ASA Multiple Context Mode Configuration
Table of Contents
    1 Introduction (0h 37m)
    2 CCIE Security Preparation Resources (0h 50m)
    3 ASA Overview (0h 37m)
    4 Basic ASA Initialization (1h 02m)
    5 ASA Routing (0h 37m)
    6 ASA Reliable Static Routing (0h 20m)
    7 ASA Access Control Lists (ACLs) (0h 41m)
    8 ASA Modular Policy Framework (MPF) Overview (0h 53m)
    9 ASA Modular Policy Framework (MPF) Configuration (0h 51m)
    10 ASA Advanced TCP Inspection with MPF (0h 40m)
    11 ASA Advanced Application Inspection with MPF (0h 36m)
    12 ASA Quality of Service (QoS) (0h 30m)
    13 ASA Network Address Translation (NAT) Part 1 (0h 50m)
    14 ASA Network Address Translation (NAT) Part 2 (0h 30m)
    15 ASA Transparent Firewall Overview (0h 25m)
    16 ASA Transparent Firewall Configuration (0h 43m)
    17 ASA ARP Inspection with Transparent Firewall (0h 21m)
    18 ASA Multiple Context Mode Overview (0h 42m)
    19 ASA Multiple Context Mode Configuration (0h 59m)
    20 ASA Redundant Interfaces (0h 22m)
    21 ASA Failover Overview (0h 19m)
    22 ASA Active/Standby Failover Routed Firewall Configuration (0h 29m)
    23 ASA Active/Standby Failover Transparent Firewall Configuration (0h 17m)
    24 ASA Active/Active Failover Routed Firewall Configuration (0h 37m)
    25 ASA Multiple Context Transparent Firewall Configuration (0h 29m)
    26 ASA Active/Active Failover Transparent Firewall Configuration (0h 29m)
    27 IOS Access Control Lists (ACLs) (0h 23m)
    28 IOS Time Based ACLs (0h 13m)
    29 IOS Lock & Key Security with Dynamic ACLs (0h 24m)
    30 IOS Reflexive ACLs (0h 44m)
    31 IOS TCP Intercept and Content Based Access Control (CBAC) (0h 39m)
    32 Zone Based Policy Firewall Overview (0h 26m)
    33 Zone Based Policy Firewall Configuration (0h 44m)
    34 ZBPF Self Zone & ZBPF Exceptions (0h 48m)
    35 Port to Application Mapping (PAM) (0h 32m)
    36 ZBPF Parameter Tuning (0h 32m)
    37 ZBPF Application Inspection (0h 27m)
    38 IOS Transparent Firewall (0h 28m)
    39 IPsec Overview (0h 37m)
    40 IOS IPsec LAN-to-LAN Configuration (0h 58m)
    41 IPsec Troubleshooting (0h 42m)
    42 GRE over IPsec, IPsec Profiles, & VTIs (0h 51m)
    43 ASA IPsec Overview (0h 24m)
    44 ASA IPsec LAN-to-LAN Configuration (0h 20m)
    45 Certificate Authority (CA) Overview (0h 16m)
    46 IOS & ASA LAN-to-LAN IPsec with Certificates (0h 57m)
    47 Easy VPN Overview (0h 12m)
    48 IOS Easy VPN Server (1h 10m)
    49 IOS Easy VPN Client (0h 30m)
    50 IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles (0h 49m)
    51 ASA Easy VPN Server (0h 51m)
    52 ASA Easy VPN Server & IOS Easy VPN Client (0h 17m)
    53 ASA Clientless & AnyConnect SSL VPN (1h 04m)
    54 DMVPN (1h 05m)
    55 IPS Overview, Promiscuous Mode & SPAN (0h 43m)
    56 IPS Promiscuous Mode & RSPAN (0h 28m)
    57 IPS Blocking Devices & Custom Signatures (0h 50m)
    58 IPS Inline Mode, VLAN Pairing (0h 15m)
    59 IPS Virtual Sensors and Signature Engines (0h 16m)
    60 AAA Overview, Local AAA, & Role Based CLI (0h 51m)
    61 RADIUS, TACACS+, & Cisco Secure ACS Configuration (0h 51m)
    62 RADIUS & TACACS+ Exec Authorization & Accounting (0h 39m)
    63 TACACS+ Command Accounting (0h 30m)
    64 RADIUS & TACACS+ Enable Authentication (0h 14m)
    65 IOS Authentication Proxy (0h 33m)
    Total Duration: 39h 19m

Transcript
    0:00:13 In our next section here for the ASA we are going to look at the configuration
    0:00:17 of the multiple context mode
    0:00:20 where the basic configuration in the system mode is fairly straightforward
    0:00:24 and the first step we need to do
    0:00:27 is to change the ASA from the single context mode
    0:00:31 routed firewall
    0:00:32 to the multiple context mode
    0:00:34 which is simply the mode multiple command
    0:00:37 from global configuration
    0:00:39 Now when we do this
    0:00:41 it does require
    0:00:42 that the platform be rebooted
    0:00:45 and it is generally going to erase
    0:00:47 the configuration that you previously had in there
    0:00:50 So when you are switching from
    0:00:52 the single mode to multiple mode, if you want to retain some of your configuration
    0:00:56 you need to make sure to make a backup
    0:01:00 and you can use that later as
    0:01:01 either the admin context or a user-
    0:01:05 defined context
    0:01:07 So as we talk about the rest of the configuration, let's start with the first step
    0:01:12 So allow the ASA to
    0:01:14 reload
    0:01:15 So from asa1, I am going to go into global configuration
    0:01:19 right now if you look at the show mode and the show firewall
    0:01:23 we can see that it is in the single mode as a routed firewall
    0:01:27 So we are going to change this to multiple context mode
    0:01:33 So now it's going to reboot
    0:01:34 and then come back with a blank configuration in
    0:01:37 multiple context mode
    0:01:39 Now once we get back into the
    0:01:42 exec prompt, we are going to end up in the system context
    0:01:46 and again in the system context, this is where we are going to define
    0:01:50 what the other user-defined contexts are
    0:01:53 Now there will automatically be an admin context
    0:01:56 which we can use for remote access
    0:01:59 either with telnet, SSH or ASDM
    0:02:02 in order to manage the other contexts
    0:02:05 but for the user-defined ones
    0:02:07 we are going to do this in global configuration
    0:02:09 simply say context and then give it a case-sensitive name
    0:02:13 Now we will see as we get into the more details of the configuration
    0:02:17 and we are changing back and forth between the contexts
    0:02:20 as long as the name is not ambiguous
    0:02:24 which is similar to how the tab completion works in IOS
    0:02:28 then you do not necessarily have to type out the entire context name
    0:02:33 when you are changing between it after it is configured
    0:02:37 Now for example if I said that I had context
    0:02:40 abcdefg
    0:02:43 Now as long as I do not have another
    0:02:44 context that starts with the letter a
    0:02:47 to change to context abcdefg
    0:02:50 I could simply say changeto context a
    0:02:53 changeto context ab, changeto context abc, etc.
