Friday, 5 February 2016

Running multiple contexts with the ASA 5510

Using security contexts we can divide up our firewall to run multiple autonomous virtual firewalls - i.e. with separate routing tables, management, IDS / IPS etc. - Although note that when an ASA is running multiple contexts VPN's are not possible.

Note: You will need a 'Security Plus' license to utilize this feature!

There are three main configurations that the ASA manages when using multiple contexts:

- Context Configuration: Holds all of the context specific details e.g. routing tables, interface information, management interfaces - http etc.

- System Configuration: The base settings that the ASAS uses for startup e.g. images, boot parameters etc.

- Admin Context Configuration: This is the context (it its own right) that allows you to manage / access all other contexts.

All incoming traffic to the appliance needs to be classified when entering:

- If a unique / dedicated interface is used for a single context - all traffic is simply classified for that context.

- If there are multiple contexts sharing the same interface you have the ability to assign additional MAC addresses to the interface - one for each context - so they are classified correctly.

- You can also use NAT as a clasifier - the classifier intercepts the packet and looks at the destination address - by knowing this it can then route the traffic to the correct context.

For example on Context A:
static (inside,shared) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

and on Context B:

static (inside,shared) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

In order to enable multi-context mode we should perform the following:

write memory
copy startup-config tftp

mode multiple

Example output:

WARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm]Convert the system configuration? [confirm]!!The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flashSecurity context mode: multiple

This will also make a backup of your current configuration in the flash memory.

You should now be prompted to reboot. You will notice on reboot that there is a new configuration file, but also a file entitled 'admin.cfg' that holds the configuration for the admin context.

Note: After reboot, when connecting via serial you are connecting to your new admin context.

To revert use something like:

copy flash:old_running.cfg startup-config
mode single

0 comments:

Post a Comment