ssh, telnet or https).
   - This context should be configured first as the firewall won't let you create any other contexts prior to designating the admin context using the global command admin-context <NAME>.
   - As we have said, this context is automatically created when you convert from the single-context mode.

17/39

Configuration Steps

3) Define additional contexts if needed and allocate physical interfaces to the contexts. Use the command allocate-interface <Physical-Interface> [<Iface-Name>] under the context configuration mode for interface allocation. Here <Physical-Interface> is the physical interface or subinterface name and <Iface-Name> is the name that the context sees for this interface.

Using this command you can hide the real interface names from the context administrators (e.g. hide VLAN numbers), in order to provide an additional level of isolation from the physical configuration.

18/39

Configuration Steps

4) Change to the context configuration, and proceed as usual. Assign interface names, security levels and IP addresses. Set up static routes for subnets not directly connected to the context, even for the subnets connected to other contexts.

19/39

Configuration Notes

Every configured context should have a configuration URL defined using the command config-url <PATH> to store its configuration. Without this command, the context configuration is incomplete.

After the context has been defined, you may switch to the “in-context” configuration using the command changeto context <NAME>.

In order to access the system context remotely, you should log into the admin context using any configured remote access method and issue the command changeto system.

Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration can include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.

Use the command write memory all in the system context to save all contexts' configuration to persistent storage. You may also save the configuration for a context individually when logged in under the particular context using the command write memory.

20/39

Configuration Notes

Physical interfaces could be shared among contexts, i.e. you may assign the same interface to different contexts.

Interface sharing is the uni…

21/39

Configuration Notes

If there is a shared physical interface between the contexts, each context could generally have different IP and MAC addresses on this interface.

It is possible to share the IP address as well, though. If you want to assign the same IP address to the shared interfaces in multiple context mode you'll need to give the logical interfaces a separate MAC address.

You may use non-overlapping subnets or simply different IPs on the same subnet.

By default both contexts will inherit the same MAC address from the shared physical interface. This might result in the firewall not being able to classify the incoming traffic properly.

Use the command mac-address auto in the system context to automatically generate a MAC address for every new “virtual” interface.

22/39

Configuration

In order to enable multiple mode, enter this command:

hostname(config)# mode multiple

You are prompted to reboot the security appliance.

CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***change mode
Rebooting....

23/39

Configuration

Creating a new context:

Ciscoasa(config)# context ContextA
Ciscoasa(config-ctx)# description text
Ciscoasa(config-ctx)# allocate-interface <physical-interface> [mapped name]
Ciscoasa(config-ctx)# config-url url

You can't rename a context; you will have to delete it, then create a new one with the new name. Delete a context:

no context ContextA
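To make the ordering rules from the Configuration Notes and the context-creation commands above concrete, here is an added Python checker (not from the slides, and not a Cisco tool) that scans a system-context configuration for contexts defined before admin-context, for config-url entered before allocate-interface, and for contexts with no config-url at all. The configuration text, context names and disk0: paths are constructed samples.

```python
# Added example, not from the slides: a small checker for the ordering rules
# on the previous slides (admin-context first, allocate-interface before
# config-url, config-url present), run over a constructed system-context
# configuration. It is not an ASA parser; it only understands these commands.
SAMPLE_CONFIG = """\
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg
context ctxA
  config-url disk0:/ctxA.cfg
  allocate-interface GigabitEthernet0/1.10 inside
context ctxB
  allocate-interface GigabitEthernet0/1.20 inside
"""

def check_contexts(config_text):
    """Return (context, problem) tuples for the rules on the previous slides."""
    problems = []
    admin_seen = False
    current = None
    state = {}                     # context name -> {"url": bool, "url_first": bool}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("admin-context "):
            admin_seen = True
        elif line.startswith("context "):
            current = line.split()[1]
            state[current] = {"url": False, "url_first": False}
            if not admin_seen:     # the firewall refuses this; flag it anyway
                problems.append((current, "defined before admin-context"))
        elif current and line.startswith("allocate-interface "):
            if state[current]["url"]:
                # config-url already loaded the context config, so commands
                # referring to this interface have already failed
                state[current]["url_first"] = True
        elif current and line.startswith("config-url "):
            state[current]["url"] = True
    for name, st in state.items():
        if not st["url"]:
            problems.append((name, "no config-url: context configuration incomplete"))
        if st["url_first"]:
            problems.append((name, "allocate-interface after config-url"))
    return problems

if __name__ == "__main__":
    for ctx, problem in check_contexts(SAMPLE_CONFIG):
        print(f"{ctx}: {problem}")
```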

24/39

Example Scenario

25/39

FIREWALL CONTEXTS ROUTING

26/39

Firewall Context Routing

As mentioned previously, in the multiple context mode the firewall supports only static routing.

You need to configure a static route for every non-directly connected subnet for a firewall context or set up a static default route.

All adjacent routers should also be configured with static routes to allow for full connectivity.

27/39

Firewall Context Routing

Routing between contexts: firewall contexts do not share IP routing tables, and thus if you want to establish communications between the routing contexts you need either of the following:
1. Configure each context with a set of static routes for the subnets connected or located behind the other context.
2. Use an external router that has full knowledge of the subnets behind each of the contexts to provide connectivity.

28/39

Firewall Context Routing

Context Cascading: Recall that physical interfaces could be shared between the contexts.

In some scenarios, you may even configure the same physical interface as the inside for one context and outside for another. This is called context cascading. Look at the figure below:

29/39

FIREWALL CONTEXTS CLASSIFICATION

30/39

Firewall Context Classification

It is easy to assign an input packet to the context if the interface where it has been received is uni…

31/39

Firewall Context Classification

Shared interfaces classification rules:

1) The firewall looks at the destination MAC address of the packet; the destination MAC designates the “next hop” for the packet.

2) If the MAC address is the same in both contexts for the same interface, the firewall attempts to use the NAT configuration in every context to resolve the “conflicts”. This may happen if you intentionally assign the same IP address to both contexts or did not assign different MAC addresses to the shared interfaces.

The firewall attempts to match the destination IP address and TCP/UDP port information in the packet with the active translation slots in every context. The context with the matching translation slot is selected as the target context. This type of classification allows sharing the same IP subnet or even IP address on the shared interface. You are not re…

32/39

Firewall Context Classification

Shared interfaces classification rules:

3) If all contexts on the shared interface use the same IP address/MAC then you cannot access the contexts on the shared interface. Why? Because for traffic destined to the firewall itself, it classifies based on the destination IP address. So it is generally recommended to use separate IP addresses (MAC could be the same) on the shared interfaces.
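The three classification rules on the last two slides, modelled in Python as an added example (not from the slides, and not ASA code): a unique destination MAC decides, a shared MAC falls back to the active translation slots, and traffic to the firewall itself can only be told apart by destination IP. Context names, MAC and IP addresses and the translation-slot entries are constructed sample data.

```python
# Added example, not from the slides: a model of the shared-interface
# classification rules above. Contexts, MACs, IPs and translation slots are
# constructed sample data; the real classifier is inside ASA, not this code.
from dataclasses import dataclass, field

@dataclass
class Context:
    name: str
    mac: str                                  # MAC of the context's logical interface
    ip: str                                   # IP of the context's logical interface
    xlates: set = field(default_factory=set)  # active translation slots: (dst_ip, dst_port)

def classify(contexts, dst_mac, dst_ip, dst_port):
    """Return the owning context name, or None when the packet is unclassifiable."""
    # Rule 1: the destination MAC is the next hop; a unique MAC decides
    by_mac = [c for c in contexts if c.mac.lower() == dst_mac.lower()]
    if len(by_mac) == 1:
        return by_mac[0].name
    if not by_mac:
        return None                           # no context owns this MAC
    # Rule 2: shared MAC, so match dst IP/port against each context's xlates
    by_xlate = [c for c in by_mac if (dst_ip, dst_port) in c.xlates]
    if len(by_xlate) == 1:
        return by_xlate[0].name
    # Rule 3: traffic to the firewall itself is classified by destination IP,
    # so the same IP+MAC in every context cannot be told apart
    owners = [c for c in by_mac if c.ip == dst_ip]
    return owners[0].name if len(owners) == 1 else None

SHARED_MAC = "0011.2233.4455"                 # constructed, shared by ctxA and ctxB
CONTEXTS = [
    Context("ctxA", SHARED_MAC, "10.0.0.1", {("203.0.113.10", 80)}),
    Context("ctxB", SHARED_MAC, "10.0.0.1", {("203.0.113.20", 443)}),
    Context("ctxC", "0011.2233.ffff", "10.0.0.3"),
]

if __name__ == "__main__":
    print(classify(CONTEXTS, "0011.2233.ffff", "198.51.100.9", 22))  # ctxC: unique MAC
    print(classify(CONTEXTS, SHARED_MAC, "203.0.113.20", 443))       # ctxB: matching xlate
    print(classify(CONTEXTS, SHARED_MAC, "10.0.0.1", 22))            # None: same IP and MAC
```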

33/39

RESOURCE MANAGEMENT

34/39

Resource Management

The firewall has limited resources, shared between the contexts.

The resources include concurrent connections, inspections, translation slots, management sessions (telnet, ssh and https), number of inside hosts and so on.

Some of those resources are limited based on the licensing option, e.g. the number of inside hosts. Others are limited by the firewall hardware.

35/39

Resource Management

In order to avoid resource contention and exhaustion, the firewall allows limiting per-context resources using the resource class concept.

Every class specifies the amount of resource available to a context. Classes are assigned to the contexts to enforce the limits.

By default, all contexts are assigned class “default”. Note that contexts do not “share” the particular class resources. They only inherit the resource limits set by a class.

36/39

Resource Management

When you create a new class, it inherits all limits from the “default” resource class.

When you redefine any particular limit in the new class, you automatically override the default setting for this limit.

You may also configure the default class settings and all classes will inherit these values, unless they redefine them.

37/39

Resource Management

38/39

Resource Management

The appliance never “reserves” any resources for classes. It simply uses them to compute the resource limits and satisfies any re…00 connections. You assign this class to 3 contexts. At the peak of their usage every context may re…00 connections, exceeding the total limit of 1000. Thus it is up to the administrator to properly set limits and prevent resource starvation.

You may set resource limits in absolute values (e.g. number of connections or hosts) or in percent of the maximum resource available.

39/39

Resource Management

The syntax is:

class <NAME>
limit-resource <Resource> [<Value>|<1-100%>]

Some resources, like Conns, Inspects and Syslogs, support rate limiting, using the command:

limit-resource rate [<Conn|Inspect|Syslog>|<1-100%>]
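An added Python model (not from the slides, and not Cisco code) of the resource-class rules on the last few slides: classes inherit from “default”, a redefined limit overrides it, limits can be absolute or a percentage of the platform maximum, and because nothing is reserved the limits of the contexts sharing a resource can add up to more than the total. The capacities, class names and limit values are constructed.

```python
# Added example, not from the slides: a model of the resource-class rules
# above (classes inherit the "default" class, override single limits, take
# absolute or percentage values, and are never reserved, so the sum of limits
# can exceed the hardware total). Capacities and classes are constructed.
CAPACITY = {"conns": 1000, "hosts": 250}      # constructed platform maxima

CLASSES = {
    "default": {"conns": 1000, "hosts": 250}, # unlimited == platform maximum
    "gold":    {"conns": 500},                # overrides conns, inherits hosts
    "silver":  {"conns": "20%", "hosts": 50}, # percentage of the maximum
}

def resolve_limit(classes, class_name, resource):
    """Effective limit for one resource, following the inheritance rules."""
    value = classes.get(class_name, {}).get(resource)
    if value is None:                         # not redefined: inherit default
        value = classes["default"].get(resource, CAPACITY[resource])
    if isinstance(value, str) and value.endswith("%"):
        return CAPACITY[resource] * int(value[:-1]) // 100
    return int(value)

def oversubscription(classes, assignments, resource):
    """Sum every assigned context's limit and compare with the capacity.

    assignments maps context name -> class name. Returns
    (total_of_limits, capacity, oversubscribed); oversubscribed is True in
    the situation the slide warns about: three contexts whose limits add up
    to more than the 1000-connection total."""
    total = sum(resolve_limit(classes, cls, resource) for cls in assignments.values())
    return total, CAPACITY[resource], total > CAPACITY[resource]

if __name__ == "__main__":
    assigned = {"ctxA": "gold", "ctxB": "gold", "ctxC": "gold"}
    print(oversubscription(CLASSES, assigned, "conns"))   # (1500, 1000, True)
```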