    0:02:58 so similar to the commands
    0:03:01 for tab completion in IOS
    0:03:03 as long as the first
    0:03:04 portion that you are typing in of the context name is unique
    0:03:07 or non-ambiguous
    0:03:09 then you will be able to changeto it without typing in the whole thing
    0:03:14 Now once we define the context
    0:03:16 the next thing we are going to do is actually allocate the interfaces
    0:03:20 Now again we can do this
    0:03:21 with the physical links, we can do this with the sub-interfaces
    0:03:26 and we can also do this with multiple
    0:03:28 interfaces being allocated between multiple contexts
    0:03:32 Now when we do this, we will have some sub-options here
    0:03:35 to specify what is going to be the name
    0:03:38 of the interface
    0:03:39 when we actually look at it inside the user context mode
    0:03:44 Now what I mean by this
    0:03:46 is that if we were to have a
    0:03:48 physical interface on the ASA
    0:03:51 which in this case we have the outside interface
    0:03:54 that is ethernet0/0
    0:03:57 I have two separate inside interfaces
    0:04:00 One of them is going to be for context
    0:04:04 we'll say this is context 1
    0:04:06 and this is context 2
    0:04:10 the physical names of the interfaces are ethernet0/1.117
    0:04:17 and ethernet0/1.118
    0:04:20 because these are going to be the dot1q sub-interfaces
    0:04:24 Now from the perspective of the system context
    0:04:28 I am going to know what the actual hardware identifier of the link is
    0:04:31 but I can configure an alias
    0:04:34 so that once an administrator of the actual context logs in
    0:04:39 they would simply see this as interface outside or
    0:04:43 interface inside
    0:04:45 so they won't necessarily know the hardware designation
    0:04:48 because I can specify the alias
    0:04:50 when I am actually allocating the interface
    0:04:52 to that individual sub context
    0:04:55 Now you don't necessarily have to do this
    0:04:57 but it can be a useful feature
    0:05:00 so that the end users of the context, if you are doing some sort of managed services
    0:05:05 then they don't need to know what
    0:05:07 the actual physical resources of the
    0:05:10 ASA are that you are carving up for the contexts
    0:05:14 So once we allocate the interfaces
    0:05:17 next thing we need to do is tell where we are going to store the configuration
    0:05:21 this is with the config-url command
    0:05:25 Now for the admin context as I mentioned, this is going to be admin.cfg
    0:05:31 on the flash, the disk0, depending on what platform you are using
    0:05:36 for the user context, we need to define what the specific
    0:05:40 file is that we are using
    0:05:41 and this can be a local file
    0:05:44 or it can be a
    0:05:46 remote file
    0:05:47 So when we make the changes
    0:05:49 in the actual user context mode
    0:05:52 it's going to be stored to this particular file
    0:05:55 So we can make just a backup of the file
    0:05:57 as we would the normal running config of the ASA
    0:06:03 Now, once we get to this point
    0:06:05 pretty much everything beyond this
    0:06:07 is going to be
    0:06:09 now the changes that are going to be made in the actual user context mode
    0:06:13 So we will specify
    0:06:14 that we want to changeto
    0:06:17 this context, or we want to enter the configuration mode of the context
    0:06:20 in this case we will say changeto context abc
    0:06:24 and we should see that the exec prompt
    0:06:27 for the parser is going to change
    0:06:30 to the ASA's hostname
    0:06:32 followed by a / [forward slash] and then the context name
    0:06:36 we are in asa/abc where asa is the hostname
    0:06:41 then that's telling us that we are in
    0:06:43 the context configuration mode of abc
    0:06:47 in any case that we see just the hostname on its own
    0:06:54 where we would say asa # [pound sign] as opposed to
    0:06:57 asa/abc
    0:06:59 the first one here
    0:07:01 indicates that you are in the system context
    0:07:04 where the second one indicates that you are in the user context
    0:07:09 Now once we are in the user context, if we want to leave that, we can say changeto system
    0:07:15 which is going to change us back to the system context
    0:07:18 or we can changeto admin, that's going to change us to the admin context
    0:07:21 but remember this specific command
    0:07:24 the changeto command
    0:07:26 is only available in either
    0:07:28 the system context or the admin context
    0:07:31 if I am logging directly into the user context via telnet, SSH or ASDM
    0:07:37 I am only going to be able to administer
    0:07:39 that particular context configuration
    0:07:43 Now, if we look at this, within the scope of
    0:07:45 this particular design
    0:07:47 where there are going to be two separate contexts
    0:07:50 that have unique inside interfaces
    0:07:53 but they are going to be sharing the same outside interface
    0:07:59 So what we will see here once we have the contexts configured
    0:08:02 that are connecting to the test PC and to switch2
    0:08:06 if I were to go to the PC's console and telnet into the asa
    0:08:11 it's going to allow me to manage just that individual context
    0:08:16 if I wanted to be able to get into the system context
    0:08:19 either I need to connect via console
    0:08:22 or I need to get remote access into the
    0:08:24 admin context
    0:08:27 So we will see that these interfaces we are going to allocate
    0:08:30 are for the user-defined contexts
    0:08:32 we can take the management interface of the asa
    0:08:35 or wherever else we want in the network
    0:08:37 and then allocate that to the admin context, just for the management
    0:08:44 So now let's take a look back at the command line, we can see that the
    0:08:47 asa has now reloaded
    0:08:50 it said that
    0:08:51 there is also a config-url on
    0:08:54 flash that is admin
    0:08:56 it doesn't show the rest of this, but this would be admin.cfg
    0:09:00 if now we look at the
    0:09:02 show mode
    0:09:05 and show firewall
    0:09:07 we are now in multiple context mode with the routed firewall
    0:09:11 if we wanted to change to transparent mode
    0:09:14 this is going to be under
    0:09:15 the individual contexts
    0:09:17 However the contexts have to agree
    0:09:21 on whether they are running
    0:09:22 either routed mode or transparent mode
