CCIE Security: Multiple context firewalls (Part 2)

After the issues in the previous post about Multiple context firewalls, I went off and made use of my INE All Access pass subscription, and watched the two videos on the subject. I really couldn’t see what I was doing wrong, the steps Brian went through did not look any different to the ones I was doing. Confusion still reigned.

So after a night’s sleep (well, a morning’s sleep as I stayed up till 1am playing Fallout 4), I decided to scale it back a bit, and (almost) start from scratch.

Now it works!

Multiple context firewalls
Here is the configuration for the Multiple context firewall:

LA-FW# sh run
ASA Version 8.4(2) 
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
 shutdown
!             
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet1 insideC1 
  config-url disk0:/C1.cfg
!             
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet2 insideC2 visible 
  config-url disk0:/C2.cfg
!
prompt hostname context 
: end
LA-FW#

As you can see, the Ethernet1 interface is allocated to the C1 context, without any VLAN information (as it is NOT a shared interface). Similarly, Ethernet2 is allocated to the C2 context.

Here are the configurations for the contexts:

LA-FW# changeto con C1
LA-FW/C1# sh run
ASA Version 8.4(2) 
!
hostname C1
!
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.252 
!
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network INSIDE-NAT-SUBNETS
 network-object 20.5.5.0 255.255.255.0
 network-object 20.5.6.0 255.255.255.0
 network-object 20.5.7.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-list outside->in extended permit icmp any any echo-reply 
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.20.1 1
: end
LA-FW/C1# 
LA-FW/C1# changeto con C2
LA-FW/C2# 
LA-FW/C2# sh run
ASA Version 8.4(2) 
!
hostname C2
!
interface outsideC2
 nameif Outside
 security-level 0
 ip address 198.250.30.2 255.255.255.252 
!
interface insideC2
 nameif Inside
 security-level 100
 ip address 20.6.6.1 255.255.255.0 
!
object network Customer2
 subnet 20.6.6.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.30.1 1
: end
LA-FW/C2# 
LA-FW/C2# 
LA-FW/C2# changeto system
LA-FW#

Now we can ping from the routers in the different contexts to the LA-FW context IP addresses:

LA-C1#ping 20.5.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/16 ms
LA-C1#

LA-C2#ping 20.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
LA-C2#

The LA1 router needs to be set up (again, I thought I had done this, but maybe I didn’t save the configuration!):

LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encapsulation dot 20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#no sh
LA1(config-subif)#
LA1(config-subif)#int gi 0/0.30
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encap dot 30
LA1(config-subif)#ip add 198.250.30.1 255.255.255.252
LA1(config-subif)#

We now have connectivity from LA-FW to the LA1 router:

LA-FW/C1# ping 198.250.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C1# 
LA-FW/C1# changeto con C2
LA-FW/C2# ping 198.250.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C2#

A bit of redistribution:

LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red connect metric 1
LA1(config-router-af)#

And we have routes:

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.20.0/30 is subnetted, 1 subnets
D EX     198.250.20.0 
           [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.30.0/30 is subnetted, 1 subnets
D EX     198.250.30.0 
           [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
NY2#

We have connectivity from the LA-FW to the 3.3.3.3 loopback:

LA-FW/C2# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C2# changeto con C1
LA-FW/C1# ping 3.3.3.3   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C1#

But I do need to fix something (either NAT or routing on the context “hosts”), and packet-tracer is where to start. Unfortunately, I did a packet-tracer, and the router crashed. Second time around, packet tracer gave the all-clear:

LA-FW/C1# packet-tracer input Inside icmp 20.5.5.2 0 0 3.3.3.3 det
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd1373a0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd13b298, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd47d5a8, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0xbd47c588, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd13ae70, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0xbd13a488, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

LA-FW/C1#

Do you notice anything missing, though? Yep, no NAT… It looks like when I reconfigured the interfaces, the NAT command was removed. Let’s put it back in:

LA-FW/C1(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C1(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C1(config)#

Now we have success!!!!

LA-C1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/14/22 ms
LA-C1#

Let’s fix the other context:

LA-FW/C2(config)# object-group network INSIDE-NAT-SUBNETS
LA-FW/C2(config-network-object-group)# network-object 20.6.6.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.7.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.8.0 255.255.255.0
LA-FW/C2(config-network-object-group)# exi
LA-FW/C2(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C2(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C2(config)#

It works for the second context as well:

LA-C2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
LA-C2#
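The "no NAT" state that packet-tracer exposed above, and then the same fix in the second context, is easy to miss by eye, so here is a small checker, added here and not the post's own code, that parses a context config for the facts used in the post (nameif, security-level, ip address, object-group, nat, access-list and access-group lines) and reports any inside subnet with no dynamic source NAT over it. While it has the ACL parsed, it also flags an inbound Outside ACL that permits ip any any, which both contexts in the post carry. The sample config is constructed from the post's C1 context with the nat line left out.

```python
import ipaddress, re
# Constructed from the post's C1 context config, nat line omitted on purpose.
C1_CFG = """\
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.252
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0
object-group network INSIDE-NAT-SUBNETS
 network-object 20.5.5.0 255.255.255.0
access-list outside->in extended permit ip any any
access-group outside->in in interface Outside
"""
NAT_LINE = "nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface\n"

def parse(cfg):
    ifaces, groups, nat, acl, bound, cur, grp = {}, {}, [], {}, {}, {}, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "interface":           # new interface block: reset per-interface state
            cur, grp = {}, None
        elif t[0] in ("nameif", "security-level"):
            cur[t[0]] = t[1]
        elif t[:2] == ["ip", "address"] and "nameif" in cur:
            ifaces[cur["nameif"]] = (ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                     int(cur.get("security-level", 0)))
        elif t[:2] == ["object-group", "network"]:
            grp, groups[t[2]] = t[2], []
        elif t[0] == "network-object" and grp:
            groups[grp].append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "nat":
            nat.append(" ".join(t))
        elif t[0] == "access-list":
            acl.setdefault(t[1], []).append(" ".join(t))
        elif t[0] == "access-group":      # access-group NAME in interface IFACE
            bound[t[-1]] = t[1]
    return ifaces, groups, nat, acl, bound

def find_issues(cfg):
    ifaces, groups, nat, acl, bound = parse(cfg)
    nat_re = re.compile(r"nat \((\S+),\S+\) .*source dynamic (\S+)")
    # (inside interface, subnet) pairs that some dynamic source NAT translates
    covered = {(m.group(1), n) for m in map(nat_re.match, nat) if m
               for n in groups.get(m.group(2), [])}
    issues = [f"no dynamic NAT covers {net} behind {ifn}" for ifn, (net, lvl) in ifaces.items()
              if lvl and not any(i == ifn and net.subnet_of(n) for i, n in covered)]
    issues += [f"{a} on {ifn} permits ip any any inbound" for ifn, a in bound.items()
               if any(" permit ip any any" in e for e in acl.get(a, []))]
    return issues
```

Running find_issues(C1_CFG) reports both the missing NAT and the open ACL; find_issues(C1_CFG + NAT_LINE) leaves only the ACL finding, which matches what the packet-tracer run and the ping tests above showed.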

Wonderful! As it turns out, multiple context configuration is not all that hard; it’s just a couple of commands per context, and after that, it’s no different to setting up a regular ASA. I am glad it worked today; if it had not, then I am not sure what my next steps were going to be (apart from asking other people). But now I have end-to-end connectivity between the two contexts, and the NY2 loopback(s), from different ASA contexts, through the MPLS cloud, through a transparent firewall, and onto the end destination.

Things are shaping up pretty well, and I haven’t had to resort to ASDM (yet). Usually, I hardly ever touch the ASA CLI, and now this is really starting to push me more, which is the whole idea behind these studies.

Next up will be the configuration of the London firewalls, but not today. My boys need Lego building and I need another coffee.

Happy weekend all!

Oh, one final tip I picked up from the INE videos – use “wr mem all” under the system context to save everything:

LA-FW# wr mem all
Building configuration...
Saving context :           system : (000/003 Contexts saved) 
Cryptochecksum: 71b164a0 daea0c41 451c6344 3f3803aa 

1765 bytes copied in 0.160 secs
Saving context :            admin : (001/003 Contexts saved) 
Cryptochecksum: 1fa07e8d c5853280 5cc9f91f 7db4eb43 

1525 bytes copied in 0.170 secs
Saving context :               C1 : (002/003 Contexts saved) 
Cryptochecksum: cc1f9db0 56a702be 6112fb7b 71b13455 

2405 bytes copied in 0.160 secs
Saving context :               C2 : (003/003 Contexts saved) 
Cryptochecksum: 3f8ba835 ca4016d9 7770dcfe e3a4d37d 

2168 bytes copied in 0.170 secs
[OK]                                                         
LA-FW#

As you can see, multiple context firewalls can be done, with a little trial and error!