Limitations
Here are some important limitations regarding virtual firewalls on a Cisco ASA:
* Key features that are unsupported on a Cisco ASA in multiple mode are dynamic routing protocols, IPsec and SSL VPNs, multicast IP routing, threat detection, and Phone Proxy.
* The Cisco ASA 5505 does not support multiple mode. (This personally frustrates me.)
* The number of Security Contexts you can create depends on the software licenses and the Cisco ASA hardware model used.
I had a discussion with our core design engineer and he mentioned that we should be able to run IPsec site-to-site VPNs on context-based firewalls. And sure enough, after doing some research, Cisco has finally released code to support this feature.
As of ASA code 9.0 and later, some of these features are now supported in multiple mode, in particular multi-context VPN. Refer to these useful links:
http://sevenlayers.wordpress.com/2012/09/13/cisco-multi-conext-vpn-is-finally-here-in-asa-release-9-0-a-few-years-too-late/
http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/data_sheet_c78-714849.html
Configuration Tasks
Here is an overview of the configuration steps for virtual firewalls on the Cisco ASA.
Step 1: Enable multiple mode on the Cisco ASA.
Step 2: Create a Security Context.
Step 3: Allocate interfaces to the context.
Step 4: Specify the startup configuration location for the context.
Step 5: Configure the Security Context resource management.
Step 6: Configure each Security Context as a separate security appliance.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual // EXCLUDES SYSTEM AND ADMIN CONTEXT
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
ciscoasa# configure terminal
ciscoasa(config)# mode ?
configure mode commands/options:
multiple Multiple mode; mode with security contexts
noconfirm Do not prompt for confirmation
single Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart
<OUTPUT TRUNCATED>
ciscoasa# configure terminal
ciscoasa(config)# interface gigabitethernet0 // WE UNSHUT MAIN INTERFACES IN SYSTEM CONTEXT
ciscoasa(config-if)# ?
Interface configuration commands:
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
description Interface specific description
exit Exit from interface configuration mode
help Interactive help for interface subcommands
lacp LACP interface subcommands
no Negate a command or set its defaults
shutdown Shutdown the selected interface
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# context ?
configure mode commands/options:
WORD Symbolic name of the context
ciscoasa(config)# context CONTEXT-A
Creating context 'CONTEXT-A'... Done. (2)
ciscoasa(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
ciscoasa(config-ctx)# allocate-interface ?
context mode commands/options:
WORD Indicate interfaces assigned to the context
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 ?
context mode commands/options:
WORD Optional interface name mapping for the context
invisible Optional flag for hiding hardware property in context (default)
visible Optional flag for publishing hardware property in context
<cr>
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa(config-ctx)# config-url ?
context mode commands/options:
disk0: A URL beginning with this prefix for the context's config (file need not exist)
flash: A URL beginning with this prefix for the context's config (file need not exist)
ftp: A URL beginning with this prefix for the context's config (file need not exist)
http: A URL beginning with this prefix for the context's config (file need not exist)
https: A URL beginning with this prefix for the context's config (file need not exist)
smb: A URL beginning with this prefix for the context's config (file need not exist)
tftp: A URL beginning with this prefix for the context's config (file need not exist)
ciscoasa(config-ctx)# config-url disk0:/CONTEXT-A.cfg
WARNING: Could not fetch the URL disk0:/CONTEXT-A.cfg
INFO: Creating context with default config
ciscoasa/CONTEXT-A(config)# interface intg0
ciscoasa/CONTEXT-A(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa/CONTEXT-A(config-if)# no shutdown
ciscoasa/CONTEXT-A(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CONTEXT-A(config-if)# interface intg1
ciscoasa/CONTEXT-A(config-if)# ip address 209.165.200.1 255.255.255.0
ciscoasa/CONTEXT-A(config-if)# no shutdown
ciscoasa/CONTEXT-A(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-ctx)# exit
ciscoasa(config)# context CONTEXT-B
Creating context 'CONTEXT-B'... Done. (3)
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa/CONTEXT-B(config)# interface intg0
ciscoasa/CONTEXT-B(config-if)# ip address 172.16.1.1 255.255.255.0
ciscoasa/CONTEXT-B(config-if)# no shutdown
ciscoasa/CONTEXT-B(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CONTEXT-B(config-if)# interface intg1
ciscoasa/CONTEXT-B(config-if)# ip address 209.165.200.1 255.255.255.0
ERROR: This address conflicts with another address on net
ciscoasa/CONTEXT-B(config-if)# ip address 209.165.200.2 255.255.255.0
ciscoasa/CONTEXT-B(config-if)# no shutdown
ciscoasa/CONTEXT-B(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-ctx)# config-url disk0:/CONTEXT-B.cfg
WARNING: Could not fetch the URL disk0:/CONTEXT-B.cfg
INFO: Creating context with default config
ciscoasa(config-ctx)# exit
ciscoasa(config)# admin-context ?
configure mode commands/options:
WORD Name of administrative context
ciscoasa(config)# admin-context admin // ASSIGN ADMIN CONTEXT AS "ADMIN" FOR REMOTE MANAGEMENT
ciscoasa(config)# context admin
ciscoasa(config-ctx)# config-url disk0:/admin.cfg
Cryptochecksum (changed): d9951253 3b82d2ce 840166f8 ccd3d7f1
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa(config-ctx)# end
ciscoasa# changeto ?
context Change to context
system Change to system space
ciscoasa# changeto context ?
WORD Context name
ciscoasa# changeto context admin
ciscoasa/admin# configure terminal
ciscoasa/admin(config)# interface intg0
ciscoasa/admin(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa/admin(config-if)# no shutdown
ciscoasa/admin(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/admin(config-if)# exit
ciscoasa/admin(config)# http server enable
ciscoasa/admin(config)# http 0 0 inside // HTTPS/ASDM ACCESS FROM ANY IP SOURCE COMING FROM THE INSIDE INTERFACE
ciscoasa/admin(config)# end
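As an added example, not part of the original post or of Cisco's tooling, here is a small Python audit that checks a multiple-mode setup for the points the walkthrough above touches: every context has a config-url and allocated interfaces (Steps 3 and 4), a resource class has been assigned with `member` (Step 5), interfaces allocated to more than one context are flagged, and an admin-context management line that accepts any source (`http 0 0 inside`) is flagged with a tighter form that uses the walkthrough's 10.1.1.0/24 inside subnet. Both configurations in the script are constructed samples that mirror the session above (CONTEXT-B deliberately lacks a config-url); they are not output from a real device.

```python
"""Audit a Cisco ASA multiple-mode setup: config-url and interface allocation
per context, resource-class membership, shared interfaces, and admin-context
management access open to any source. Sample configs are constructed."""
import re
from collections import defaultdict

# Constructed system-space configuration mirroring the walkthrough.
# CONTEXT-B deliberately lacks a config-url so the check has something to find.
SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
  config-url disk0:/admin.cfg
context CONTEXT-A
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
  config-url disk0:/CONTEXT-A.cfg
  member gold
context CONTEXT-B
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
"""

# Constructed admin-context configuration with the management line from the post.
ADMIN_CONFIG = """\
interface intg0
  nameif inside
  ip address 10.1.1.1 255.255.255.0
http server enable
http 0 0 inside
"""


def parse_contexts(system_config):
    """Return ({name: {interfaces, config_url, member}}, admin_context_name)."""
    contexts, admin, current = {}, None, None
    for raw in system_config.splitlines():
        line = raw.strip()
        if m := re.match(r"admin-context\s+(\S+)$", line):
            admin = m.group(1)
        elif m := re.match(r"context\s+(\S+)$", line):
            current = contexts.setdefault(
                m.group(1), {"interfaces": [], "config_url": None, "member": None})
        elif current is None:
            continue
        elif m := re.match(r"allocate-interface\s+(\S+)", line):
            current["interfaces"].append(m.group(1).lower())
        elif m := re.match(r"config-url\s+(\S+)$", line):
            current["config_url"] = m.group(1)
        elif m := re.match(r"member\s+(\S+)$", line):
            current["member"] = m.group(1)
    return contexts, admin


def audit_system(contexts, admin):
    """Findings about the system-space context definitions."""
    findings = []
    if admin is None:
        findings.append("no admin-context defined: remote management needs one")
    elif admin not in contexts:
        findings.append(f"admin-context {admin} is named but never defined")
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"{name}: no config-url, the context cannot start")
        if not ctx["interfaces"]:
            findings.append(f"{name}: no interfaces allocated")
        if ctx["member"] is None:
            findings.append(f"{name}: no 'member' class, it falls into the default resource class")
        for intf in ctx["interfaces"]:
            owners[intf].append(name)
    for intf, names in sorted(owners.items()):
        if len(names) > 1:
            # A shared interface is legal, but the classifier then needs
            # unique MAC addresses or NAT to tell the contexts apart.
            findings.append(f"{intf} shared by {', '.join(sorted(names))}: "
                            "classification relies on unique MACs or NAT")
    return findings


def audit_management_access(admin_config):
    """Flag `http <addr> <mask> <ifname>` entries that accept any source."""
    findings = []
    for raw in admin_config.splitlines():
        m = re.match(r"http\s+(\S+)\s+(\S+)\s+(\S+)$", raw.strip())
        if not m:
            continue
        addr, mask, ifname = m.groups()
        if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
            findings.append(f"ASDM/HTTPS on {ifname} is open to any source; restrict it, "
                            f"e.g. 'http 10.1.1.0 255.255.255.0 {ifname}'")
    return findings


if __name__ == "__main__":
    for finding in audit_system(*parse_contexts(SYSTEM_CONFIG)) + audit_management_access(ADMIN_CONFIG):
        print("-", finding)
```

Run it against the output of `show running-config` taken in the system space and in the admin context; the shared-interface finding is informational (the walkthrough allocates the same two physical interfaces to every context, which the ASA allows), while the open `http` entry is the one a reviewer would ask to be narrowed to the management subnet before the device goes into service.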