    0:09:25 So we cannot have a mix, all the user contexts have to be routed
    0:09:28 or all of the user contexts have to be transparent
    0:09:34 So next let's go into global config
    0:09:37 we will give this box a hostname, we will say this is asa1
    0:09:41 and next step I want to
    0:09:42 make sure that the physical links are working
    0:09:45 before we can actually allocate them to the context
    0:09:48 So when we look at the show run here
    0:09:51 we will see that there is much less configuration
    0:09:54 than there normally would be when we are in the single context mode
    0:09:58 So I don't see any options that are related to the Modular
    0:10:01 Policy Framework inspections
    0:10:03 any type of timeouts that relate to xlates
    0:10:06 or individual host connections
    0:10:08 because those types of
    0:10:10 logical options
    0:10:12 are going to be configured under the individual context modes
    0:10:16 not the system context
    0:10:18 the system context is mainly just for three things
    0:10:22 it's for specifying
    0:10:24 the configuration of the interfaces
    0:10:26 from a physical point of view
    0:10:28 so the shutdown or no shutdown
    0:10:30 the speed or the duplex
    0:10:33 what are the resource allocations
    0:10:36 where here we have the default class that says
    0:10:39 we are limiting resources of all
    0:10:42 connections, all hosts, all xlates to 0
    0:10:45 which essentially means that when we create a context
    0:10:48 and it gets assigned its class default
    0:10:50 that it is not going to be limited
    0:10:53 as to how the
    0:10:54 the licensing numbers like the connections and xlates
    0:11:00 are split up between the individual user contexts
    0:11:04 So as I mentioned before
    0:11:06 in a real design typically you would want to limit them
    0:11:09 just to make sure that one context is not going to
    0:11:12 take all the resources
    0:11:14 that the other user contexts are trying to contend for
    0:11:21 then the next thing we have is
    0:11:23 the actual context names and their configurations
    0:11:27 So we see we have the admin context
    0:11:30 its name is admin
    0:11:32 and we have the url that is disk0
    0:11:36 : [colon] / [slash] admin.cfg
    0:11:38 So this is not just the normal flash
    0:11:40 If I were to say dir
    0:11:42 disk0
    0:11:44 we could see it's just a regular file
    0:11:46 that's stored on the
    0:11:49 flash drive, admin.cfg
    0:11:51 So if I were to say more
    0:11:53 admin.cfg
    0:11:55 this is going to show me the configuration that's in there
    0:12:00 So really there is nothing configured
    0:12:02 everything is default
    0:12:03 parameters here we can see default timeouts
    0:12:06 notice that there is no interfaces here
    0:12:09 because I have not yet allocated anything
    0:12:13 So what I am going to do, is for the admin context
    0:12:17 allocate it the management interface
    0:12:20 then the two user context
    0:12:22 that are going to be for the connection to switch1
    0:12:25 and then the connection to switch2
    0:12:27 I am going to allocate
    0:12:28 them both
    0:12:30 the outside interface
    0:12:32 So this will be our shared
    0:12:34 outside interface
    0:12:37 then these two sub interfaces
    0:12:40 these are going to be allocated separately
    0:12:42 as their inside links
    0:12:45 So this would then mean, from system context, I need to say, on ethernet 0/0
    0:12:49 make sure its not shut down
    0:12:51 Same as ethernet0/1
    0:12:54 no shut down
    0:12:55 but then I would need to specify, what are the particular sub interfaces
    0:13:00 what are the VLANs that are being encapsulated
    0:13:04 So this ethernet0/1 is going to be a trunk link
    0:13:07 and then additionally
    0:13:09 for the interface management 0/0
    0:13:13 that is not shut down as well
    0:13:16 So, now if I look at the show interface
    0:13:20 I just want to make sure here
    0:13:22 that the link state is up and up
    0:13:25 because this would be a property of the system context, not any of the user context
    0:13:31 if the link is up down, or the link is down down
    0:13:33 it's not the fault of the user context, it's going to be some sort of problem you will need to
    0:13:37 resolve in the system context
    0:13:42 So now I know that the links themselves are fine
    0:13:45 just the physical status of them
    0:13:48 next thing I am going to do
    0:13:49 is to actually create the different contexts
    0:13:52 and I am going to give them
    0:13:54 the different
    0:13:55 configurations, the config-urls, where the configuration is going to be stored
    0:13:59 and then do the allocation of the interface
    0:14:03 now I do have some previous configuration that I did before
    0:14:08 to setup a base config for this
    0:14:10 So what I am going to do is to delete
    0:14:13 from
    0:14:15 the disk0
    0:14:16 these two config files that I was using before
    0:14:19 because if I reference these
    0:14:22 as the config files for two different contexts
    0:14:26 then the configuration will already be built
    0:14:29 So you could potentially edit these config files offline
    0:14:32 load them onto the flash
    0:14:35 point the contexts at their file, and then it's going to use that configuration
    0:14:43 So next step, I am going to actually create the context, or say context
    0:14:48 and I am going to call the first one
    0:14:50 switch1-VLAN-117
    0:14:55 So in the case of our diagram this is going to be the
    0:14:58 portion up here, this is sw1-vlan-117
    0:15:06 Now it's kind of a
    0:15:08 complicated naming scheme that I am using here
    0:15:10 but since the top one and the bottom one
    0:15:13 after the 3rd character
    0:15:16 are unique names
    0:15:19 when I change between the contexts from here on out
    0:15:22 I can just say changeto context sw1
    0:15:25 or changeto context sw2
    0:15:28 I don't necessarily need to reference the entire name
    0:15:31 once the context is actually created
    0:15:34 So you can use any very descriptive name you want in the configuration
    0:15:38 and then you can still make it easy to change between them once they are actually created
    0:15:47 So again from here I am going to specify
    0:15:50 where am I going to save the config, the config
    0:15:54 I am going to save this on disk0 this is where the flash is on this platform
    0:15:59 and I will say, just the context's name
    0:16:05 .cfg
