7/23/2019 ASA Multiple Context

ASA Multiple Context

INTRODUCTION

Introduction

ASA firewall supports software virtualization, by means of so-called firewall contexts. Every context has its own set of routing, filtering/inspection and address translation rules.

All contexts must be in either routing or transparent firewall mode - you cannot mix modes in different contexts.

Introduction

Supported Features: Only static routing, Firewall features, IPS, Management

Unsupported Features (for ASA pre-9 versions): VPN termination, Dynamic Routing Protocol, QoS

New features introduced in ASA 9:
- Site-to-Site VPN in multiple context mode
- New resource type for site-to-site tunnels
- Dynamic routing in Security Contexts
- New resource type for routing table entries
- Mixed firewall mode support in multiple context mode

Introduction

Where do we use Multiple context? In ISPs, where they sell security services to many customers, they implement a cost-effective, space-saving solution.

Large Enterprises who keep their departments completely separated.

Basically, we use multiple context whenever there is a network that re[...]5505 Series Adaptive Security Appliance.

CONTEXT TYPES

Context Types

- System Context
- Admin Context
- Normal Context

System Context

The System administrator adds and manages contexts by the configuration of each context's configuration location, allocated interfaces, and other context operational parameters in the system configuration.

The system configuration identifies basic settings for the security appliance. You cannot assign any IP addresses when you are under the system context, with the exception of the management interface.

You can upgrade or downgrade the IPS/ASA software only in the System EXEC mode, not in the other context modes.

Admin Context

The admin context is like any other context, except that when a user logs in to the admin context, that user will have system administrator rights, and can access the system and all other contexts.

Admin context configuration must reside on the Flash memory.

If you convert from a Single mode to the Multiple Context mode, the admin context is created automatically and the configuration file will be created on the Flash memory.

This context could be combined with any regular user context or be dedicated.

Note: Admin context (when it is dedicated) is not counted in the context license. For example, if you get the license for two contexts, you are allowed to have the admin context and two other contexts.

Normal Context

It is the actual partitioned firewall.

Contexts can be accessed via Console, Telnet, SSH, and ASDM.

If you log in to a non-admin context, you can only access the configuration for that context.

CONFIGURATION

Configuration

Note: The ports on the switch that are connected to the ASA must be in trunk mode, since multiple VLAN traffic has to travel through it once the ASA interfaces are broken into sub-interfaces.

Configuration

In order to turn the firewall to the multiple contexts mode, you should enter the command mode multiple when logged in via the console port.

Note: You may do this remotely but you risk losing connection to the box.

This will force the mode change to multiple and reload the appliance. If you connect to the appliance via the console port, you are logging into the system context after the reload.

Configuration

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
1. New startup configuration that comprises the system configuration.
2. admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).

The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory).

The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin".

Configuration Steps

You should do the following things while logged into the system context:

1) Configure physical interfaces. You need to enable (no shutdown) the interfaces that you want to allocate to the contexts. If you are creating subinterfaces using VLANs, you should do it under the system context as well.

Configuration Steps

2) Define the admin context.
   - This is a special context that allows logging in to the firewall remotely (via ssh, telnet or https).
   - This context should be configured first, as the firewall won't let you create any other contexts prior to designating the admin context using the global command admin-context <NAME>.
   - As we have said, this context is automatically created when you convert from the single-context mode.

Configuration Steps

3) Define additional contexts if needed and allocate physical interfaces to the contexts. Use the command allocate-interface <Physical-Interface> [<Iface-Name>] under the context configuration mode for interface allocation. Here <Physical-Interface> is the physical interface or subinterface name and <Iface-Name> is the name that the context sees for this interface.

Using this command you can hide the real interface names from the context administrators (e.g. hide VLAN numbers), in order to provide an additional level of isolation from the physical configuration.

Configuration Steps

4) Change to the context configuration, and proceed as usual. Assign interface names, security levels and IP addresses. Set up static routes for subnets not directly connected to the context - even for the subnets connected to other contexts.

Configuration Notes

Every configured context should have a configuration URL defined using the command config-url <PATH> to store its configuration. Without this command, the context configuration is incomplete.

After the context has been defined, you may switch to the "in-context" configuration using the command changeto context <NAME>.

In order to access the system context remotely, you should log into the admin context using any configured remote access method and issue the command changeto system.

Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration can include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.

Use the command write memory all in the system context to save all contexts' configuration on the persistent storage. You may also save the configuration for a context individually when logged under the particular context using the command write memory.

Configuration Notes

Physical interfaces could be shared among contexts, i.e. you may assign the same interface to different contexts.

Interface sharing is the uni[...]

Configuration Notes

If there is a shared physical interface between the contexts, each context could generally have different IP and MAC addresses on this interface.

It is possible to share the IP address as well, though. If you want to assign the same IP address to the shared interfaces in multiple context mode you'll need to give the logical interfaces a separate MAC address.

You may use non-overlapping subnets or simply different IPs on the same subnet.

By default both contexts will inherit the same MAC address from the shared physical interface. This might result in the firewall not being able to classify the incoming traffic properly.

Use the command mac-address auto in the system context to automatically generate a MAC address for every new "virtual" interface.

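The ordering rules above (allocate-interface before config-url, admin context designated before any other context is created, mac-address auto when an interface is shared) can be checked mechanically against the system configuration. The following Python script is an added example; it is not part of the slides and not Cisco software. The configuration it parses is constructed for illustration, and the interface names, context names and disk0: paths are assumptions.

```python
# Added example (not from the slides, not Cisco code): audit an ASA system-context
# configuration for the pitfalls the slides describe.  Everything below is a
# constructed sample; interface names, context names and disk0: paths are assumptions.
from collections import defaultdict

# Constructed sample of the system context configuration.  ContextB enters
# config-url before allocate-interface, and GigabitEthernet0/1 is shared by
# admin and ContextA while mac-address auto is not configured.
SYSTEM_CONFIG = """\
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
admin-context admin
context admin
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
context ContextA
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1 inside
 config-url disk0:/contextA.cfg
context ContextB
 config-url disk0:/contextB.cfg
 allocate-interface GigabitEthernet0/0.20 outside
"""


def parse_system_config(text):
    """Pick out the system-context commands the checks need: the admin-context
    designation and its line position, each context's ordered config-ctx
    commands and creation position, and whether mac-address auto is set."""
    cfg = {"admin": None, "admin_pos": None, "order": [], "contexts": {}, "mac_auto": False}
    current = None
    for pos, raw in enumerate(text.splitlines()):
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):
            # Indented line: a sub-command of the current context.  Interface
            # sub-commands are skipped because current is None for them.
            if current is not None:
                cfg["contexts"][current].append(line.strip())
            continue
        current = None
        words = line.split()
        if words[0] == "admin-context":
            cfg["admin"], cfg["admin_pos"] = words[1], pos
        elif words[0] == "context":
            current = words[1]
            cfg["order"].append((current, pos))
            cfg["contexts"][current] = []
        elif line == "mac-address auto":
            cfg["mac_auto"] = True
    return cfg


def audit(cfg):
    """Return a sorted list of (subject, finding) tuples; an empty list is clean."""
    findings = []
    if cfg["admin"] is None:
        findings.append(("system", "no admin-context designated"))
    else:
        # The firewall refuses other contexts until the admin context is designated.
        for name, pos in cfg["order"]:
            if name != cfg["admin"] and pos < cfg["admin_pos"]:
                findings.append((name, "created before admin-context was designated"))
    owners = defaultdict(list)   # physical interface -> contexts it is allocated to
    for name, cmds in cfg["contexts"].items():
        alloc = [i for i, c in enumerate(cmds) if c.startswith("allocate-interface ")]
        url = [i for i, c in enumerate(cmds) if c.startswith("config-url ")]
        if not url:
            findings.append((name, "missing config-url; context configuration is incomplete"))
        elif alloc and url[0] < alloc[0]:
            findings.append((name, "config-url precedes allocate-interface; interface commands "
                                   "in the context configuration fail when it is loaded"))
        for i in alloc:
            owners[cmds[i].split()[1]].append(name)
    for iface, names in owners.items():
        if len(names) > 1 and not cfg["mac_auto"]:
            findings.append((iface, "shared by %s without mac-address auto; both contexts "
                                    "inherit the physical MAC" % "/".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(parse_system_config(SYSTEM_CONFIG)):
        print("%-20s %s" % (subject, finding))
```

Running the script on the constructed sample reports ContextB for the command order and GigabitEthernet0/1 for the shared MAC; appending mac-address auto to the sample clears the second finding. The checker only understands the handful of commands the slides discuss, which is deliberate: it is a pre-change sanity check, not a parser for the whole ASA configuration language.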
Configuration

In order to enable multiple mode, enter this command:

hostname(config)# mode multiple

You are prompted to reboot the security appliance.

CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***change mode
Rebooting....

Configuration

Creating a new context:

Ciscoasa(config)# context ContextA
Ciscoasa(config-ctx)# description text
Ciscoasa(config-ctx)# allocate-interface <physical-interface> [mapped-name]
Ciscoasa(config-ctx)# config-url url

You can't rename the context; you will have to delete it, then create a new one with the new name. Delete a context:

no context ContextA

Example Scenario

FIREWALL CONTEXTS ROUTING

Firewall Context Routing

As mentioned previously, in the multiple context mode the firewall supports only static routing.

You need to configure a static route for every non-directly connected subnet for a firewall context, or set up a static default route.

All adjacent routers should also be configured with static routes to allow for full connectivity.

Firewall Context Routing

Routing between contexts: firewall contexts do not share IP routing tables, and thus if you want to establish communications between the routing contexts you need either of the following:
1. Configure each context with a set of static routes for the subnets connected or located behind the other context.
2. Use an external router that has full knowledge of the subnets behind each of the contexts to provide connectivity.

Firewall Context Routing

Context Cascading: Recall that physical interfaces could be shared between the contexts.

In some scenarios, you may even configure the same physical interface as the inside for one context and outside for another. This is called context cascading. (Look at the figure below.)

FIREWALL CONTEXTS CLASSIFICATION

Firewall Context Classification

It is easy to assign an input packet to the context if the interface where it has been received is uni[...]

Firewall Context Classification

Shared interfaces classification rules:

1) The firewall looks at the destination MAC address of the packet - the destination MAC designates the "next-hop" for the packet.

2) If the MAC address is the same in both contexts for the same interface, the firewall attempts to use the NAT configuration in every context to resolve the "conflicts". This may happen if you intentionally assign the same IP address to both contexts or did not assign different MAC addresses to the shared interfaces.

The firewall attempts to match the destination IP address and TCP/UDP port information in the packet with the active translation slots in every context. The context with the matching translation slot is selected as the target context. This type of classification allows sharing the same IP subnet or even IP address on the shared interface. You are not re[...]

Firewall Context Classification

Shared interfaces classification rules:

3) If all contexts on the shared interface use the same IP address/MAC then you cannot access the contexts on the shared interface. Why? Because for traffic destined to the firewall itself, it classifies based on the destination IP address. So it is generally recommended to use separate IP addresses (MAC could be the same) on the shared interfaces.

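To see how the three classification rules interact on one shared interface, here is an added Python model; it is not from the slides and not Cisco code, and the MAC addresses, IPs and translation slots are constructed sample values. It covers the default case where mac-address auto is not set and both contexts inherit the physical MAC (rule 2 then decides via the translation slots), and the to-the-box case from rule 3 where identical IPs cannot be resolved.

```python
# Added example (not from the slides, not Cisco code): a model of the shared-
# interface classification rules.  Contexts, MACs, IPs and translation slots
# are constructed sample values, not state read from a device.

# Each context's view of the shared interface: its MAC, its own interface IP,
# and the active translation slots it owns as (destination ip, protocol, port).
CONTEXTS = {
    "ContextA": {"mac": "0200.0000.00aa", "ip": "192.0.2.1",
                 "xlate": {("192.0.2.1", "tcp", 40001), ("192.0.2.1", "udp", 40002)}},
    "ContextB": {"mac": "0200.0000.00bb", "ip": "192.0.2.2",
                 "xlate": {("192.0.2.2", "tcp", 40003)}},
}


def with_shared_mac(contexts, mac="0200.0000.0001"):
    """The default without mac-address auto: every context inherits the
    physical interface's MAC."""
    return {name: dict(ctx, mac=mac) for name, ctx in contexts.items()}


def with_same_ip(contexts, ip="192.0.2.1"):
    """Every context configured with the same IP on the shared interface."""
    return {name: dict(ctx, ip=ip) for name, ctx in contexts.items()}


def classify(contexts, dst_mac, dst_ip, proto, dst_port, to_box=False):
    """Return the name of the context that receives a packet arriving on the
    shared interface, or None when the rules cannot single one out.

    Rule 1: the destination MAC, when exactly one context owns it.
    Rule 2: otherwise, for through traffic, the context whose active
            translation slot matches destination IP, protocol and port.
    Rule 3: traffic to the firewall itself is matched on destination IP only,
            so identical IPs (and MACs) on a shared interface cannot be resolved.
    """
    by_mac = [n for n, c in contexts.items() if c["mac"] == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0]
    if to_box:
        by_ip = [n for n, c in contexts.items() if c["ip"] == dst_ip]
        return by_ip[0] if len(by_ip) == 1 else None
    by_xlate = [n for n, c in contexts.items() if (dst_ip, proto, dst_port) in c["xlate"]]
    return by_xlate[0] if len(by_xlate) == 1 else None


if __name__ == "__main__":
    shared = with_shared_mac(CONTEXTS)
    print("unique MAC  ->", classify(CONTEXTS, "0200.0000.00bb", "192.0.2.2", "tcp", 40003))
    print("shared MAC  ->", classify(shared, "0200.0000.0001", "192.0.2.1", "udp", 40002))
    print("no xlate    ->", classify(shared, "0200.0000.0001", "192.0.2.1", "tcp", 9))
    print("same IP+MAC ->", classify(with_same_ip(shared), "0200.0000.0001",
                                      "192.0.2.1", "tcp", 22, to_box=True))
```

The last two calls show the failure modes the slides warn about: with a shared MAC, through traffic that matches no translation slot has no home, and with a shared MAC and a shared IP, management traffic to the firewall cannot be attributed to either context at all.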
RESOURCE MANAGEMENT

Resource Management

The firewall has limited resources, shared between the contexts.

The resources include concurrent connections, inspections, translation slots, management sessions (telnet, ssh and https), number of inside hosts and so on.

Some of those resources are limited based on the licensing option - e.g. the number of inside hosts. Others are limited by the firewall hardware.

Resource Management

In order to avoid resource contention and exhaustion, the firewall allows limiting per-context resources using the resource class concept.

Every class specifies the amount of resource available to a context. Classes are assigned to the contexts to enforce the limits.

By default, all contexts are assigned class "default". Note that contexts do not "share" the particular class resources. They only inherit the resource limits set by a class.

Resource Management

When you create a new class, it inherits all limits from the "default" resource class.

When you redefine any particular limit in the new class, you automatically override the default setting for this limit.

You may also configure the default class settings and all classes will inherit these values, unless they redefine them.

Resource Management

The appliance never "reserves" any resources for classes. It simply uses them to compute the resource limits and satisfies any re[...]500 connections. You assign this class to 3 contexts. At the peak of their usage every context may re[...]500 connections, exceeding the total limit of 1000. Thus it is up to the administrator to properly set limits and prevent resource starvation.

You may set resource limits in absolute values (e.g. number of connections or hosts) or in percentages of the maximum resource available.

Resource Management

The syntax is:

class <NAME>
limit-resource <Resource> [<Value>|{1-100%}]

Some resources, like Conns, Inspects and Syslogs, support rate limiting, using the command:

limit-resource rate [{Conn|Inspect|Syslog}|{1-100%}]
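The class inheritance rules and the "nothing is reserved" behaviour described above can be worked through with a small Python script. This is an added example, not from the slides and not Cisco code; the platform maximums, class names, context names and limit values are constructed (three contexts in a class limited to 500 connections against a 1000-connection maximum, mirroring the slide's scenario), and percentage limits are taken relative to those constructed maximums.

```python
# Added example (not from the slides, not Cisco code): compute effective
# per-context limits from resource classes and spot over-subscription.
# Platform maximums, class names, context names and limit values are
# constructed for illustration.

# Constructed platform ceilings (hardware or licence limits).
PLATFORM_MAX = {"conns": 1000, "hosts": 200, "ssh": 5}

# Constructed system-context fragment using the class / limit-resource syntax.
# The gold class overrides only conns and inherits the rest from default;
# three contexts are members of gold, the admin context stays in default.
RESOURCE_CONFIG = """\
class default
 limit-resource conns 10%
 limit-resource hosts 20
 limit-resource ssh 1
class gold
 limit-resource conns 500
context ContextA
 member gold
context ContextB
 member gold
context ContextC
 member gold
context admin
"""


def parse_resource_config(text):
    """Return (classes, members): class name -> {resource: raw limit string},
    and context name -> class name (default when no member command is given)."""
    classes, members = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        words = line.split()
        if line.startswith(" "):
            if kind == "class" and words[0] == "limit-resource":
                classes[name][words[1]] = words[2]
            elif kind == "context" and words[0] == "member":
                members[name] = words[1]
            continue
        kind, name = words[0], words[1]
        if kind == "class":
            classes.setdefault(name, {})
        elif kind == "context":
            members.setdefault(name, "default")
    return classes, members


def resolve_limit(value, maximum):
    """Absolute values are used as-is; a trailing % is taken of the platform maximum."""
    if value.endswith("%"):
        return maximum * int(value[:-1]) // 100
    return int(value)


def effective_limits(classes, members, platform_max):
    """Per-context limits.  A class inherits every limit it does not redefine
    from the default class; a resource no class mentions is capped only by the platform."""
    default = classes.get("default", {})
    limits = {}
    for ctx, cls in members.items():
        merged = dict(default)
        merged.update(classes.get(cls, {}))
        limits[ctx] = {r: resolve_limit(merged[r], m) if r in merged else m
                       for r, m in platform_max.items()}
    return limits


def oversubscription(limits, platform_max):
    """For each resource: (sum of per-context limits, platform maximum, starvation risk).
    Nothing is reserved per class, so a sum above the maximum means the contexts
    can exhaust the resource for one another at peak usage."""
    report = {}
    for r, m in platform_max.items():
        total = sum(ctx_limits[r] for ctx_limits in limits.values())
        report[r] = (total, m, total > m)
    return report


if __name__ == "__main__":
    classes, members = parse_resource_config(RESOURCE_CONFIG)
    limits = effective_limits(classes, members, PLATFORM_MAX)
    for ctx, lim in limits.items():
        print(ctx, lim)
    for r, (total, maximum, risk) in oversubscription(limits, PLATFORM_MAX).items():
        print("%-6s %5d / %5d %s" % (r, total, maximum, "OVERSUBSCRIBED" if risk else "ok"))
```

With the constructed input the three gold contexts plus the admin context add up to 1600 connections against a 1000-connection ceiling, which is exactly the starvation case the slide describes; hosts and ssh sessions stay within their ceilings. Running the same arithmetic against a real system configuration before assigning a new class is the check an administrator would want.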