Introduction
The ASA firewall supports software virtualization by means of so-called firewall contexts.
Every context has its own set of routing, filtering/inspection and address translation rules.
All contexts must be in either routed or transparent firewall mode; you cannot mix modes in different contexts.
Supported Features: (table not reproduced)
Where do we use multiple contexts?
ISPs that sell security services to many customers use them as a cost-effective, space-saving solution.
Large enterprises that keep their departments completely separated.
Basically, we use multiple contexts whenever there is a network that requires more than one security appliance.
Context Types
System Context
Admin Context
Normal Context
System Context
The system administrator adds and manages contexts by configuring each context's configuration location, allocated interfaces and other operational parameters in the system configuration.
The system configuration identifies basic settings for the security appliance. You cannot assign any IP addresses while in the system context, with the exception of the management interface.
You can upgrade or downgrade the PIX/ASA software only in system EXEC mode, not in the other context modes.
Admin Context
The admin context is like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts.
The admin context configuration must reside on the flash memory.
If you convert from single mode to multiple context mode, the admin context is created automatically and its configuration file is created on the flash memory.
This context can be combined with any regular user context or be dedicated.
Note: the admin context (when it is dedicated) is not counted in the context license. For example, if you get the license for two contexts, you are allowed to have the admin context and two other contexts.
Normal Context
The normal context is the actual partitioned firewall.
Contexts can be accessed via Console, Telnet, SSH, and ASDM.
Configuration
Note: the ports on the switch that are connected to the ASA must be in trunk mode, since traffic for multiple VLANs has to travel through them once the ASA interfaces are broken into subinterfaces.
Configuration
In order to turn the firewall into multiple context mode, enter the command mode multiple while logged in via the console port.
Note: you may do this remotely, but you risk losing the connection to the box.
This forces the mode change to multiple and reloads the appliance.
If you connect to the appliance through the console port, you log into the system context after the reload.
When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
1. A new startup configuration that comprises the system configuration.
2. admin.cfg, which comprises the admin context (in the root directory of the internal flash memory).
Configuration Steps
You should do the following while logged into the system context:
1) Configure physical interfaces. You need to un-shutdown the interfaces that you want to allocate to the contexts. If you are creating sub-interfaces using VLANs, you should do it under the system context as well.
Configuration Steps
2) Define the admin context.
This is a special context that allows logging in to the firewall remotely (via SSH, Telnet or HTTPS).
This context should be configured first, as the firewall won't let you create any other contexts prior to designating the admin context using the global command admin-context <NAME>.
As mentioned, this context is created automatically when you convert from single-context mode.
Configuration Steps
3) Define additional contexts if needed and allocate physical interfaces to the contexts.
Use the command allocate-interface <Physical-Interface> [<Iface-Name>] under the context configuration mode for interface allocation.
Here <Physical-Interface> is the physical interface or sub-interface name and <Iface-Name> is the name that the context sees for this interface.
Using this command you can hide the real interface names from the context administrators (e.g. hide VLAN numbers), in order to provide an additional level of isolation from the physical configuration.
Configuration Steps
4) Change to the context configuration and proceed as usual.
Assign interface names, security levels and IP addresses.
Set up static routes for subnets not directly connected to the context, even for subnets connected to other contexts.
Configuration Notes
Every configured context should have a configuration URL defined using the command config-url <PATH> to store its configuration. Without this command, the context configuration is incomplete.
After the context has been defined, you may switch to the in-context configuration using the command changeto context <NAME>.
In order to access the system context remotely, log into the admin context using any configured remote access method and issue the command changeto system.
Use the command write memory all in the system context to save the configuration of all contexts to persistent storage. You may also save the configuration of a context individually when logged into that particular context using the command write memory.
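The four steps and notes above, worked through as one system-context configuration. This is an added example, not from the original slides: interface names, context names, file paths and the documentation-range IP addresses are assumed, and mac-address auto (which gives each context its own MAC on a shared interface) is an assumption about the platform, not something the slides mention.

```cisco
! System context, after "mode multiple" and the reload
! Step 1: bring up physical interfaces and create VLAN subinterfaces here
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
! GigabitEthernet0/0 is shared below: give each context its own MAC
! so that classification by destination MAC can work (assumed feature)
mac-address auto
! Step 2: designate the admin context before creating any other context
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! Step 3: customer contexts; mapped names hide the VLAN numbers
context CustomerA
 description Customer A (VLAN 10)
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/CustomerA.cfg
context CustomerB
 description Customer B (VLAN 20)
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/CustomerB.cfg
! Step 4: enter a context and configure it like a normal firewall
changeto context CustomerA
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! CustomerB must use a different outside IP (e.g. 203.0.113.11) on the
! shared interface, otherwise traffic to the firewall cannot be classified
! Save every context's configuration from the system context
changeto system
write memory all
```

config-url is placed last in each context on purpose: the context is loaded when that command is entered, so interfaces allocated after it would be missing from the loaded configuration.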
Configuration Notes
Physical interfaces can be shared among contexts, i.e. you may assign the same interface to different contexts.
Interface sharing is the unique feature of ASA firewall contexts, and this is what makes them stand apart from IOS VRF technology.
When an interface is shared between two contexts, certain classification rules are applied to determine which context the incoming packets should use.
By default both contexts inherit the same MAC address from the shared physical interface. This might result in the firewall not being able to classify the incoming traffic properly.
Configuration
In order to enable multiple mode, enter this command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** SHUTDOWN NOW
***
*** Message to all terminals:
***
*** change mode
Rebooting....
Configuration
Creating a new context:
ciscoasa(config)# context ContextA
ciscoasa(config-ctx)# description text
ciscoasa(config-ctx)# allocate-interface <Physical_interface> [mapped name]
ciscoasa(config-ctx)# config-url url
Example Scenario (diagram not reproduced)
Firewall Contexts: Routing (diagrams not reproduced)
Firewall Contexts: Classification
It is easy to assign an input packet to a context if the interface where it has been received is uniquely allocated to that context.
If the interface is shared, additional rules are needed.
Shared interfaces classification rules:
1) The firewall looks at the destination MAC address of the packet; the destination MAC designates the next hop for the packet.*
2) If the MAC address is the same in both contexts for the same interface, the firewall attempts to use the NAT configuration in every context to resolve the conflict.
3) If all contexts on the shared interface use the same IP address/MAC, then you cannot access the contexts on the shared interface.
Why? Because for traffic destined to the firewall itself, it classifies based on the destination IP address.
So it is generally recommended to use separate IP addresses (the MAC could be the same) on the shared interfaces.
Resource Management
The firewall has limited resources, shared between the contexts.
The resources include concurrent connections, inspections, translation slots, management sessions (Telnet, SSH and HTTPS), the number of inside hosts and so on.
Some of those resources are limited based on the licensing option, e.g. the number of inside hosts. Others are limited by the firewall hardware.
In order to avoid resource contention and exhaustion, the firewall allows limiting per-context resources using the resource class concept.
Every class specifies the amount of resources available to a context. Classes are assigned to the contexts to enforce the limits.
By default, all contexts are assigned the class default.
Note that contexts do not share the particular class resources. They only inherit the resource limits set by a class.
When you create a new class, it inherits all limits from the default resource class.
When you redefine any particular limit in the new class, you automatically override the default setting for this limit.
You may also configure the default class settings, and all classes will inherit these values unless they redefine them.
The appliance never reserves any resources for classes. It simply uses them to compute the resource limits and satisfies any request that is within the limit for a given class.
For example, suppose the system supports up to 1000 connections maximum, and you create a new class with a limit of 500 connections. You assign this class to 3 contexts. At the peak of their usage every context may request up to 500 connections, exceeding the total limit of 1000. Thus it is up to the administrator to set limits properly and prevent resource starvation.
You may set resource limits in absolute values (e.g. number of connections or hosts) or in percentages of the maximum resource available.
The syntax is:
class <NAME>
limit-resource <Resource> [<Value>|{1-100%}]
Some resources, like Conns, Inspects and Syslogs, support rate limiting, using the command:
limit-resource rate {Conns|Inspects|Syslogs} [<Value>|{1-100%}]
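The 1000-connection oversubscription scenario and the class syntax above, as an added system-context example that is not from the original slides. The platform maximum of 1000 connections, the class names, the context names and the specific limit values are assumptions chosen to show the weak setting beside a corrected one.

```cisco
! System context; assumes a platform maximum of 1000 connections
! Oversubscribed: 3 contexts x 500 = 1500 > 1000. Nothing is reserved,
! so at peak the first contexts to ask win and the others starve.
class oversubscribed
 limit-resource conns 500
! Corrected: percentages of the platform maximum keep the sum at 99%
class customer
 limit-resource conns 33%
 limit-resource hosts 200
 limit-resource rate conns 100
 limit-resource rate syslogs 50
! The default class is inherited by every class that does not override
! a limit; use it to cap management sessions everywhere
class default
 limit-resource telnet 2
 limit-resource ssh 2
! Assign the class; the admin context stays in class default
context CustomerA
 member customer
context CustomerB
 member customer
context CustomerC
 member customer
! Verify from the system context:
! show resource allocation          (allocation totals per resource)
! show resource usage context all   (current usage against the limits)
```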