    0:16:07 So now its fairly obvious
    0:16:09 what context this configuration file is related to
    0:16:13 if I were just to do a directory
    0:16:15 listing on the flash
    0:16:18 Now this message here, it says, it's a warning message, it couldn't
    0:16:21 fetch the url
    0:16:23 this is normal, when the file does not already exist
    0:16:28 So if I already have the configuration from before
    0:16:31 I could create the context and say the configuration is already built, that's the file
    0:16:36 and instead of creating it
    0:16:38 it is just going to grab whatever file was there
    0:16:41 and this is the reason that I deleted it from flash
    0:16:44 before I rebuilt
    0:16:46 the configuration name
    0:16:49 next step would be to allocate the interfaces
    0:16:54 if you have the IPS
    0:16:56 security services module
    0:16:58 the AIP-SSM installed
    0:17:00 you can allocate different virtual sensors
    0:17:02 to the sub-contexts
    0:17:04 in this case for this platform, I don't have that module installed
    0:17:07 So the only thing I am going to allocate is the interfaces
    0:17:12 So to indicate the interface assigned to the context, this is going to be the physical link
    0:17:17 So I want to allocate ethernet
    0:17:19 0/0
    0:17:21 but from the context point of view
    0:17:24 I am going to say that this is the outside
    0:17:29 and we can also see it says you have an optional flag for publishing or hiding the hardware properties
    0:17:34 this would be things like interface counters
    0:17:37 when we look at the show interface
    0:17:40 So normally the user context would not be able to see this stuff
    0:17:43 unless we specifically say visible
    0:17:46 otherwise they are just going to see when I look at the show interface or show run
    0:17:50 the name of the interface not the nameif
    0:17:53 but the physical name that they would see is just interface outside
    0:17:59 I will specify that for
    0:18:01 this context, that e0/1.117
    0:18:07 is going to be their inside interface
    0:18:10 so the sub-interface
    0:18:12 is their inside link
    0:18:15 then I could also specify here
    0:18:18 what is the particular
    0:18:19 class that they are a member of
    0:18:22 So this would be if I wanted to limit any of the resources
    0:18:28 Now for the second context
    0:18:30 the configuration is going to be
    0:18:32 fairly similar to this
    0:18:34 I just need to give this a unique name
    0:18:36 and then allocate the interfaces little bit differently
    0:18:40 I will say that this is
    0:18:42 I have my first context there
    0:18:44 my second context
    0:18:46 has a unique name
    0:18:49 the outside interface is the same, so that's going to be shared
    0:18:53 the inside interface has a different sub-interface
    0:18:56 and I am giving it a different
    0:18:58 configuration url, different config file
    0:19:07 then lastly for the admin context
    0:19:11 I am going to allocate here
    0:19:14 the management interface
    0:19:17 so I will allocate interface
    0:19:19 management 0/0
    0:19:22 and I will say that
    0:19:23 this is
    0:19:27 management 0/0, and I will say they are allowed to see the
    0:19:31 physical parameters
    0:19:34 interface must start with a letter
    0:19:36 end with a letter or digit or hyphen
    0:19:38 interior characters only letters, digits and underscores, so I can't say 0/0
    0:19:42 I could say 0
    0:19:44 _0
    0:19:51 and then I will exit out of the
    0:19:53 context mode
    0:19:55 So from here this is pretty much all I need to do in the system context
    0:19:59 The only other change that I may need to make
    0:20:01 again would be to define a new class
    0:20:04 So maybe I have a class that is for
    0:20:06 context sw1
    0:20:09 that here it says, let's say context sw1
    0:20:16 that I want to limit the resources
    0:20:19 for the number of
    0:20:21 translations they can have, the number of xlates
    0:20:24 or the number of
    0:20:26 total connections
    0:20:27 the number of
    0:20:29 telnet sessions that they can have for management
    0:20:32 then if I were to go to the context mode
    0:20:35 by saying context
    0:20:37 sw1-vlan-117
    0:20:40 then I would put them as a member
    0:20:43 of whatever class that I am defining
    0:20:55 but at this point this is essentially the
    0:20:59 extent of all the changes I need to make in system mode
    0:21:02 the only other case that you are going to make
    0:21:04 additional changes here
    0:21:06 is that if you are doing active-active failover
    0:21:09 the majority of the failover configuration is going to go in the system context
    0:21:14 not in the user context
    0:21:16 and we look at that in detail in a little bit
    0:21:18 because it can be confusing
    0:21:21 to figure out what specific options are supposed to go under the user context
    0:21:25 and which ones are supposed to go under the system
    0:21:27 where in general you can categorize them as
    0:21:30 anything that is a physical function
    0:21:33 of the box is going to go into the system
    0:21:36 anything that is logical, like IP addressing
    0:21:39 or security policies, that type of stuff is going to the user context
    0:21:47 So the next thing I want to do here
    0:21:49 is to make sure that my underlying layer 2 network
    0:21:52 is configured correctly
    0:21:54 to match for what I want in the topology
    0:21:57 So for the physical connections to the asa1
    0:22:00 whatever layer2 switches that I am using
    0:22:02 I want to make sure that ethernet 0/1
    0:22:06 is running as a
    0:22:08 dot1q trunk
    0:22:10 and on this trunk I want to make sure that VLAN117
    0:22:14 and VLAN118 are forwarding over them
    0:22:17 and like we talked about before
    0:22:20 typically when you do this on a real design
    0:22:23 that you would want to limit
    0:22:24 the particular VLANs that are encapsulated on that interface
    0:22:28 because I don't want the asa to receive unnecessary broadcasts
    0:22:33 or unknown unicast , unknown multicast
    0:22:35 or VLAN that is not actually encapsulated
    0:22:39 then likewise on the outside interface I need to make sure this is assigned to the correct VLAN
    0:22:45 then I am actually going to have the management interface
    0:22:48 which is management 0/0
    0:22:51 that is going to be for my admin context
    0:22:55 Now I could put this wherever in the logical topology that I want.
