After the issues in the previous post about multiple context ASAs, I went off and made use of my INE All Access Pass subscription and watched the two videos on the subject. I really couldn't see what I was doing wrong; the steps Brian went through did not look any different from the ones I was doing. Confusion still reigned.
So after a night's sleep (well, a morning's sleep, as I stayed up till 1am playing Fallout 4), I decided to scale it back a bit and (almost) start from scratch.
Now it works!
Here is the configuration for the firewall:
```
LA-FW# sh run
ASA Version 8.4(2)
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface Ethernet0.20 outsideC1
  allocate-interface Ethernet1 insideC1
  config-url disk0:/C1.cfg
!
context C2
  allocate-interface Ethernet0.30 outsideC2
  allocate-interface Ethernet2 insideC2 visible
  config-url disk0:/C2.cfg
!
prompt hostname context
: end
LA-FW#
```
As you can see, the Ethernet1 interface is allocated to the C1 context without any VLAN information (as it is NOT a shared interface). Similarly, Ethernet2 is allocated to the C2 context.
Here are the configurations for the contexts:
```
LA-FW# changeto con C1
LA-FW/C1# sh run
ASA Version 8.4(2)
!
hostname C1
!
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.252
!
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network INSIDE-NAT-SUBNETS
 network-object 20.5.5.0 255.255.255.0
 network-object 20.5.6.0 255.255.255.0
 network-object 20.5.7.0 255.255.255.0
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit icmp any any echo-reply
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.20.1 1
: end
LA-FW/C1#
LA-FW/C1# changeto con C2
LA-FW/C2#
LA-FW/C2# sh run
ASA Version 8.4(2)
!
hostname C2
!
interface outsideC2
 nameif Outside
 security-level 0
 ip address 198.250.30.2 255.255.255.252
!
interface insideC2
 nameif Inside
 security-level 100
 ip address 20.6.6.1 255.255.255.0
!
object network Customer2
 subnet 20.6.6.0 255.255.255.0
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.30.1 1
: end
LA-FW/C2#
LA-FW/C2#
LA-FW/C2# changeto system
LA-FW#
```
Now we can ping from the routers in the different contexts to the LA-FW context IP addresses:
```
LA-C1#ping 20.5.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/16 ms
LA-C1#

LA-C2#ping 20.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
LA-C2#
```
The LA1 router needs to be set up (again, I thought I had done this, but maybe I didn't save the configuration!):
```
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encapsulation dot 20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#no sh
LA1(config-subif)#
LA1(config-subif)#int gi 0/0.30
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encap dot 30
LA1(config-subif)#ip add 198.250.30.1 255.255.255.252
LA1(config-subif)#
```
We now have connectivity from LA-FW to the LA1 router:
```
LA-FW/C1# ping 198.250.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C1#
LA-FW/C1# changeto con C2
LA-FW/C2# ping 198.250.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C2#
```
A bit of redistribution:
```
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red connect metric 1
LA1(config-router-af)#
```
And we have routes:
```
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.20.0/30 is subnetted, 1 subnets
D EX     198.250.20.0 [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.30.0/30 is subnetted, 1 subnets
D EX     198.250.30.0 [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
NY2#
```
We have connectivity from the LA-FW to the 3.3.3.3 loopback:
```
LA-FW/C2# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C2# changeto con C1
LA-FW/C1# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C1#
```
But I do need to fix something (either NAT or routing on the context "hosts"), and packet-tracer is where to start. Unfortunately I did a packet-tracer, and the router crashed. Second time around, packet-tracer gave the all-clear:
```
LA-FW/C1# packet-tracer input Inside icmp 20.5.5.2 0 0 3.3.3.3 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbd1373a0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbd13b298, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbd47d5a8, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0xbd47c588, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbd13ae70, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0xbd13a488, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

LA-FW/C1#
```
Notice anything missing though? Yep, no NAT... It looks like when I reconfigured the interfaces, the NAT command was removed. Let's put it back in:
```
LA-FW/C1(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C1(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C1(config)#
```
Now we have success!!!!
```
LA-C1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/14/22 ms
LA-C1#
```
Let's fix the other context:
```
LA-FW/C2(config)# object-group network INSIDE-NAT-SUBNETS
LA-FW/C2(config-network-object-group)# network-object 20.6.6.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.7.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.8.0 255.255.255.0
LA-FW/C2(config-network-object-group)# exi
LA-FW/C2(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C2(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C2(config)#
```
It works for the second context as well:
```
LA-C2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
LA-C2#
```
Wonderful! As it turns out, multiple context configuration is not all that hard: it's just a couple of commands per context, and after that it's no different from setting up a regular ASA. I am glad it worked today; if it had not, I am not sure what my next steps were going to be (apart from asking other people). But now I have end-to-end connectivity between the two contexts and the NY2 loopback(s), from different ASA contexts, through the MPLS cloud, through a transparent firewall and on to the end destination.
Things are shaping up pretty well, and I haven't had to resort to ASDM (yet). Usually I hardly ever touch the ASA CLI, and now this is really starting to push me more, which is the whole idea behind these studies.
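An added check, not from the post, that turns the two lessons above into an audit: the script parses the system context's allocate-interface lines to flag any interface shared between contexts, and flags any context whose config has no nat rule for its Inside interface, the omission that packet-tracer revealed here. The embedded configs are constructed from the post's values, with C1 shown in its pre-fix state.

```python
import re
from collections import defaultdict

# Constructed sample: the interface allocations from the post's system context.
SYSTEM_CFG = """\
context C1
  allocate-interface Ethernet0.20 outsideC1
  allocate-interface Ethernet1 insideC1
context C2
  allocate-interface Ethernet0.30 outsideC2
  allocate-interface Ethernet2 insideC2 visible
"""

# Constructed per-context configs: C1 as it stood before the NAT rule was
# put back (the state packet-tracer exposed), C2 after the fix.
CONTEXT_CFGS = {
    "C1": "object-group network INSIDE-NAT-SUBNETS\n"
          " network-object 20.5.5.0 255.255.255.0\n",
    "C2": "object-group network INSIDE-NAT-SUBNETS\n"
          " network-object 20.6.6.0 255.255.255.0\n"
          "nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface\n",
}

def allocations(system_cfg):
    """Map each context name to the interfaces allocated to it."""
    alloc, ctx = defaultdict(list), None
    for line in system_cfg.splitlines():
        m = re.match(r"^context (\S+)", line)
        if m:
            ctx = m.group(1)
        m = re.match(r"^\s+allocate-interface (\S+)", line)
        if m and ctx:
            alloc[ctx].append(m.group(1))
    return dict(alloc)

def shared_interfaces(alloc):
    """Interfaces allocated to more than one context, i.e. shared interfaces."""
    owners = defaultdict(set)
    for ctx, ifcs in alloc.items():
        for ifc in ifcs:
            owners[ifc].add(ctx)
    return {ifc: sorted(c) for ifc, c in owners.items() if len(c) > 1}

def has_inside_nat(ctx_cfg):
    """True if the context has a nat rule for traffic entering on Inside."""
    return any(re.match(r"^nat \(Inside,\S+\)", line) for line in ctx_cfg.splitlines())

def contexts_missing_nat(ctx_cfgs):
    """Names of contexts whose Inside traffic would leave untranslated."""
    return sorted(name for name, cfg in ctx_cfgs.items() if not has_inside_nat(cfg))
```

Run against the post's configs it reports no shared interfaces and lists C1 as missing NAT; feed it the output of sh run from the system context and from each context to check a real box.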
Next up will be the configuration of the London firewalls, but not today. My boys need Lego building and I need another coffee.
Happy weekend all!
Oh, one final tip I picked up from the INE videos: use "wr mem all" under the system context to save everything:
```
LA-FW# wr mem all
Building configuration...
Saving context : system : (000/003 Contexts saved)
Cryptochecksum: 71b164a0 daea0c41 451c6344 3f3803aa
1765 bytes copied in 0.160 secs
Saving context : admin : (001/003 Contexts saved)
Cryptochecksum: 1fa07e8d c5853280 5cc9f91f 7db4eb43
1525 bytes copied in 0.170 secs
Saving context : C1 : (002/003 Contexts saved)
Cryptochecksum: cc1f9db0 56a702be 6112fb7b 71b13455
2405 bytes copied in 0.160 secs
Saving context : C2 : (003/003 Contexts saved)
Cryptochecksum: 3f8ba835 ca4016d9 7770dcfe e3a4d37d
2168 bytes copied in 0.170 secs
[OK]
LA-FW#
```