CCIE Security: Multiple context firewalls (Part 1)

CCIE Security: Multiple context firewalls (Part 1)

12:59:00

Multi-context firewalls allow us to have a tenancy-like setup, we can have different "customers" all sharing one firewall.

To set this up we need change the firewall mode, from single to multiple, which leads to a reboot of the firewall: 
ciscoasa(config)# hostname LA-FW
LA-FW(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
LA-FW(config)# mode multiple 
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] 
Convert the system configuration? [confirm] 
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple 



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished
Once the firewall has come back up again we can check the mode: 
LA-FW# sh mode
Security context mode: multiple 
LA-FW#
OK, so far so good! Can we connect up to the LA1 router? 
LA-FW(config)# int e0
LA-FW(config-if)# ip add 198.240.5.2 255.255.255.252
                   ^
ERROR: % Invalid input detected at '^' marker.
LA-FW(config-if)# ip add                            
LA-FW(config-if)# ?     

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface
  speed          Configure speed operation
LA-FW(config-if)#
Nope, not when in this mode we cannot. Time to hit the Google. This page use useful:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99131-multiple-context.html

So, it looks like we need to do a bit of a redesign (again)...

We want to have two user contexts, as well as an admin one. These are done under VLANs, so we'll use:

  • VLAN 10 - Admin - VLAN 11
  • VLAN 20 - C1 - VLAN 21
  • VLAN 30 - C2 - VLAn 31
It's all VLAN based, so we need to throw an L2 switch between the FW and the LA1 router, then do more connections, or sub-interfaces.

This is what I ended up with: 
LA-FW(config-ctx)# sh run
ASA Version 8.4(2) 
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet1.21
 vlan 21
!
interface Ethernet2
!             
interface Ethernet2.31
 vlan 31
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!             
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet1.21 insideC1 
!
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet2.31 insideC2 
  config-url disk0:/C2.cfg
!
prompt hostname context 
LA-FW(config-ctx)#
I ran into some issues here, notice that I do not have an entry for the the config URL for the C1 context. We do need this: 
LA-FW(config-ctx)# changeto context C1
ERROR: Context hasn't been initialized with 'config-url'
LA-FW(config-ctx)# changeto context C2
LA-FW/C2(config)# exi
LA-FW/C2# changeto system
LA-FW(config)# context C1
LA-FW(config-ctx)# config-url disk0:/C1.cfg

WARNING: Could not fetch the URL disk0:/C1.cfg
INFO: Creating context with default config
LA-FW(config-ctx)# changeto context C1
LA-FW/C1(config)#
LA-FW/C1(config)# interface outsideC1
LA-FW/C1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
LA-FW/C1(config-if)# ip address 198.250.20.2 255.255.255.252
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)#
I still need to get the (new) switch set up: 
Switch(config)#vlan 10
Switch(config-vlan)#name admin-vlan
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name C1-vlan
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name C2-vlan
Switch(config-vlan)#exi
Switch(config)#int gi0/1
Switch(config-if)#swi tru encap dot
Switch(config-if)#swi mo tru
Switch(config-if)#no sh
Switch(config-if)#hostname LA-SW
LA-SW(config)#
Should also get LA1 set up as well: 
LA1(config)#int gi 0/0.10
LA1(config-subif)#encapsulation dot1Q 10
LA1(config-subif)#int gi 0/0.20
LA1(config-subif)#encapsulation dot1Q 20
LA1(config-subif)#int gi 0/0.30         
LA1(config-subif)#encapsulation dot1Q 30
LA1(config-subif)#exi
LA1(config)#int gi 0/0
LA1(config-if)#no sh
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         198.240.5.1     YES NVRAM  up                    up      
GigabitEthernet0/0.10      unassigned      YES unset  up                    up      
GigabitEthernet0/0.20      198.250.20.1    YES manual up                    up      
GigabitEthernet0/0.30      unassigned      YES unset  up                    up      
GigabitEthernet0/1         134.20.1.6      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Loopback0                  4.4.4.4         YES NVRAM  up                    up      
LA1(config-subif)#do ping 198.250.20.2                
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/15/25 ms
LA1(config-subif)#
Back to te C1 context to set up the inside: 
LA-FW/C1(config-if)# int insideC1
LA-FW/C1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LA-FW/C1(config-if)# ip add 20.5.5.1 255.255.255.0
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)#
Because we are using ASA 8.4.2, we cannot use dynamic routing protocols with this version, only static routes: 
LA-FW/C1(config)# route Outside 0.0.0.0 0.0.0.0 198.250.20.1
Because it's ASA 8.4 we need to use the new NAT syntax, and thanks to Peter Revill over at CCIErants for this excellent post: http://www.ccierants.com/2012/06/asa-84-nat-mostly-definitive-guide.html it really helped. 
LA-FW/C1(config)# object network InsideNetwork
LA-FW/C1(config-network-object)# subnet 20.5.0.0 255.255.0.0
LA-FW/C1(config-network-object)# nat (inside,outside) dynamic interface 
LA-FW/C1(config-network-object)#
Again, we need to make sure we are working within the MPLS vrf: 
LA1(config)#int GigabitEthernet0/0.20
LA1(config-subif)#ip vrf forwarding 802101
% Interface GigabitEthernet0/0.20 IPv4 disabled and address(es) removed due to disabling VRF 802101
LA1(config-subif)#ip address 198.250.20.1 255.255.255.252
LA1(config-subif)#exi
LA1(config)#ip route vrf 802101 20.5.0.0 255.255.0.0 198.250.20.2
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red static metric 1
LA1(config-router-af)#redistribute connected metric 1
LA1(config-router-af)#
Now let's set up the C1 router: 
Router(config)#int gi0/0
Router(config-if)#ip add 20.5.5.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exi
Router(config)#ip route 0.0.0.0 0.0.0.0 20.5.5.1
Router(config)#hostname LA-C1
LA-C1(config)#
Thanks to the magic of redistribution, we have routes: 
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 02:24:38, GigabitEthernet0/0
      20.0.0.0/16 is subnetted, 1 subnets
D EX     20.5.0.0 [170/2562816] via 128.2.2.2, 00:00:10, GigabitEthernet0/0
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 02:02:39, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 02:15:44, GigabitEthernet0/0
NY2#
We can even get to NY2 from the LA-FW C1 context: 
LA-FW/C1(config)# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LA-FW/C1(config)#
But this is pretty much as far as it goes. Most of the stuff revolved around NAT issues, but I got around these, and packet tracer gave a clean result.

Something is majorly wrong here, and at the most basic of levels:



ARP is failing.

So I tried throwing a switch in between the two LA routers and the LA-FW, little bit of reconfiguration later, and it looks like this:



However, it still does not work.

ARP is still failing, so I need to go and do some digging. Still, I like a challenge.
Unknown

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Next
« Prev Post
Previous
Next Post »

Subscribe to: Post Comments (Atom)