SLTechnology News&Howtos > Network Security (Shulou.com), report of 06/01, updated 2025-03-01
Security Context
1. Overview of security contexts
Since version 7.0 the ASA has supported virtual firewalls, called security contexts, within a single device. Multiple contexts behave like multiple independent devices: each context has its own set of security policies (NAT, ACLs, routing and so on). Multiple context mode supports almost everything that can be configured on a stand-alone device, but some features are not supported, such as VPN and dynamic routing protocols.
The ASA 5505 does not support multiple contexts. The 5510 and higher models do, but only two contexts are included without an additional license.
The ASA runs in single context mode by default; you must switch to multiple context mode before contexts can be used.
(1) System execution space
Switching to multiple mode puts you in the system execution space. It holds the global configuration: physical interface properties, trunk (subinterface) configuration, resource limits, context definitions and so on.
(2) Context attributes
Each context has a name, a set of allocated interfaces, and a configuration file (config-url) that stores the context's own configuration. The ASA automatically creates a context named admin, the admin context, which is used to manage the device.
2. Configuring security contexts
(1) Switch to multiple mode
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to disk0
The admin context configuration will be written to disk0
The new running configuration file was written to disk0
Security context mode: multiple
...
The ASA reboots after switching to multiple mode.
After the reboot the default configuration looks like this:
ciscoasa# show run
: Saved
:
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
interface Ethernet0/0
 shutdown
interface Ethernet0/1
 shutdown
interface Ethernet0/2
 shutdown
interface Ethernet0/3
 shutdown
interface Management0/0
 shutdown
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
  config-url disk0:/admin.cfg
prompt hostname context
Cryptochecksum:410be16e875b7302990a831a5d91aefd
: end
Verify the current mode:
ciscoasa# show mode
Security context mode: multiple
(2) Configuring the system execution space
1) Configure the interfaces
An interface is either a physical interface or a subinterface. Trunking has been supported since version 6.3, with 802.1Q encapsulation only. On the ASA 5510 and higher, trunks are configured through subinterfaces; the ASA 5505 does not support subinterfaces.
Configuration example
ciscoasa(config)# interface ethernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface ethernet0/1.10
ciscoasa(config-subif)# vlan 10
ciscoasa(config)# interface ethernet0/1.20
ciscoasa(config-subif)# vlan 20
2) MAC addresses on shared interfaces
Several contexts can share the same interface (physical interface or subinterface). In that case each context should use a different MAC address on the shared interface, assigned either manually or automatically; the ASA uses the destination MAC address to classify incoming packets to the right context.
Contexts in routed mode can share interfaces; transparent mode does not allow interfaces to be shared.
Command to assign MAC addresses automatically:
ciscoasa(config)# mac-address auto
3) Create a context
The ASA creates the admin context automatically when switching to multiple mode, as seen in the default configuration above. The administrator creates additional contexts as needed.
- Create a context named context_name
ciscoasa(config)# context context_name
- Allocate an interface to the context
ciscoasa(config-ctx)# allocate-interface physical_if_name[.subif] [map_name]
The map_name parameter gives the interface an alias, which is the name the interface is known by inside the context.
- Specify the configuration file
ciscoasa(config-ctx)# config-url URL
Configuration example
ciscoasa(config)# context CTX1
ciscoasa(config-ctx)# allocate-interface ethernet0/1.10 int1
ciscoasa(config-ctx)# allocate-interface ethernet0/1.20 int2
ciscoasa(config-ctx)# config-url disk0:/CTX1.cfg
- View the context configuration
ciscoasa# show context
4) Limit resource usage
All contexts share the resources of the device. Limiting the resources each context may consume keeps one context from affecting the others.
Resource limits are defined in classes. Every context uses the default class unless a specific class is defined and assigned to it; settings in that class override the default class.
- Define and configure a class
ciscoasa(config)# class {default | resource_class_name}
ciscoasa(config-class)# limit-resource all 0
ciscoasa(config-class)# limit-resource asdm sessions
ciscoasa(config-class)# limit-resource ssh sessions
ciscoasa(config-class)# limit-resource telnet sessions
ciscoasa(config-class)# limit-resource hosts hosts
ciscoasa(config-class)# limit-resource mac-addresses addresses
ciscoasa(config-class)# limit-resource rate inspect inspects/second
ciscoasa(config-class)# limit-resource [rate] conns {conns | xx%}
ciscoasa(config-class)# limit-resource rate syslogs logs/second
ciscoasa(config-class)# limit-resource xlates {xlates | xx%}
limit-resource all 0 means that no resource is limited (a value of 0 is unlimited).
By default a context is allowed 5 Telnet and 5 SSH sessions, and 65535 MAC address table entries.
- Assign a custom class to a context
ciscoasa(config)# context context_name
ciscoasa(config-ctx)# member resource_class_name
Configuration example
ciscoasa(config)# class resource-CTX1
ciscoasa(config-class)# limit-resource asdm 3
ciscoasa(config-class)# limit-resource ssh 3
ciscoasa(config-class)# limit-resource conns 40%
ciscoasa(config)# context CTX1
ciscoasa(config-ctx)# member resource-CTX1
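The checks a practitioner wants before handing contexts to separate tenants, written here as an added example in Python rather than the ASA CLI the page uses (this is not code from the original article or from Cisco): it parses a constructed system execution space configuration and flags shared interfaces configured without mac-address auto, percentage conns limits that add up to more than 100% across contexts, and contexts left with an unlimited connection budget. The class, context and interface names in the sample are assumptions.

```python
"""Lint an ASA system execution space config for multi-context pitfalls.

Added example, not from the original article or from Cisco. It parses the
system-space running-config (context blocks, class blocks, mac-address auto)
and reports: interfaces allocated to several contexts while mac-address auto
is off; percentage conns limits adding up to more than 100% across contexts,
which the ASA accepts silently; and contexts whose effective conns limit is
0 (unlimited). The sample configuration below is constructed for this example.
"""
import re
from collections import defaultdict

SAMPLE_SYSTEM_CONFIG = """\
no mac-address auto
class default
  limit-resource All 0
  limit-resource ASDM 5
class resource-CTX1
  limit-resource conns 60%
class resource-CTX2
  limit-resource conns 50%
admin-context admin
context admin
  allocate-interface Ethernet0/1.20 mgmt
context CTX1
  allocate-interface Ethernet0/1.10 int1
  allocate-interface Ethernet0/1.20 int2
  member resource-CTX1
context CTX2
  allocate-interface Ethernet0/1.10 int1
  member resource-CTX2
"""

def parse_system_config(text):
    """Return (contexts, classes, mac_auto) parsed from system-space config text."""
    contexts = {}              # context name -> {"interfaces": [...], "member": class}
    classes = {"default": {}}  # class name -> {resource: value string}
    mac_auto = False
    block = None               # ("context" | "class", name) currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue
        if not raw.startswith(" "):           # a top-level line closes any open block
            block = None
            if line == "mac-address auto":
                mac_auto = True
            elif m := re.match(r"context (\S+)$", line):
                contexts.setdefault(m.group(1), {"interfaces": [], "member": "default"})
                block = ("context", m.group(1))
            elif m := re.match(r"class (\S+)$", line):
                classes.setdefault(m.group(1), {})
                block = ("class", m.group(1))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "context":
            if m := re.match(r"allocate-interface (\S+)", line):
                contexts[name]["interfaces"].append(m.group(1))
            elif m := re.match(r"member (\S+)", line):
                contexts[name]["member"] = m.group(1)
        elif m := re.match(r"limit-resource (rate )?(\S+) (\S+)", line):
            # resource names are case-insensitive on the ASA ("All", "ASDM")
            classes[name][(m.group(1) or "") + m.group(2).lower()] = m.group(3)
    return contexts, classes, mac_auto

def effective_limit(classes, class_name, resource):
    """Resolve a context's limit: the class's own value, else its `all` value,
    else the default class; the string "0" means unlimited (the ASA default)."""
    for cls in (classes.get(class_name, {}), classes["default"]):
        if resource in cls:
            return cls[resource]
        if "all" in cls:
            return cls["all"]
    return "0"

def lint(text):
    """Return human-readable findings for a system-space config text."""
    contexts, classes, mac_auto = parse_system_config(text)
    findings, owners, pct_total = [], defaultdict(list), 0.0
    for ctx_name, ctx in contexts.items():
        for ifc in ctx["interfaces"]:
            owners[ifc].append(ctx_name)
    for ifc, names in sorted(owners.items()):
        if len(names) > 1 and not mac_auto:
            findings.append(f"interface {ifc} shared by {', '.join(names)} without mac-address auto")
    for ctx_name, ctx in contexts.items():
        conns = effective_limit(classes, ctx["member"], "conns")
        if conns.endswith("%"):
            pct_total += float(conns[:-1])
        elif conns == "0":
            findings.append(f"context {ctx_name} has unlimited conns (class {ctx['member']})")
    if pct_total > 100:
        findings.append(f"conns oversubscribed: {pct_total:g}% allocated across contexts")
    return findings
```

Feed lint() the output of show running-config taken in the system execution space; an empty list means none of the three conditions was found. On the constructed sample it reports both shared subinterfaces, the admin context's unlimited connection budget, and a total of 110% of the connection table promised to CTX1 and CTX2.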
(3) Managing contexts
Once a context has been created you can switch into it to configure it.
1) Switch between the system execution space and a context
ciscoasa# changeto {system | context context_name}
Configuration example
ciscoasa# changeto context CTX1
ciscoasa/CTX1#
ciscoasa/CTX1# changeto system
ciscoasa#
2) Save the configuration
Running write memory or copy running-config startup-config inside a context saves only that context's configuration. To save the configuration of every context together with the system execution space, run the following command in the system execution space:
ciscoasa# write memory all
3) Delete a context
To delete a specific context, run the following command in the system execution space:
ciscoasa(config)# no context context_name
To delete all contexts, use clear configure context.
3. Security context configuration case study
As shown in Figure 5.3, an ASA 5510 is configured with multiple contexts in routed mode, with a different policy in each context. The address pool used for NAT translation is 209.165.201.0/29.
Figure 5.3 ASA multiple context network topology
The configuration steps on the ASA 5510 are as follows.
(1) Switch to multiple mode
ciscoasa(config)# mode multiple
(2) Configure the interfaces
ciscoasa(config)# interface e0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface e0/0.1
ciscoasa(config-subif)# vlan 2
ciscoasa(config)# interface e0/0.2
ciscoasa(config-subif)# vlan 4
ciscoasa(config)# interface e0/0.3
ciscoasa(config-subif)# vlan 6
ciscoasa(config)# interface e0/1.1
ciscoasa(config-subif)# vlan 3
ciscoasa(config)# interface e0/1.2
ciscoasa(config-subif)# vlan 5
ciscoasa(config)# interface e0/1.3
ciscoasa(config-subif)# vlan 7
ciscoasa(config-subif)# exit
(3) Create the contexts
context1 and context2 need to be created; the admin context already exists, so only its interfaces need to be allocated.
ciscoasa(config)# context context1
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.1 outside_context1
ciscoasa(config-ctx)# allocate-interface Ethernet0/1.1 inside_context1
ciscoasa(config-ctx)# config-url disk0:/context1.cfg
ciscoasa(config-ctx)# exit
ciscoasa(config)# context context2
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.2 outside_context2
ciscoasa(config-ctx)# allocate-interface Ethernet0/1.2 inside_context2
ciscoasa(config-ctx)# config-url disk0:/context2.cfg
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.3 outside_admin
ciscoasa(config-ctx)# allocate-interface Ethernet0/1.3 inside_admin
(4) Configure the admin context
ciscoasa(config)# changeto context admin
ciscoasa/admin(config)# interface outside_admin
ciscoasa/admin(config-if)# nameif outside
ciscoasa/admin(config-if)# security-level 0
ciscoasa/admin(config-if)# ip address 192.168.6.1 255.255.255.0
ciscoasa/admin(config-if)# no shutdown
ciscoasa/admin(config-if)# exit
ciscoasa/admin(config)# interface inside_admin
ciscoasa/admin(config-if)# nameif inside
ciscoasa/admin(config-if)# security-level 100
ciscoasa/admin(config-if)# ip address 192.168.7.1 255.255.255.0
ciscoasa/admin(config-if)# no shutdown
ciscoasa/admin(config-if)# exit
ciscoasa/admin(config)# route outside 0 0 192.168.6.2
ciscoasa/admin(config)# nat-control
ciscoasa/admin(config)# nat (inside) 1 0 0
ciscoasa/admin(config)# global (outside) 1 209.165.201.1
ciscoasa/admin(config)# access-list ACLoutside permit icmp any any
ciscoasa/admin(config)# access-group ACLoutside in interface outside
(5) Configure context1
ciscoasa/admin(config)# changeto context context1
ciscoasa/context1(config)# interface outside_context1
ciscoasa/context1(config-if)# nameif outside
ciscoasa/context1(config-if)# security-level 0
ciscoasa/context1(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa/context1(config-if)# no shutdown
ciscoasa/context1(config-if)# exit
ciscoasa/context1(config)# interface inside_context1
ciscoasa/context1(config-if)# nameif inside
ciscoasa/context1(config-if)# security-level 100
ciscoasa/context1(config-if)# ip address 192.168.3.1 255.255.255.0
ciscoasa/context1(config-if)# no shutdown
ciscoasa/context1(config-if)# exit
ciscoasa/context1(config)# route outside 0 0 192.168.2.2
ciscoasa/context1(config)# nat-control
ciscoasa/context1(config)# nat (inside) 1 0 0
ciscoasa/context1(config)# global (outside) 1 209.165.201.2-209.165.201.4
(6) Configure context2
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# interface outside_context2
ciscoasa/context2(config-if)# nameif outside
ciscoasa/context2(config-if)# security-level 0
ciscoasa/context2(config-if)# ip address 192.168.4.1 255.255.255.0
ciscoasa/context2(config-if)# no shutdown
ciscoasa/context2(config-if)# exit
ciscoasa/context2(config)# interface inside_context2
ciscoasa/context2(config-if)# nameif inside
ciscoasa/context2(config-if)# security-level 100
ciscoasa/context2(config-if)# ip address 192.168.5.1 255.255.255.0
ciscoasa/context2(config-if)# no shutdown
ciscoasa/context2(config-if)# exit
ciscoasa/context2(config)# route outside 0 0 192.168.4.2
ciscoasa/context2(config)# nat-control
ciscoasa/context2(config)# nat (inside) 1 0 0
ciscoasa/context2(config)# global (outside) 1 209.165.201.5-209.165.201.6
ciscoasa/context2(config)# access-list INTERNET remark Inside users may only reach HTTP and HTTPS servers on the outside
ciscoasa/context2(config)# access-list INTERNET permit tcp any any eq http
ciscoasa/context2(config)# access-list INTERNET permit tcp any any eq https
ciscoasa/context2(config)# access-group INTERNET in interface inside
(7) Save the configuration
ciscoasa/context2(config)# changeto system
ciscoasa(config)# write memory all
(8) Other configuration and verification
1) The trunk on the edge router is likewise built from subinterfaces. The router also needs a specific route for the NAT pool 209.165.201.0/29 and a default route to the Internet.
2) Verify that all three hosts can reach the Internet.
3) View the flash in the system execution space of the ASA
ciscoasa# sh flash
...
11  -rw-  1973  00:42:03 Sep 16 2009  old_running.cfg
12  -rw-  1733  07:52:20 Sep 16 2009  admin.cfg
15  -rw-  1680  07:52:21 Sep 16 2009  context1.cfg
18  -rw-  1680  07:52:23 Sep 16 2009  context2.cfg
The configuration file saved by each context is visible. old_running.cfg is the original single mode configuration, saved automatically when the device was converted to multiple mode.
4) Restore single mode
ciscoasa(config)# copy flash:old_running.cfg startup-config
ciscoasa(config)# mode single
The ASA then reboots.
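A cross-context consistency check for the case study above, as an added example in Python (not part of the original article or of any Cisco tool). Because each context is an independent firewall, the ASA does not notice when two contexts translate to the same global address, when a pool address falls outside 209.165.201.0/29, or when a nat id has no matching global pool and nat-control silently drops the traffic. The context configurations in the block are constructed from the nat and global commands of steps (4) to (6); BROKEN_CONTEXT2 is a constructed variant that exhibits the three failure modes.

```python
"""Cross-check the per-context NAT configuration of the case study.

Added example, not part of the original article or any Cisco tool. It parses
the `nat` / `global` lines of each context's configuration and reports:
  * nat ids without a matching global pool (dropped under nat-control);
  * global addresses outside 209.165.201.0/29 or on its network/broadcast
    address (the edge router only routes the /29 back to the ASA);
  * global addresses claimed by more than one context.
The context configs below are constructed from the commands in the case study.
"""
import ipaddress
import re

POOL = ipaddress.ip_network("209.165.201.0/29")

CONTEXT_CONFIGS = {
    "admin": """\
nat-control
nat (inside) 1 0 0
global (outside) 1 209.165.201.1
""",
    "context1": """\
nat-control
nat (inside) 1 0 0
global (outside) 1 209.165.201.2-209.165.201.4
""",
    "context2": """\
nat-control
nat (inside) 1 0 0
global (outside) 1 209.165.201.5-209.165.201.6
""",
}

# Constructed variant of context2 with three mistakes: a second nat id without
# a global pool, a range overlapping context1's pool, and the broadcast address.
BROKEN_CONTEXT2 = """\
nat-control
nat (inside) 1 0 0
nat (inside) 2 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.4-209.165.201.7
"""

def parse_nat(config):
    """Return ({global_id: set(IPv4Address)}, {nat_id}) from a context config."""
    globals_by_id, nat_ids = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \(\S+\) (\d+) ", line):
            nat_ids.add(int(m.group(1)))
            continue
        # "global (outside) 1 A[-B] [netmask M]"; the lazy group stops at the dash
        m = re.match(r"global \(\S+\) (\d+) (\S+?)(?:-(\S+))?(?:\s.*)?$", line)
        if not m or m.group(2) == "interface":   # PAT to the interface address
            continue
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3)) if m.group(3) else first
        globals_by_id.setdefault(int(m.group(1)), set()).update(
            ipaddress.ip_address(n) for n in range(int(first), int(last) + 1))
    return globals_by_id, nat_ids

def check_contexts(configs, pool=POOL):
    """Return findings across all contexts; an empty list means consistent."""
    findings, owner = [], {}
    for name, cfg in configs.items():
        globals_by_id, nat_ids = parse_nat(cfg)
        for nat_id in sorted(nat_ids - set(globals_by_id)):
            findings.append(f"{name}: nat id {nat_id} has no global pool")
        for addr in sorted(a for s in globals_by_id.values() for a in s):
            if addr not in pool or addr in (pool.network_address, pool.broadcast_address):
                findings.append(f"{name}: {addr} is not a usable host address in {pool}")
            elif addr in owner:
                findings.append(f"{name}: {addr} is already allocated to {owner[addr]}")
            else:
                owner[addr] = name
    return findings

if __name__ == "__main__":
    print("case study:", check_contexts(CONTEXT_CONFIGS) or "no findings")
    print("broken:", check_contexts(dict(CONTEXT_CONFIGS, context2=BROKEN_CONTEXT2)))
```

The pools of the case study (.1, .2-.4, .5-.6) pass; the broken variant reports the orphaned nat id 2, the reuse of 209.165.201.4 already given to context1, and 209.165.201.7 as the broadcast address of the /29. To run this against a live device, paste the output of show running-config nat and show running-config global from each context into CONTEXT_CONFIGS.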