    0:22:59 it doesn't necessarily have to be on the
    0:23:02 same logical segment that is part of the context, or part of the outside
    0:23:07 where in this particular case
    0:23:09 where I am going to put it
    0:23:10 is on this VLAN 10 segment
    0:23:14 that connects to the ACS
    0:23:18 So on this VLAN 10
    0:23:21 I will have the management 0/0, which is going to be in VLAN 10
    0:23:26 we will say that it has an address of 10.0
    0:23:29 .0.11/24
    0:23:33 so what this would then mean, if I wanted to SSH or wanted to telnet
    0:23:37 into asa1
    0:23:39 and manage the other contexts
    0:23:41 I can do that only if I log into the admin context
    0:23:46 again otherwise, I am going to have to do this physically from the console
    0:23:51 So next lets look at the
    0:23:54 the layer2 switches, if we look at the show
    0:23:58 interface status and I want to exclude the not connected links
    0:24:04 I want to know what are the physical assignments for
    0:24:08 these ASAs
    0:24:10 and again this is based on my documentation of the network
    0:24:16 So since the ASAs do not support CDP
    0:24:19 you are going to need some other method to figure out how these are actually physically wired
    0:24:24 where in my case asa1's
    0:24:27 ethernet0/0
    0:24:29 is assigned to VLAN
    0:24:32 113
    0:24:34 So this is from
    0:24:36 my previous configuration that was using the
    0:24:40 the transparent firewall
    0:24:42 So I actually need to change this, I need to say on this link fast ethernet 12
    0:24:46 I want to be in
    0:24:48 switchport access VLAN 111
    0:24:51 that's the link that is going to the
    0:24:53 outside portion of the network
    0:24:56 then I have the inside link
    0:25:00 which is e0/1
    0:25:03 this is configured as an access port in VLAN 114
    0:25:07 that's not what I want in this case
    0:25:09 I want it to be a trunk
    0:25:11 and I want the trunk to encapsulate VLANs 118 and 117
    0:25:16 that's what I am using there on the
    0:25:17 inside on the two contexts
    0:25:21 So I will say on fast ethernet 13
    0:25:24 switchport trunk
    0:25:26 switchport mode trunk
    0:25:28 the encapsulation is already set to dot1q
    0:25:32 and I want to say that the switchport
    0:25:34 trunk allowed VLANs
    0:25:36 include only 117 and 118
    0:25:40 this is going to cut down any of the
    0:25:42 unnecessary traffic
    0:25:44 that is going on in the layer 2 network
    0:25:48 then lastly I want to allocate
    0:25:50 my management interface
    0:25:52 which here is on fast ethernet 0/12
    0:25:56 I am going to put this in VLAN 10
    0:25:59 which is the one where the
    0:26:00 the ACS server is
    0:26:02 So I will say switchport
    0:26:04 mode access
    0:26:06 switchport access VLAN 10
    0:26:11 and I will say also
    0:26:13 spanning-tree portfast
    0:26:16 so this is an edge port for spanning tree
    0:26:21 So once I actually do the context configuration
    0:26:25 I know that the underlying layer2 network is not going to be a problem
    0:26:28 if I have some issue where I can't get basic ICMP connectivity
    0:26:33 lets say from
    0:26:34 switch 2 I can ping the test PC but I
    0:26:37 can't ping the asa
    0:26:39 then most likely that's an indication that there is a problem in
    0:26:42 the actual context config
    0:26:44 not the underlying layer 2 network
    0:26:48 So I want to make sure to verify any other layer 2 stuff first
    0:26:55 So now let's go to the management context, or the admin context more specifically
    0:27:00 and let's set up the link
    0:27:02 management 0/0 so I could telnet
    0:27:04 or SSH or ASDM in
    0:27:07 remotely
    0:27:08 So we are going to say changeto context admin
    0:27:13 So we can see now the prompt changes, it gives me the hostname
    0:27:17 / [forward slash] and then the context name, in this case it's admin
    0:27:20 if we look at the running config
    0:27:23 notice now I have the
    0:27:24 interface management 0
    0:27:27 underscore 0
    0:27:28 this is the alias that I gave it
    0:27:31 in the system context
    0:27:33 now this link
    0:27:36 and this is going to depend on the individual license that you have on the asa
    0:27:40 by default the management link has this keyword which is management-only
    0:27:45 it means that it will accept
    0:27:46 telnet, SSH and ASDM
    0:27:49 if you configure it
    0:27:50 but you cannot use it for actual transit of traffic
    0:27:54 if you did want to use it as
    0:27:56 a regular forwarding interface
    0:27:58 you could say no management-only
    0:28:01 and then that would be used as a regular
    0:28:03 routed link
    0:28:04 but in this case management-only is fine, because I just want to telnet in
    0:28:09 So from here I will say the nameif is
    0:28:12 inside
    0:28:13 I am going to give it a security level 100
    0:28:16 So that the traffic is allowed in on
    0:28:18 otherwise I would have to
    0:28:21 use an access-list to make sure I could get the telnet traffic to the ASA itself
    0:28:27 the ip address will be 10.0.0.11
    0:28:31 /24
    0:28:36 I will have the user name
    0:28:38 cisco, password - cisco
    0:28:42 my enable password also cisco
    0:28:45 So this type of information, this is on a
    0:28:47 per-context basis
    0:28:49 So the
    0:28:50 authentication and authorization I am doing in one context
    0:28:53 is completely different than the other one
    0:28:55 because again these are the logical options of its configurations
    0:29:00 then I want to specify on the
    0:29:02 the inside interface
    0:29:05 I am going to allow
    0:29:06 anyone to telnet
    0:29:08 So here telnet 0 0 this means don't check the addresses
    0:29:11 that are coming in the line
    0:29:14 So in a real design, typically this would be
    0:29:16 the
    0:29:17 the subnet or the individual addresses
    0:29:20 of where your management stations are located
    0:29:22 So who do you want to be able to telnet into the ASA, who do you want to be able to SSH
    0:29:27 this is kind of like a vty access-list
    0:29:30 that you would apply on the router
    0:29:35 So now if we look at the show IP
    0:29:38 we see management 0
    0:29:40 0 is named inside, it has an address
    0:29:43 10.0.0.11
    0:29:45 and ideally now
    0:29:47 I should be able to send traffic to
    0:29:49 to the devices that are around that segment
    0:29:51 like the ACS server and then
    0:29:54 the ASA2, actually ASA2 is unconfigured, because we are going to use that for something else later
    0:30:02 but now by looking at the
    0:30:04 the overall diagram
    0:30:06 what I want to do now
    0:30:08 to make sure that the admin context is working
    0:30:10 is I am going to go to the windows command line here
    0:30:14 and see if I can actually telnet to that .11 address
    0:30:18 so from the admin context if I am allowed access in there
    0:30:22 then I can do whatever administration changes that I want to
    0:30:26 because again the admin context is like the system context
    0:30:30 but it's for remote management, not for
    0:30:33 local console access
    0:30:42 So from the Windows machine's
    0:30:43 console, I am going to telnet to 10.0.0.11
    0:30:49 password is cisco
    0:30:51 the enable password is cisco, we can see now it sends me to admin context
    0:30:56 so from here I could change to system
    0:31:04 which we can see now sends us back
