Virtual Firewalls (Contexts)

Scenario:

You have worked as a network engineer for many companies, but now you have started your own collocated datacenter. At the starting, due to budget constraints, you want to be smart and decided to share a single physical firewall (Cisco ASA) between two customers i.e. Customer-A and Customer-B.

Objectives:

  • Both customers should feel that they have a separate Firewall for them.
  • None of the Customers should be able to manage others firewall policies.
  • Customer-A has opted for Silver plan, so allocate the resources accordingly.
  • Customer-B has opted for Gold plan, so allocate the resources as per plan.

Physical Topology
Virtual Firewalls' Physical Topology

Logical Topology
Virtual Firewalls' Logical Topology



Download the gns3 topology here:
Multiple Contexts_solved.rar

Router IOS: c3725-advipservicesk9-mz.124-17.bin
ASA Software version: 8.4(2)
ASA Hardware: ASA 5520

Solution:

Solution to the above scenario is to create virtual firewalls (also called contexts) in Cisco ASA with three contexts, one for Customer-A, second for Customer-B, and the third one will be admin context for Management of the physical box with admin access. To create contexts on Cisco ASA, you'll need to enable multiple mode, using the following command:
CiscoASA(config)# mode multiple
after which you will be prompted to reboot the ASA. When you convert from single mode to multiple mode, the ASA converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The ASA automatically adds an entry for the admin context to the system configuration with the name "admin". After reboot, firewall will boot into multiple mode and we can proceed towards contexts configuration.
! Enable auto generation of mac-address for shared physical interfaces

mac-address auto


! enable the physical interfaces

interface GigabitEthernet0
no shutdown
!
interface GigabitEthernet1
no shutdown
!
interface GigabitEthernet2
no shutdown


! Create class and assign resources to the class
! that will be used for membership of contexts

class SILVER
  limit-resource Xlates 50
  limit-resource ASDM 2
  limit-resource Hosts 50
  limit-resource Conns 500
  limit-resource SSH 2
  limit-resource Telnet 2
!
class GOLD
  limit-resource Telnet 5
  limit-resource SSH 5
  limit-resource Conns 1000
  limit-resource Hosts 150
  limit-resource ASDM 5
  limit-resource Xlates 150


! allocate a physical interface to the admin
! context so that we can manage the box via SSH.

admin-context admin
context admin
  allocate-interface GigabitEthernet0
  config-url disk0:/admin.cfg

! Create and configure contexts for Customer-A and Customre-B

context Customer-A
  member SILVER
  allocate-interface GigabitEthernet0 Untrusted_Intf
  allocate-interface GigabitEthernet1 Trusted_Intf
  config-url disk0:/Customer-A.cfg
!
context Customer-B
  member GOLD
  allocate-interface GigabitEthernet0 Untrusted_Intf
  allocate-interface GigabitEthernet2 Trusted_Intf
  config-url disk0:/Customer-B.cfg

To switch back and forth at context and system execution space, use the following commands:
! In order to change to a context,

CiscoASA# changeto context <context name>


! In order to change to the system execution space

CiscoASA# changeto system

Now, let's configure the contexts. Let's first configure the admin context.
! Assign IP address, security level and name the interfaces

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0

! Enable SSH access as desired, here we'll allow SSH access for all

ssh 0.0.0.0 0.0.0.0 OUTSIDE
aaa authentication ssh console LOCAL


! configure a default route

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10


! create a user, which will be used to manage the context

username admin password *****

Now, configure the context Customer-A
! Assign IP address, security level and name the interfaces

interface Untrusted_Intf
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.100 255.255.255.0
!
interface Trusted_Intf
 nameif INSIDE
 security-level 100
 ip address 172.16.0.1 255.255.255.0

! Enable SSH access as desired, here we'll allow SSH access for all

ssh 0.0.0.0 0.0.0.0 OUTSIDE
aaa authentication ssh console LOCAL


! configure a default route

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10


! create a user, which will be used to manage the context

username user1 password *****

And configure  the context Customer-B
! Assign IP address, security level and name the interfaces

interface Untrusted_Intf
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.200 255.255.255.0
!
interface Trusted_Intf
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0


! Enable SSH access as desired, here we'll allow SSH access for all

ssh 0.0.0.0 0.0.0.0 OUTSIDE
aaa authentication ssh console LOCAL


! configure a default route

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10


! create a user, which will be used to manage the context

username user2 password *****


To save the configuration of system as well as all the context, us the following command from the system execution space.
CiscoASA# write memory all


You can change the admin context using the following command
admin-context <context_name>


You can see the existing contexts using show context command

CiscoASA# sh context
Context Name   Class     Interfaces        URL
*admin         default   GigabitEthernet0  disk0:/admin.cfg
 Customer-A    SILVER    GigabitEthernet0, disk0:/Customer-A.cfg
                         GigabitEthernet1  
 Customer-B    GOLD      GigabitEthernet0, disk0:/Customer-B.cfg
                         GigabitEthernet2  
Total active Security Contexts: 3



When you convert the mode of firewall from single to multiple using the command mode multiple, Cisco ASA saves a copy of running-config to flash: under the name of old_running.cfg, and creates a new context named admin with admin privileges. You can verify the config files in the flash using the dir command.

