ASA Multimode Firewall _ 06

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Multimode firewall

Deployment recommendations

1. One ASA is virtualized into multiple firewalls (security contexts).

2. Contexts can share a physical interface (or the interface can be split into subinterfaces assigned to different firewalls).

3. Each context has its own configuration file, and the ASA has a system configuration (covering what is allocated to each context).

4. The firewall mode setting applies to the entire Cisco firewall; it cannot be partly routed and partly transparent.

5. Change the firewall mode (for example, to transparent mode) before creating contexts.

6. Firewalls in transparent mode cannot use shared interfaces.

7. When using a shared interface, specify a different MAC address on the shared interface for each context.

8. Pay attention to resource management so that one context cannot exhaust the resources.

Limitations

With security contexts (multiple mode), the following features are not supported:

- Dynamic routing protocols

- Multicast IP routing

- Threat detection

- × × ×

- Phone proxy

Configuration

When switching to multiple mode, the single-mode running configuration is converted into the system configuration and admin.cfg (the admin context configuration, which carries over the single-mode running configuration), and the original configuration file is saved as old_running.cfg.

Interfaces that are active in single mode are assigned to the admin context. Interfaces that are shut down in single mode are not assigned to any context.

A new context has no associated interfaces by default. Interfaces must be assigned to contexts in the system configuration, and an interface is also enabled in the system configuration. In routed mode, the same interface can be assigned to multiple contexts.

A new context cannot operate until you specify where its startup configuration is stored (disk0, ftp, tftp, https).

The admin context can manage the other contexts and the entire system. It can also be used as an ordinary firewall, but it usually serves as the management context.

How packets are classified to different contexts

- Exclusive

- Shared outbound interface: PAT the source IP of packets leaving through this interface. Return traffic can then be classified by destination IP.

- Shared inbound interface: set a MAC address for each context, manually or dynamically, so that packets enter different contexts according to their destination MAC.
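The checks below are an added example, not part of the original article: a small Python audit of a system configuration for three points made above (a context needs a startup configuration location, resource management should be applied, and shared interfaces need distinct MACs per context). The context names, class name and sample configuration are constructed; manually set per-context MACs live in each context's own configuration, so this check only recognizes `mac-address auto` in the system configuration.

```python
import re

# Constructed sample of a system configuration (hypothetical names, not from the article).
SAMPLE_SYSTEM_CFG = """\
admin-context admin
context admin
  member gold
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg
context ctxA
  member gold
  allocate-interface GigabitEthernet0/1
  config-url disk0:/ctxA.cfg
context ctxB
  allocate-interface GigabitEthernet0/1
"""

def parse_contexts(cfg):
    """Return ({name: {'ifaces', 'config-url', 'member'}}, mac_auto) from system config text."""
    contexts, current, mac_auto = {}, None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line closes any open context block
            m = re.fullmatch(r"context (\S+)", line)
            current = contexts.setdefault(m.group(1), {"ifaces": [], "config-url": None, "member": None}) if m else None
            mac_auto = mac_auto or line.startswith("mac-address auto")
        elif current is not None and " " in line:
            keyword, rest = line.split(None, 1)
            if keyword == "allocate-interface":
                current["ifaces"].append(rest.split()[0])  # ignore any mapped name
            elif keyword in ("config-url", "member"):
                current[keyword] = rest
    return contexts, mac_auto

def audit(cfg):
    """Report contexts without config-url or resource class, and shared interfaces without MAC handling."""
    contexts, mac_auto = parse_contexts(cfg)
    findings, users = [], {}
    for name, ctx in contexts.items():
        for iface in ctx["ifaces"]:
            users.setdefault(iface, []).append(name)
        if ctx["config-url"] is None:
            findings.append(f"{name}: no config-url, context cannot operate")
        if ctx["member"] is None:
            findings.append(f"{name}: no resource class assigned")
    for iface, names in users.items():
        if len(names) > 1 and not mac_auto:
            findings.append(f"{iface}: shared by {', '.join(names)}; set a distinct MAC per context")
    return findings
```

Calling `audit(SAMPLE_SYSTEM_CFG)` returns three findings, all caused by `ctxB` and the interface it shares with `ctxA`.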

ASA-1

    ASA/stby/pri(config)# show runn failover
    failover
    failover lan unit primary // use ASA-1 as primary device
    failover lan interface fo GigabitEthernet3
    failover key *
    failover mac address GigabitEthernet1 0001.0001.0001 0001.0001.0002
    failover mac address GigabitEthernet0 0001.0002.0001 0001.0002.0002
    failover mac address GigabitEthernet2 0001.0003.0001 0001.0003.0002
    failover link fo GigabitEthernet3
    failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
    failover group 1
     secondary
     preempt
    failover group 2
     preempt

ASA-2

    ASA/act/sec(config)# show runn failover
    failover
    failover lan unit secondary // use ASA-2 as secondary
    failover lan interface fo GigabitEthernet3
    failover key *
    failover link fo GigabitEthernet3
    failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
    failover group 1 // Note primary of group 1 is ASA-1
     secondary
     preempt
    failover group 2 // primary of group 2 is ASA-2
     primary
     preempt