    0:31:06 to the system context
    0:31:08 or I could change to whatever other user context I want, so
    0:31:12 switch1
    0:31:14 change to context
    0:31:16 switch1 now that puts me in the VLAN 117 config
    0:31:20 I said change the context
    0:31:22 context sw2
    0:31:23 that's going to move me into the other one
    0:31:25 I could also change back to
    0:31:27 change to context admin
    0:31:33 So this is what's making the difference, so the admin context
    0:31:36 is allowed to use that change to command, the other user contexts cannot
    0:31:44 So, now let's take a look at the rest of the configurations, in the actual user contexts
    0:31:49 first thing I want to do is the basic normal initialization of the firewall
    0:31:54 which is going to be to
    0:31:55 assign the names to the interfaces
    0:31:57 assign the security levels
    0:31:59 assign the IP addresses
    0:32:01 and then get any basic routing working that I need
    0:32:04 Now again with the multiple context mode
    0:32:07 we can only use static routing, we cannot use dynamic routing
    0:32:11 So essentially what I am going to do
    0:32:13 is on both of these contexts individually
    0:32:16 simply say that I am
    0:32:17 going to want a default route out towards router1
    0:32:22 Now for the return traffic router1 would then need a route back
    0:32:26 to these individual segments
    0:32:29 because they are not doing any dynamic routing exchange
    0:32:32 So if we were to look at router1
    0:32:35 and the show IP route static
    0:32:37 I already have these two routes configured
    0:32:41 So one of them is for the VLAN 118 context
    0:32:44 one is for the VLAN 117
    0:32:48 Now these particular next hop values that I am using
    0:32:51 these would be the addresses that I would want to allocate
    0:32:54 on the outside interface
    0:32:57 of the individual user contexts
    0:33:01 So the addresses here
    0:33:03 would be
    0:33:07 for context VLAN
    0:33:10 now 117, the ASA is going to have the address 200.0.111.117
    0:33:17 where for the same
    0:33:19 physical link but the different logical context
    0:33:22 of the VLAN 118 is going to be 200.0.111.118/24
    0:33:31 So I need individual unique
    0:33:33 outside addresses
    0:33:34 for each of the contexts
    0:33:36 the inside addresses, it doesn't matter what I configure
    0:33:39 these can be overlapping
    0:33:41 because when we go through Network Address Translation
    0:33:44 the classifier is always going to be unique
    0:33:47 since I am going from the same
    0:33:50 inside addresses
    0:33:52 to unique outside addresses, like the 118 or the 117
    0:33:57 when the return traffic comes back in
    0:34:00 the NAT process or the
    0:34:01 xlate table specifically
    0:34:03 would know which context to return the traffic to
    0:34:07 whether it's really going to VLAN 118 or VLAN 117
    0:34:12 Now if I didn't want to do the NAT translation again
    0:34:15 I could change the MAC addresses
    0:34:18 to make sure that these
    0:34:19 unique ip addresses, the .117 and .118
    0:34:23 they would need to resolve to different layer2 addresses, different MAC addresses
    0:34:28 and again I could do that either under the
    0:34:31 system context with the MAC address auto
    0:34:34 or under the individual user context we can just specify MAC address manually
    0:34:41 So, next lets look at the VLAN
    0:34:44 117 config
    0:34:46 I am going to say change to
    0:34:50 change to system
    0:34:52 and before I am going to make any other changes, I am going to save my config
    0:34:56 Now normally you would say like
    0:34:59 copy run start or
    0:35:02 write mem or just wr
    0:35:06 but in the case that you are in multiple context mode
    0:35:10 If you want to save the system context
    0:35:13 plus all the user contexts
    0:35:16 we want to say write mem all
    0:35:21 So this is going to save the files for the system, for the admin
    0:35:25 and for sw1's VLAN 117 and sw2's VLAN 118
    0:35:32 so this is generally good practice to make sure that
    0:35:34 all the context configs are saved
    0:35:37 is to do this from the system mode and just say write mem all
    0:35:41 otherwise once I change to context
    0:35:45 sw1 or sw2
    0:35:47 when I issue the write or copy run start here
    0:35:50 it's going to save that individual file
    0:35:53 but I can do them all at the same time if I just say write mem all from the system context
    0:36:00 So next step from VLAN 117 lets look at the show interface
    0:36:04 and we see the interface outside and interface inside
    0:36:09 now these values here
    0:36:11 the actual strings of outside and inside
    0:36:14 these are not the nameifs
    0:36:18 these are the aliases
    0:36:20 that this particular user context is seeing for those links
    0:36:24 or in reality, these are interfaces ethernet 0/0
    0:36:28 and ethernet 0/1.117 respectively
    0:36:32 but from the context perspective they don't know that
    0:36:36 If I were to look at the show
    0:36:38 interface outside
    0:36:41 this is all the information that I got
    0:36:43 So I don't see any of the physical information
    0:36:46 if I were to change to context
    0:36:50 for the admin context
    0:36:53 and show interface
    0:36:55 for management 0/0
    0:36:57 notice that in this case I do have the physical statistics
    0:37:02 because from the system context
    0:37:05 when I allocated the interfaces
    0:37:09 I say for admin
    0:37:11 it is visible to them to have the physical
    0:37:15 counters of the link or the physical information about the
    0:37:18 the rest of the interface
    0:37:20 where the default on these ones is that it is invisible
    0:37:25 so any of the administrators of the user contexts
    0:37:29 they are normally not going to see that information
    0:37:33 So again lets go back to
    0:37:37 change to context
    0:37:40 sw1
    0:37:42 and now we are going to do our interface configurations
    0:37:45 so on our interface outside
    0:37:48 this will be my nameif outside
    0:37:51 the ip address
    0:37:53 will be 200.0.111.117
    0:38:01 and at this point assuming that the layer 2 network is working
    0:38:05 I should be able to get IP connectivity
    0:38:07 to router1's address which I can
    0:38:11 then for my interface inside
    0:38:14 this will be nameif inside
    0:38:18 this has an address, 192.168.117.11
    0:38:26 for the diagram
    0:38:31 and assuming this is working, I should be able to ping 192.168.117.7
    0:38:40 where this address is a VLAN interface
    0:38:45 a VLAN interface of switch1
    0:38:50 and likewise switch2
    0:38:52 has interface VLAN interface 118
    0:38:56 this is one of the hosts that we have on that end
    0:38:59 segment, on the VLAN 118
    0:39:05 So now from the context I have
    0:39:08 just my basic options configured, I have the interfaces up
    0:39:11 their names, their security levels, their addresses
    0:39:15 I don't have any routing configured yet
    0:39:18 So I am not actually going to be able to
    0:39:21 to transit traffic between the interfaces
    0:39:24 because I don't know any of the other destinations on the rest of the network
    0:39:28 Now if traffic is going to a connected destination
    0:39:32 in the case of switch1
    0:39:35 it is already pre configured with a static default route