CiscoASA# dir
Directory of disk0:/
5    drwx  4096   11:21:46 Sep 03 2013  log
15   drwx  4096   11:21:56 Sep 03 2013  coredumpinfo
36   -rwx  2218   06:47:32 Oct 06 2013  old_running.cfg
37   -rwx  2093   03:21:18 Oct 08 2013  admin.cfg
38   -rwx  1913   03:21:21 Oct 08 2013  Customer-A.cfg
39   -rwx  1911   03:21:26 Oct 08 2013  Customer-B.cfg
20   drwx  4096   13:20:56 Sep 03 2013  boot
28   -rwx  0      09:27:40 Sep 04 2013  nat_ident_migrate
40   drwx  4096   09:39:28 Sep 06 2013  tmp
268136448 bytes total (267718656 bytes free)




Comments

Post a Comment

Popular posts from this blog

Specifying SSH port in Ansible Inventory

There may be some instances where you set a custom port for SSH on your network device. If ssh port for hosts is different than the default port 22, it can be specified in the inventory file with colon (:) after hostname. #vi inventory # Inventory file for Ansible   [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181   [XR] sbx-iosxr-mgmt.cisco.com:8181
Read more

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

 In this playbook, we we'll see how we can get display of multiple show commands in stdout_lines format. We can make use of loops (or with_items) for submitting multiple commands, but debug output with stdout_lines does not gives the formatted result as it would give for single command. So in case of multiple commands, we can debug the output of each command separately in stdout_lines format.
Read more

Filtering Routes in BGP using Route-maps and Prefix-list

Image
Order of preference of attributes in BGP The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates. For inbound updates the order of preference is:     route-map     filter-list     prefix-list, distribute-list For outbound updates the order of preference is:     prefix-list, distribute-list     filter-list     route-map NOTE: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor distribute-list or neighbor prefix-list) can be applied to each inbound or outbound direction for a particular neighbor. Scenario: We own the AS500 and advertising a network block of 192.0.2.0/24 and 180.179.179.0/16 to two different ISPs. Objectives: Configure router R1 to establish eBGP neighbor relationship with ISP1. Configure router R1 to establish eBGP neighbor relationship with ISP2. Advertise  192.0.2.0/24 network to ISP1 only. Advertise 180.179.179.0/16 network to ISP2 only. Receive routes having n
Read more

Ansible Playbook for Network OS Upgrade with pre and post checks

You have 100s of network switches or routers that you need to upgrade. How much time would it take for you to do the upgrades? There are a lot number of sub-tasks involved while upgrading IOS image of a Cisco router or a switch. This time of upgradation can be reduced through automation from various Enterprise Configuration Management tools that also have ability to upgrade network OS. Though these tools give an easy to use graphical interface, but this requires you to have appropriate license and also restricts you to customize your upgrade process.
Read more

Bypassing Proxy Server in Google Chrome

Image
There may be times when you might want to use Google Chrome and do not wish to use the proxy settings for which you are bound to use in Internet Explorer because of your company policies. If you try to change proxy settings in Google Chrome, by default it will open the System Internet Properties dialogue box, and most of the times, change in proxy setting options is restricted by domain group policy. So here is an alternate way to remove or disable proxy settings in Google Chrome. 1. Right click the GoogleChrome.exe and create it's shortcut. 2. Open the properties of the shortcut of GoogleChrome.exe created in previous step. 3. Here you have to edit the Target of this shortcut. You have to add   --proxy-server=""  after the existing path. You are done. Now enjoy the web browsing without any restrictions.
Read more

VMware NSX Traffic Flow — East-West & North-South

Image
Understanding how traffic is flowing in NSX environment is an important aspect to successfully maintain and troubleshoot networks having NSX. In this post we'll understand hop-by-hop flow of traffic in East-West and North-South directions. East-West: VMs on Same Subnet, Same Host VM-1 has IP address 172.16.20.6 and VM-2 has IP address 172.16.20.7 VM-1 vNIC è Logical Switch (Segment ID 5002) è VM-2 vNIC
Read more

Export or Backup Azure Network Security Groups into CSV using PowerShell

There could be many use cases where you may want to export Network Security Groups into CSV. You might have question, how to export or backup Azure Network Security Groups into CSV. Here is the PowerShell script that you can use to export Azure Network Security Groups into CSV using PowerShell script. This script will export Network Security Group along with rules of all Active subscriptions into a CSV.
Read more

Ansible-playbook for backing up running config of Cisco IOS

This ansible-playbook can be used to backup running configuration from Cisco IOS devices. You can refer to my earlier post Getting Started with your first ansible-playbook for Network Automation  to know about the parameters used in this playbook. Inventory file # Inventory file for Ansible [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181 [XR] sbx-iosxr-mgmt.cisco.com:8181 [all:vars] ansible_network_os=ios Playbook --- - name: Define Parameters   hosts: XE   gather_facts: no   connection: network_cli   tasks:    - name: backup the config      ios_config:       backup: yes      register: backup_config    - name: Store the config to directory      copy:       src: "{{ backup_config.backup_path }}"       dest: "/tmp/backups/{{ inventory_hostname }}" Running the playbook [prashant@Prashant-VM01 ~]$ ansible-playbook play03.yml -i /home/prashant/inventory -u developer -k SSH password: PLAY [Define Parameters] **********************************************
Read more