Skills Tested
Initialize and configure the Cisco ASA as a multi-context firewall. It is important to understand the functions and services available when the Cisco ASA is configured in this mode, knowing they will vary depending on the version of the OS software installed.
The ability to integrate the security appliance into a complex network topology, understanding that the surrounding infrastructure (for example, switches and routers) also must be configured correctly.
A good understanding of basic IP networking including IP addressing, IP routing, and Cisco Catalyst switch port and VLAN configuration.
Solution and Verification
This exercise is fairly simple, but the correct configuration of the Cisco ASA is fundamental to ensuring that the traffic flows, which will be identified in later exercises, can pass through ASA1 securely and as expected.
It is important to be familiar with ASA show commands and their output to be able to validate the solution.
Connectivity and configuration is verified using pings from ASA1 to various major subnets in the topology. Without all devices operational, not all subnets, as shown in Diagram 2 in Part I, are accessible. The packet-tracer command on the ASA can be used to verify that at least ASA1 is properly configured to reach any subnet in the topology.
In the verification output that follows, each command shown is a required task and the output that follows it is the output required to confirm that task.

Basic Parameters
ASA1# changeto system

Check that the hostname is ASA1:

ASA1# show hostname
ASA1

Verify that the firewall mode is routed (Router), not transparent:

ASA1# show firewall
Firewall mode: Router
Verify whether the mode is multi-context:
ASA1# show mode
Security context mode: multiple
Verify whether three contexts are defined and interfaces are correctly applied in the system execution space:
ASA1# show context
Context Name      Class      Interfaces                              URL
*admin            default    GigabitEthernet0/2.2                    disk0:/admin.cfg
 c2               default    GigabitEthernet0/0,GigabitEthernet0/1,  disk0:/c2.cfg
                             GigabitEthernet0/3
 c1               default    GigabitEthernet0/0,GigabitEthernet0/2.1 disk0:/c1.cfg
Total active Security Contexts: 3
Verify that the VLAN IDs have been assigned correctly. If the subinterfaces are not up, check your switch port configuration and make sure it is set to trunking and allowing VLANs 101 and 102:
ASA1# show int gigabitEthernet 0/2.1
Interface GigabitEthernet0/2.1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 101
        Available for allocation to a context

ASA1# show int gigabitEthernet 0/2.2
Interface GigabitEthernet0/2.2 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 102
        Available for allocation to a context

Admin Context Parameters
ASA1# changeto context admin
Verify that the nameif name uses the correct format (nameif names are case sensitive) and that the security level is set to 100:

ASA1/admin# show nameif
Interface                Name        Security
Management0/0            mgmt        100

Verify the interface assignment, status, and IP addressing:
ASA1/admin# show interface ip brief
Interface                IP-Address      OK? Method Status  Protocol
GigabitEthernet0/2.2     192.168.1.20    YES manual up      up

Verify the default route for the admin context:
ASA1/admin# show route
Gateway of last resort is 192.168.1.5 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, mgmt
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.5, mgmt
Verify the IP address, interface, and name assignment. The system IP addresses are the addresses configured for the active role; the current IP addresses are the ones this unit is using right now. Because no failover is deployed, the two sets always match. If this ASA were the standby unit of a failover pair, the current IP addresses would show the standby addresses rather than the system (active) addresses.
ASA1/admin# show ip address
System IP Addresses:
Interface                Name        IP address      Subnet mask      Method
GigabitEthernet0/2.2     mgmt        192.168.1.20    255.255.255.0    manual
Current IP Addresses:
Interface                Name        IP address      Subnet mask      Method
GigabitEthernet0/2.2     mgmt        192.168.1.20    255.255.255.0    manual

Verify that the management interface is set to management-only:
ASA1/admin# show interface
Interface GigabitEthernet0/2.2 "mgmt", is up, line protocol is up
        MAC address 1200.0202.0100, MTU 1500
        IP address 192.168.1.20, subnet mask 255.255.255.0
  Traffic Statistics for "mgmt":
        138 packets input, 10938 bytes
        715 packets output, 27076 bytes
        0 packets dropped
  Management-only interface. Blocked 0 through-the-device packets
Verify admin context connectivity, which is limited to the part of the network where key servers such as a syslog server and DNS are located:
ASA1/admin# ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1/admin# ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Context c1 Parameters
ASA1# changeto context c1
Verify that the nameif names use the correct format (nameif names are case sensitive) and that the security levels are set correctly:

ASA1/c1# show nameif
Interface                Name        Security
GigabitEthernet0/0       outside     0
GigabitEthernet0/2.1     inside      100

Verify the interface assignment, status, and IP addressing:
ASA1/c1# show interface ip brief
Interface                IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0       10.50.80.20     YES manual up      up
GigabitEthernet0/2.1     192.168.2.20    YES manual up      up

Verify the default route for the user context c1:
ASA1/c1# show route
Gateway of last resort is 10.50.80.6 to network 0.0.0.0

C    10.50.80.0 255.255.255.0 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.50.80.6, outside
Verify the IP address, interface, and name assignment. The system IP addresses are the addresses configured for the active role; the current IP addresses are the ones this unit is using right now. Because no failover is deployed, the two sets always match. If this ASA were the standby unit of a failover pair, the current IP addresses would show the standby addresses rather than the system (active) addresses.
ASA1/c1# show ip address
Verify connectivity from context c1:

ASA1/c1# ping 192.168.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1/c1# ping 10.50.70.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.70.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1/c1# ping 10.50.90.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.90.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Context c2 Parameters
ASA1# changeto context c2
Verify that the nameif names use the correct format (nameif names are case sensitive) and that the security levels are set correctly:

ASA1/c2# show nameif
Interface                Name        Security
GigabitEthernet0/0       outside     0
GigabitEthernet0/1       dmz         50
GigabitEthernet0/3       inside      100

Verify the interface assignment, status, and IP addressing:
ASA1/c2# show interface ip brief
Interface                IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0       10.50.80.30     YES manual up      up
GigabitEthernet0/1       10.50.90.20     YES manual up      up
GigabitEthernet0/3       10.50.100.20    YES manual up      up

Verify the default route for the user context c2:
ASA1/c2# show route
Gateway of last resort is 10.50.80.6 to network 0.0.0.0

S    10.10.0.0 255.255.0.0 [1/0] via 10.50.100.2, inside
C    10.50.100.0 255.255.255.0 is directly connected, inside
C    10.50.90.0 255.255.255.0 is directly connected, dmz
C    10.50.80.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.50.80.6, outside
Verify the IP address, interface, and name assignment. The system IP addresses are the addresses configured for the active role; the current IP addresses are the ones this unit is using right now. Because no failover is deployed, the two sets always match. If this ASA were the standby unit of a failover pair, the current IP addresses would show the standby addresses rather than the system (active) addresses.
ASA1/c2# show ip address
Verify connectivity from context c2:

ASA1/c2# ping 10.50.90.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.90.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1/c2# ping 10.50.70.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.70.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1/c2# ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1/c2# ping 192.168.2.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1 Configuration
! System Execution Space
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
ip address 192.168.1.20 255.255.255.0
management-only
!
route mgmt 0.0.0.0 0.0.0.0 192.168.1.5 1

! Context c1
ip address 10.50.80.20 255.255.255.0
!
interface GigabitEthernet0/2.1
 nameif inside
 security-level 100
 ip address 192.168.2.20 255.255.255.0
!
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.50.80.6 1

! Context c2
ip address 10.50.80.30 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.50.90.20 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.50.100.20 255.255.255.0
!
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 10.50.80.6

Tech Notes
In this exercise, static routes were defined in such a way as to direct context-to-context traffic through the Cisco Intrusion Prevention Sensor (IPS). Traffic that must be forwarded between contexts c1 and c2 will do so via R6, which means it will pass through the sensor twice.
In some situations, it might be acceptable to pass traffic directly between contexts on the Cisco ASA, bypassing the sensor. This can be accomplished by adding the following static routes:

c1 to c2:

route outside 10.50.100.0 255.255.255.0 10.50.80.30

c2 to c1:

route outside 192.168.2.0 255.255.255.0 10.50.80.20

Note
In later versions of Cisco ASA software (starting with 9.0), dynamic routing protocols such as OSPFv2 and EIGRP are supported in multiple context mode and can be used in lieu of static routes.
Note
The Cisco ASA is capable of hosting an IPS module that can be used as a replacement for the standalone Cisco IPS sensor. The network administrator should be aware of any differences in the capabilities of each sensor implementation (standalone versus integrated) to find the most appropriate solution for a customer environment.
This configuration uses the concept of a shared outside interface: GigabitEthernet0/0 is allocated to both c1 and c2. By default, every context that shares a physical interface uses that interface's burned-in MAC address, so c1 and c2 would both answer ARP for their outside addresses with the same MAC. Upstream devices such as R6 would then see two IP addresses mapped to one MAC in their ARP cache, and the ASA itself could not use the destination MAC to decide which context an arriving packet belongs to. Using the mac-address auto command in the system execution space is the quickest way to assign a unique MAC address to each context. To verify that this command has been configured correctly, check the ARP cache on R6 and note distinct MAC addresses for each ASA1 context IP address:
R6# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.50.80.20             13  1200.0000.0400  ARPA   Ethernet0/0
Internet  10.50.80.30             98  1200.0000.0300  ARPA   Ethernet0/0
The Cisco ASA classifies an incoming packet to its destination context using the following criteria, in order:

1. Unique interface (the ingress interface is allocated to only one context)
2. Unique MAC address (the destination MAC belongs to only one context)
3. Address translation policies (the destination address matches a NAT rule in only one context)
In this exercise, the outside interface of ASA1 is shared, and as yet no NAT rules are defined, so the use of unique MAC addresses is critical for correct packet classification.
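As an added example that is not part of the lab's configuration listing (which shows only the context-level commands), the following is the system execution space configuration that produces the allocations shown in show context and enables mac-address auto for the shared outside interface. The interface allocations, config-url paths and VLAN IDs are taken from the show context and show interface output in this solution; the no shutdown lines and the order of the stanzas are assumptions.

```cisco
! System execution space of ASA1 (added example; allocations from "show context")
!
! "mode multiple" is entered once from the CLI and reloads the unit; the mode
! is stored outside the running configuration, so it does not appear in it.
! mode multiple
!
hostname ASA1
!
! Physical ports are enabled here; nameif, security-level and IP addressing
! are configured inside each context, not in the system execution space.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! 802.1Q subinterfaces: the VLAN tag is the only logical parameter set here.
interface GigabitEthernet0/2.1
 vlan 101
interface GigabitEthernet0/2.2
 vlan 102
!
! Assign a distinct MAC address to every context on a shared interface so the
! classifier can pick the destination context by destination MAC (criterion 2)
! instead of falling back to NAT rules (criterion 3), of which there are none yet.
mac-address auto
!
! The admin context must be designated before it can be defined.
admin-context admin
context admin
 allocate-interface GigabitEthernet0/2.2
 config-url disk0:/admin.cfg
!
! c1 and c2 both receive GigabitEthernet0/0: this is the shared outside interface.
context c1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2.1
 config-url disk0:/c1.cfg
!
context c2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/3
 config-url disk0:/c2.cfg
```

After mac-address auto is applied, the MAC address line of show interface inside c1 and inside c2 must differ for GigabitEthernet0/0, and the R6 ARP cache must list a different hardware address for 10.50.80.20 and 10.50.80.30. If the two entries share a MAC, the command has not taken effect and the contexts will still be classified by NAT rules alone.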
On ASA1, interface GigabitEthernet0/2 is also shared, in this case using subinterfaces/VLANs. Note that the VLAN identifier is defined in the system execution space, with the remainder of the logical parameters (nameif, security level, IP address) applied at the context level (admin and user). The switch port supporting multiple VLANs should be configured as a trunk port.
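The switch side of that trunk, as an added example that is not from the original solution. VLANs 101 and 102 and the ASA port GigabitEthernet0/2 come from the solution above; the Catalyst port name GigabitEthernet1/0/1 and the VLAN names are assumptions.

```cisco
! Catalyst switch port facing ASA1 GigabitEthernet0/2 (added example;
! the port name and the VLAN names are assumed)
vlan 101
 name ASA1-c1-inside
vlan 102
 name ASA1-admin-mgmt
!
interface GigabitEthernet1/0/1
 description Trunk to ASA1 Gi0/2 (subinterfaces .1 = VLAN 101, .2 = VLAN 102)
 ! Required on platforms that also support ISL; rejected on 802.1Q-only switches
 switchport trunk encapsulation dot1q
 ! Carry only the VLANs the ASA subinterfaces expect; prune everything else
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 ! The ASA does not run DTP, so do not offer negotiation on this port
 switchport nonegotiate
 ! A firewall port is an edge port: skip the listening/learning delay
 spanning-tree portfast trunk
!
! Verification on the switch:
!   show interfaces GigabitEthernet1/0/1 trunk
!   show interfaces GigabitEthernet1/0/1 switchport
! Both commands must list 101 and 102 as allowed and active on the trunk.
```

If either VLAN is missing from the allowed or active list, tagged frames for that VLAN are dropped at the switch and the corresponding ASA context cannot reach its next hop (192.168.1.5 for admin, 192.168.2.x hosts for c1) even though the ASA subinterfaces report up/up, because their state follows the physical link rather than the VLAN.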
In this design, the Management0/0 interface is assigned to the admin context for management-only purposes. This means the interface accepts only traffic destined to or sourced from the appliance itself; through-the-device traffic is blocked, as the "Blocked 0 through-the-device packets" counter in show interface confirms. To enable this interface to forward traffic through the appliance, management-only mode must be disabled on the interface.