    0:39:38 out towards the asa, towards that .11 address
    0:39:44 then I would
    0:39:45 for example, I telnet to router1's address
    0:39:52 I could see that traffic is going through that individual context
    0:39:57 So from the context mode
    0:40:00 for switch1's VLAN 117
    0:40:02 if we look at the show connections
    0:40:05 or the show connections detail
    0:40:07 this is going to show the individual inspections
    0:40:10 just for that context
    0:40:14 So now however I change my Modular Policy Framework
    0:40:17 maybe I want to do application inspections differently for VLAN 117 than VLAN 118
    0:40:23 that's going to be fine
    0:40:25 because they are different virtual firewalls
    0:40:27 so the configuration of one is not going to affect the other one
    0:40:33 Now what I did not do here
    0:40:35 was to change the MAC addresses on the links
    0:40:39 so from router1's perspective, if I look at the show arp
    0:40:44 the 117 address
    0:40:46 so this is the outside interface of the ASA
    0:40:49 has this address that ends in ab22
    0:40:54 Now if we go to the second context, let's change to
    0:40:58 context switch2
    0:41:01 and I am going to make the same type of changes that I did here with the
    0:41:05 the switch1 context
    0:41:08 but the main difference is just that some of the addressing is
    0:41:11 different, so I will say that, on outside this is the 118
    0:41:16 on inside it's 192.168.118.111
    0:41:40 and from here now I should be able to ping 192.168.118.8
    0:41:49 hey so this is working fine on the inside
    0:41:51 if I now try to send traffic to the outside
    0:41:55 let's say 111.1
    0:41:58 I do have reachability to router1
    0:42:01 and if I try to
    0:42:03 from switch2, telnet out
    0:42:06 because we know the TCP traffic is inspected automatically
    0:42:10 this is where we start to run into a problem
    0:42:14 because at this point
    0:42:16 the interfaces are shared on the outside interface
    0:42:22 there are unique IP addresses
    0:42:24 for the context
    0:42:26 but they are sharing the same layer 2 address
    0:42:30 So this now means from router1's perspective
    0:42:34 if we look at the arp cache
    0:42:36 the 117 and the 118
    0:42:40 have the same layer 2 address
    0:42:43 this means that when router1 goes to reply
    0:42:47 to traffic that is originated from switch2
    0:42:52 or to traffic that is originated by switch1
    0:42:56 when it actually builds its layer 2 header
    0:42:59 it's going to be using the same address
    0:43:03 regardless of where the packet is going to
    0:43:07 and this is where we run into trouble with the classifier
    0:43:10 because now ASA1
    0:43:12 when it is actually receiving traffic in the system context
    0:43:16 because the physical packets were always received on the physical interface
    0:43:20 the logical division is just inside
    0:43:23 to figure out what process internally do I send it to
    0:43:26 do I send it to the routing process that is related to the switch1 context
    0:43:31 or the separate routing process that's related to the switch2 context
    0:43:35 but it needs to make that decision where is it really going internally to my CPU
    0:43:41 but the problem is now it doesn't know how to do that, because it can't tell
    0:43:45 based on this layer 2 header
    0:43:47 where is the traffic really going to
    0:43:50 and the end result to this sometimes it can be
    0:43:52 a little bit unpredictable
    0:43:54 where sometimes the packets are going to go through
    0:43:58 sometimes the packets are not going to go through
    0:44:01 Now lets look at this in the case of
    0:44:03 let's say ICMP
    0:44:05 where for
    0:44:07 both of these
    0:44:09 contexts, so the switch1 and switch2 context
    0:44:12 just for simplicity, I am going to say
    0:44:15 access-list outside in
    0:44:17 permit icmp any any
    0:44:20 and access-group outside in
    0:44:25 in interface outside
    0:44:29 additionally I need a route
    0:44:31 out the outside link, so this is a default route
    0:44:35 that's pointing towards router1
    0:44:39 so this config, this is going to be identical, between the two of them
    0:44:42 So change to context switch1
    0:44:47 So I am setting up the routing
    0:44:49 which again is independent of the application inspection or any other security
    0:44:54 and then just for testing I am allowing all of the ICMP in
    0:44:58 So I could go to
    0:45:00 any one behind router1
    0:45:03 and ideally I should be able to ping switch2
    0:45:06 or I should be able to ping switch1
    0:45:09 So if this is working, then it's going to tell me that both contexts
    0:45:14 are correctly configured on ASA1
    0:45:20 So now let's actually try this, let's go to switch1
    0:45:23 and I am going to debug IP ICMP
    0:45:26 same thing on switch2
    0:45:30 then from the outside network
    0:45:33 now router2 already has the
    0:45:36 route to these destinations
    0:45:39 so those static routes that I configured on router1
    0:45:42 I have advertised those into the dynamic routing domain, OSPF
    0:45:47 So, specifically on router1 if we show run
    0:45:50 section router
    0:45:54 or show run
    0:45:56 include ip route
    0:45:59 I have those static routes for VLAN 117 and VLAN 118 networks
    0:46:04 and then I am advertising them into the dynamic routing domain
    0:46:09 because again we always need to think about basic layer 2 reachability
    0:46:13 and basic layer 3 reachability
    0:46:15 before we talk about any advanced applications on top of it
    0:46:18 where in the case of security, these filterings
    0:46:21 these are advanced applications, it's not basic layer 2, layer 3 reachability
    0:46:28 So now let's, from router1, if I ping
    0:46:30 the 117.7 address
    0:46:34 and I will give it a high repeat count
    0:46:37 then from router2
    0:46:42 I will ping the 118 address
    0:46:46 I want to see, are these packets even arriving
    0:46:50 on either of the devices or they are not
    0:46:55 Now if I look at the ASA and let's
    0:46:58 change to system
    0:47:02 and we will turn logging on, logging console 7
    0:47:05 and logging on
    0:47:27 and I may need to do this from
    0:47:30 admin then, let's say
    0:47:34 change to context switch1
    0:47:37 let's say logging on and logging console 7
    0:47:41 change context switch2
    0:47:45 logging on
    0:47:47 and then change to context admin
    0:47:56 and we will change to system
    0:47:59 so ideally the system should get all of the logs
    0:48:02 if we were sending them to the console
    0:48:08 but it looks like they are not even reaching the classifier
    0:48:11 let's try it from the inside out, let's ping
    0:48:14 200.0.111.1
    0:48:20 and we do get a log, built outbound ICMP connection
    0:48:24 for the address 200.0.111.1
    0:48:27 the gateway address is 117.7, so that's where it came from
    0:48:34 if we were to go to router1
    0:48:37 and lets say
    0:48:39 debug ip icmp
    0:48:41 or debug, lets debug ip packet detail
    0:48:46 and switch1 were to ping that address
    0:48:49 or switch1 were to
    0:48:52 telnet to that address
    0:48:54 we will see on router1
    0:48:56 that the packets are being received in
    0:48:59 and it is replying
    0:49:02 so the packet came from 117.7
    0:49:04 source port was 23
    0:49:07 it's going to, this is actually replying
