Multi-context firewalls allow us to have a tenancy-like setup: different "customers" can all share one firewall.
To set this up we need to change the firewall mode from single to multiple, which reboots the firewall:
```
ciscoasa(config)# hostname LA-FW
LA-FW(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
LA-FW(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished
```

Once the firewall has come back up again we can check the mode:
```
LA-FW# sh mode
Security context mode: multiple
LA-FW#
```

OK, so far so good! Can we connect up to the LA1 router?
```
LA-FW(config)# int e0
LA-FW(config-if)# ip add 198.240.5.2 255.255.255.252
                  ^
ERROR: % Invalid input detected at '^' marker.
LA-FW(config-if)# ip add
LA-FW(config-if)# ?

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface
  speed          Configure speed operation
LA-FW(config-if)#
```

Nope, not while in this mode we can't. Time to hit the Google. This page was useful:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99131-multiple-context.html
So, it looks like we need to do a bit of a redesign (again)...
We want to have two user contexts, as well as an admin one. These are done under VLANs, so we'll use:
- VLAN 10 - Admin - VLAN 11
- VLAN 20 - C1 - VLAN 21
- VLAN 30 - C2 - VLAN 31
This is what I ended up with:
```
LA-FW(config-ctx)# sh run
ASA Version 8.4(2)
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet1.21
 vlan 21
!
interface Ethernet2
!
interface Ethernet2.31
 vlan 31
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface Ethernet0.20 outsideC1
  allocate-interface Ethernet1.21 insideC1
!
context C2
  allocate-interface Ethernet0.30 outsideC2
  allocate-interface Ethernet2.31 insideC2
  config-url disk0:/C2.cfg
!
prompt hostname context
LA-FW(config-ctx)#
```

I ran into some issues here: notice that there is no config-url entry for the C1 context. We do need this:
```
LA-FW(config-ctx)# changeto context C1
ERROR: Context hasn't been initialized with 'config-url'
LA-FW(config-ctx)# changeto context C2
LA-FW/C2(config)# exi
LA-FW/C2# changeto system
LA-FW(config)# context C1
LA-FW(config-ctx)# config-url disk0:/C1.cfg
WARNING: Could not fetch the URL disk0:/C1.cfg
INFO: Creating context with default config
LA-FW(config-ctx)# changeto context C1
LA-FW/C1(config)#
LA-FW/C1(config)# interface outsideC1
LA-FW/C1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
LA-FW/C1(config-if)# ip address 198.250.20.2 255.255.255.252
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)#
```

I still need to get the (new) switch set up:
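The missing config-url above is easy to miss by eye once a firewall carries more than a handful of contexts. As an added example (not from this post, nor a Cisco tool), here is a small Python audit of the system-context `show run` that catches that mistake, plus two others that matter for tenant separation: an interface allocated to more than one context, and an allocation of an interface the system config never defines. The sample config is constructed from the one shown above, with C1 still lacking its config-url.

```python
# Constructed sample, trimmed from this page's system-context 'show run'; C1 still lacks its config-url.
SYSTEM_CONFIG = """\
interface Ethernet0.20
interface Ethernet0.30
interface Ethernet1.21
interface Ethernet2.31
context admin
 config-url disk0:/admin.cfg
context C1
 allocate-interface Ethernet0.20 outsideC1
 allocate-interface Ethernet1.21 insideC1
context C2
 allocate-interface Ethernet0.30 outsideC2
 allocate-interface Ethernet2.31 insideC2
 config-url disk0:/C2.cfg
"""

def parse_system_config(text):
    """Return (set of interface names, {context: {"config_url": str|None, "ifaces": [...]}})."""
    ifaces, ctxs, cur_ctx = set(), {}, None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "interface":               # interface block; leaves any context block
            ifaces.add(words[1])
            cur_ctx = None
        elif words[0] == "context":               # start of a context block
            cur_ctx = words[1]
            ctxs[cur_ctx] = {"config_url": None, "ifaces": []}
        elif cur_ctx and words[0] == "config-url":
            ctxs[cur_ctx]["config_url"] = words[1]
        elif cur_ctx and words[0] == "allocate-interface":
            ctxs[cur_ctx]["ifaces"].append(words[1])   # physical or sub-interface name
    return ifaces, ctxs

def audit_contexts(text):
    """Flag contexts with no config-url (they cannot be entered), interfaces allocated
    to more than one context (two tenants would share a wire) and allocations of
    interfaces the system config never defines."""
    ifaces, ctxs = parse_system_config(text)
    owners = {}
    for name, ctx in ctxs.items():
        for iface in ctx["ifaces"]:
            owners.setdefault(iface, []).append(name)
    return {
        "missing_config_url": sorted(n for n, c in ctxs.items() if not c["config_url"]),
        "shared_interfaces": {i: o for i, o in owners.items() if len(o) > 1},
        "unknown_interfaces": sorted(i for i in owners if i not in ifaces),
    }
```

Running `audit_contexts(SYSTEM_CONFIG)` reports `missing_config_url == ["C1"]` and nothing else; the full `show run` from the page (with `hostname`, `vlan` and `limit-resource` lines) is parsed just the same, since only the four keywords above are inspected.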
```
Switch(config)#vlan 10
Switch(config-vlan)#name admin-vlan
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name C1-vlan
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name C2-vlan
Switch(config-vlan)#exi
Switch(config)#int gi0/1
Switch(config-if)#swi tru encap dot
Switch(config-if)#swi mo tru
Switch(config-if)#no sh
Switch(config-if)#hostname LA-SW
LA-SW(config)#
```

I should also get LA1 set up as well:
```
LA1(config)#int gi 0/0.10
LA1(config-subif)#encapsulation dot1Q 10
LA1(config-subif)#int gi 0/0.20
LA1(config-subif)#encapsulation dot1Q 20
LA1(config-subif)#int gi 0/0.30
LA1(config-subif)#encapsulation dot1Q 30
LA1(config-subif)#exi
LA1(config)#int gi 0/0
LA1(config-if)#no sh
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#do sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     198.240.5.1     YES NVRAM  up                    up
GigabitEthernet0/0.10  unassigned      YES unset  up                    up
GigabitEthernet0/0.20  198.250.20.1    YES manual up                    up
GigabitEthernet0/0.30  unassigned      YES unset  up                    up
GigabitEthernet0/1     134.20.1.6      YES NVRAM  up                    up
GigabitEthernet0/2     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3     unassigned      YES NVRAM  administratively down down
Loopback0              4.4.4.4         YES NVRAM  up                    up
LA1(config-subif)#do ping 198.250.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/15/25 ms
LA1(config-subif)#
```

Back to the C1 context to set up the inside:
```
LA-FW/C1(config-if)# int insideC1
LA-FW/C1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LA-FW/C1(config-if)# ip add 20.5.5.1 255.255.255.0
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)#
```

Because we are running ASA 8.4(2), we cannot use dynamic routing protocols in this mode, only static routes:
```
LA-FW/C1(config)# route Outside 0.0.0.0 0.0.0.0 198.250.20.1
```

Because it's ASA 8.4 we need to use the new NAT syntax. Thanks to Peter Revill over at CCIErants for this excellent post, which really helped: http://www.ccierants.com/2012/06/asa-84-nat-mostly-definitive-guide.html
```
LA-FW/C1(config)# object network InsideNetwork
LA-FW/C1(config-network-object)# subnet 20.5.0.0 255.255.0.0
LA-FW/C1(config-network-object)# nat (inside,outside) dynamic interface
LA-FW/C1(config-network-object)#
```

Again, we need to make sure we are working within the MPLS VRF:
```
LA1(config)#int GigabitEthernet0/0.20
LA1(config-subif)#ip vrf forwarding 802101
% Interface GigabitEthernet0/0.20 IPv4 disabled and address(es) removed due to disabling VRF 802101
LA1(config-subif)#ip address 198.250.20.1 255.255.255.252
LA1(config-subif)#exi
LA1(config)#ip route vrf 802101 20.5.0.0 255.255.0.0 198.250.20.2
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red static metric 1
LA1(config-router-af)#redistribute connected metric 1
LA1(config-router-af)#
```

Now let's set up the C1 router:
```
Router(config)#int gi0/0
Router(config-if)#ip add 20.5.5.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exi
Router(config)#ip route 0.0.0.0 0.0.0.0 20.5.5.1
Router(config)#hostname LA-C1
LA-C1(config)#
```

Thanks to the magic of redistribution, we have routes:
```
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 02:24:38, GigabitEthernet0/0
      20.0.0.0/16 is subnetted, 1 subnets
D EX     20.5.0.0 [170/2562816] via 128.2.2.2, 00:00:10, GigabitEthernet0/0
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 02:02:39, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 02:15:44, GigabitEthernet0/0
NY2#
```

We can even get to NY2 from the LA-FW C1 context:
```
LA-FW/C1(config)# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LA-FW/C1(config)#
```

But this is pretty much as far as it goes. Most of the trouble revolved around NAT, but I got around that, and packet tracer gave a clean result.
Something is majorly wrong here, and at the most basic of levels:
So I tried throwing a switch in between the two LA routers and the LA-FW; a little bit of reconfiguration later, it looks like this:
However, it still does not work.
ARP is still failing, so I need to go and do some digging. Still, I like a challenge.