    0:49:13 but the problem is, the ASA
    0:49:15 is not doing any of the logging, so it says I am trying to build the connection out
    0:49:21 but then something wrong is happening when it's coming back in
    0:49:25 and again this is a problem with the classifier
    0:49:30 where there are three possible ways
    0:49:32 that we can do the classification
    0:49:36 we can do it either with the unique physical
    0:49:39 interfaces or the sub interfaces
    0:49:42 the unique MAC addresses
    0:49:44 for the shared context
    0:49:45 or we could do it with the NAT translations
    0:49:49 So let's look at the third one using the NAT translations
    0:49:53 and then we will fall back to using the MAC addresses, we will leave it as the MAC addresses for the rest of the exercises
    0:49:59 since that is what is going to be the easiest
    0:50:02 when we are doing the shared interfaces
    0:50:04 Now again ideally you would separate these as physical links
    0:50:08 but that's just an issue of the
    0:50:10 of the physical resources you have, if the ASA only has 3 links
    0:50:14 then if you want 2 on the inside, 1 on the outside, you are going to have to share that outside link
    0:50:22 So let's now go to
    0:50:27 change to context switch1
    0:50:33 let's say no logging
    0:50:36 on console
    0:50:38 in global config, no logging console
    0:50:41 and let's just do a very basic NAT translation
    0:50:45 I am going to say as traffic comes in on the inside
    0:50:48 and it goes out
    0:50:50 I am going to translate it to the outside interface
    0:50:53 So we will say NAT as it comes in inside
    0:50:57 say this is rule number 1, I don't care where it is coming from
    0:51:01 the global pool is the outside
    0:51:04 this is rule number 1 and I am simply translating to my interface
    0:51:09 so this would be your simplest NAT configuration
    0:51:13 where I want to say for all traffic that comes in inside and leaves outside
    0:51:20 simply do an overload translation to that interface
    0:51:25 so if the ASA is going to a cable modem or DSL modem
    0:51:29 usually this is what your NAT configuration would look like
    0:51:32 then you are just overloading everything to whatever addresses are on the outside
    0:51:38 So now on switch1
    0:51:41 we could see now the traffic is going through the router1
    0:51:44 we look at the show users, we can see
    0:51:46 the traffic is coming from the 117
    0:51:50 but from the ASA's perspective when the flow comes back in
    0:51:55 it knows where to associate this
    0:51:57 because there is a unique xlate in the table
    0:52:01 So if we look at the detail here, show xlate detail
    0:52:05 based on the fact that there are always going to be
    0:52:09 unique port numbers that are assigned
    0:52:13 So if we look at
    0:52:15 this output of the show, xlate detail
    0:52:18 in addition to the show connection detail
    0:52:23 I must say look at that begin TCP
    0:52:28 and show connection detail, excuse me, show
    0:52:32 show connection detail begin tcp and show xlate detail
    0:52:38 so if we look at the two of these combined
    0:52:41 the ASA knows that there is a connection from
    0:52:45 117.7
    0:52:48 that, and actually let's clear this out to make it a little bit
    0:52:51 easier to read, let's say clear connection all
    0:52:55 and clear xlate
    0:53:06 so we will look at show xlate detail and then show
    0:53:11 connection detail, so when we look at the combination of these two together
    0:53:16 it says that there is a host on the inside
    0:53:19 who came from 117.7
    0:53:22 and this is being translated to 1... 17, 111.117
    0:53:30 for this particular flow its going to the address 111.1
    0:53:35 it's using port number 123
    0:53:38 now this random source port
    0:53:42 this is how the xlate table
    0:53:45 is going to keep them separate
    0:53:47 So assuming that you don't have
    0:53:49 over 65000 hosts, all trying to telnet at the same time
    0:53:55 then you are never going to have a problem
    0:53:58 because for tcp and udp we have ports in the range of 1 to 65535
    0:54:04 So the possible values, 65536 possible values
    0:54:10 so this means that every time I allocate a translation
    0:54:14 as long as the combination of this
    0:54:17 this and this end up being unique
    0:54:22 then the classifier can figure out, when the traffic comes back in who is it really going to
    0:54:31 okay there is a question here, how do you kill a single connection of show connections or show
    0:54:36 show connections or show xlate
    0:54:39 so lets look at, lets say show connections
    0:54:43 if I say clear connection
    0:54:47 I could say for the specific address
    0:54:50 So for
    0:54:56 200.0.111.1
    0:55:03 that's going to delete it, we could say like
    0:55:06 that particular address and then the second address, this would be the
    0:55:11 destination of the connection
    0:55:14 So if there is a very specific one that you need to delete you could match
    0:55:17 pretty much everything, the address, the mask, the protocol the port
    0:55:21 the same will be true of the
    0:55:23 clear xlate
    0:55:26 or I could say what's the interface, interface is inside
    0:55:30 then what's the, the local port, what's the remote port
    0:55:34 you would have some unique information that you can use to match against it
    0:55:41 okay so again this is one of the ways by using the Network Address Translation
    0:55:46 Now from switch2's perspective
    0:55:49 I am still not able to send that traffic out
    0:55:51 because there is no way
    0:55:53 for the classifier to figure out
    0:55:55 what's going on in the switch2, VLAN 118 context
    0:56:04 So again the other method we could change to
    0:56:10 No logging console
    0:56:14 change to context sw2
    0:56:19 I will now say on interface outside
    0:56:22 I will just give it a new MAC address
    0:56:27 so let's see if it will take any random formula, let's say 0 0 0 0
    0:56:31 0 0 0 0 . 0 0 0 1
    0:56:37 So now from switch2
    0:56:40 we could see immediately the traffic flows that were
    0:56:43 trying to work before now they are working
    0:56:47 so switch2, if I were to telnet out
    0:56:55 let's telnet to 200.0.111.1
    0:57:01 and router1, if we look at the show arp
    0:57:04 since now the 117 and the 118
    0:57:08 have unique mac addresses
    0:57:12 when I send a layer2 frame back to the asa
    0:57:15 and it's really trying to get to the context sw2 VLAN 118
    0:57:20 the ASA is going to know that the destination mac address
    0:57:23 should be all 0s and a 1
    0:57:26 but if anything comes in for ab22
    0:57:29 that's really going in for the sw1 context
    0:57:36 So again you could allocate these manually
    0:57:39 or you could go to the system context, we could say change to system
    0:57:42 and then in global config say mac address auto
    0:57:47 so then this is just going to
    0:57:49 automatically generate them
    0:57:52 again at router1, if we look at the show arp now
    0:57:56 we could see this is the
    0:57:59 the automatic address that it allocated
    0:58:02 but the one that I am configuring, in the second context, this is overriding
    0:58:06 its automatic allocation
Title: CCIE Security Advanced Technologies Class
Duration: 39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
© 2003 - 2012 INE All Rights Reserved