CCIE Security: Multiple context firewalls (Part 1)

Multi-context firewalls give us a tenancy-like setup: different “customers” can all share one firewall, each in their own security context.

To set this up we need to change the firewall mode from single to multiple, which triggers a reboot of the firewall:

ciscoasa(config)# hostname LA-FW
LA-FW(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
LA-FW(config)# mode multiple 
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] 
Convert the system configuration? [confirm] 
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple 

*** --- SHUTDOWN NOW ---
*** Message to all terminals:
***   change mode
Process shutdown finished

Once the firewall has come back up again we can check the mode:

LA-FW# sh mode
Security context mode: multiple 

OK, so far so good! Can we connect up to the LA1 router?

LA-FW(config)# int e0
LA-FW(config-if)# ip add
ERROR: % Invalid input detected at '^' marker.
LA-FW(config-if)# ip add                            
LA-FW(config-if)# ?     

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface
  speed          Configure speed operation

Nope, not in this mode we cannot. Time to hit Google. This page was useful:

So, it looks like we need to do a bit of a redesign (again)…

We want two user contexts, as well as an admin one. Each is built on a pair of VLANs, so we’ll use:

  • VLAN 10 – Admin – VLAN 11
  • VLAN 20 – C1 – VLAN 21
  • VLAN 30 – C2 – VLAN 31

It’s all VLAN based, so we need to put an L2 switch between the FW and the LA1 router, and then add more connections or sub-interfaces.

This is what I ended up with:

LA-FW(config-ctx)# sh run
ASA Version 8.4(2) 
hostname LA-FW
interface Ethernet0
interface Ethernet0.10
 vlan 10
interface Ethernet0.20
 vlan 20
interface Ethernet0.30
 vlan 30
interface Ethernet1
interface Ethernet1.21
 vlan 21
interface Ethernet2
interface Ethernet2.31
 vlan 31
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
admin-context admin
context admin
  config-url disk0:/admin.cfg
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet1.21 insideC1 
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet2.31 insideC2 
  config-url disk0:/C2.cfg
prompt hostname context 

I ran into some issues here: notice that I do not have a config-url entry for the C1 context. We do need one:

LA-FW(config-ctx)# changeto context C1
ERROR: Context hasn't been initialized with 'config-url'
LA-FW(config-ctx)# changeto context C2
LA-FW/C2(config)# exi
LA-FW/C2# changeto system
LA-FW(config)# context C1
LA-FW(config-ctx)# config-url disk0:/C1.cfg

WARNING: Could not fetch the URL disk0:/C1.cfg
INFO: Creating context with default config
LA-FW(config-ctx)# changeto context C1
LA-FW/C1(config)# interface outsideC1
LA-FW/C1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
LA-FW/C1(config-if)# ip address
LA-FW/C1(config-if)# no shut
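The config-url error above is easy to catch before you try to change into the context. The following is an added example (my own code, not from the post) that parses the system context's show run output and reports any context without a config-url, or one that allocates an interface the system config never defines; the sample config is a constructed, trimmed copy of the output shown earlier, with C1's config-url left out as it was when I hit the error.

```python
import re

# Constructed sample: the context section of the 'show run' output above,
# trimmed to the lines the parser uses, with C1's config-url missing.
SAMPLE_CONFIG = """\
interface Ethernet0.20
interface Ethernet0.30
interface Ethernet1.21
interface Ethernet2.31
admin-context admin
context admin
  config-url disk0:/admin.cfg
context C1
  allocate-interface Ethernet0.20 outsideC1
  allocate-interface Ethernet1.21 insideC1
context C2
  allocate-interface Ethernet0.30 outsideC2
  allocate-interface Ethernet2.31 insideC2
  config-url disk0:/C2.cfg
"""

def parse_system_config(text):
    """Return (interfaces, contexts): the interfaces defined in the system
    config and, per context, its config-url and allocated interfaces."""
    interfaces, contexts, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            interfaces.add(m.group(1))
            current = None                      # back at the global level
        elif m := re.fullmatch(r"context (\S+)", line):
            current = contexts.setdefault(m.group(1), {"config_url": None, "interfaces": []})
        elif current is not None and (m := re.fullmatch(r"config-url (\S+)", line)):
            current["config_url"] = m.group(1)
        elif current is not None and (m := re.fullmatch(r"allocate-interface (\S+) \S+", line)):
            current["interfaces"].append(m.group(1))
    return interfaces, contexts

def audit(text):
    """List (context, problem) pairs: no config-url means 'changeto context'
    fails, and an allocation of an undefined interface is a typo to fix."""
    interfaces, contexts = parse_system_config(text)
    findings = []
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append((name, "missing config-url"))
        findings += [(name, f"allocates undefined interface {i}")
                     for i in ctx["interfaces"] if i not in interfaces]
    return findings
```

Run audit(SAMPLE_CONFIG) to get the single finding for C1; feed it the real show run output from the system context to check a live box.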

I still need to get the (new) switch set up:

Switch(config)#vlan 10
Switch(config-vlan)#name admin-vlan
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name C1-vlan
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name C2-vlan
Switch(config)#int gi0/1
Switch(config-if)#swi tru encap dot
Switch(config-if)#swi mo tru
Switch(config-if)#no sh
Switch(config-if)#hostname LA-SW

Should also get LA1 set up as well:

LA1(config)#int gi 0/0.10
LA1(config-subif)#encapsulation dot1Q 10
LA1(config-subif)#int gi 0/0.20
LA1(config-subif)#encapsulation dot1Q 20
LA1(config-subif)#int gi 0/0.30         
LA1(config-subif)#encapsulation dot1Q 30
LA1(config)#int gi 0/0
LA1(config-if)#no sh
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip add
LA1(config-subif)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     YES NVRAM  up                    up      
GigabitEthernet0/0.10      unassigned      YES unset  up                    up      
GigabitEthernet0/0.20    YES manual up                    up      
GigabitEthernet0/0.30      unassigned      YES unset  up                    up      
GigabitEthernet0/1      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Loopback0                 YES NVRAM  up                    up      
LA1(config-subif)#do ping                
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/15/25 ms

Back to the C1 context to set up the inside:

LA-FW/C1(config-if)# int insideC1
LA-FW/C1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LA-FW/C1(config-if)# ip add
LA-FW/C1(config-if)# no shut

Because we are running ASA 8.4.2, dynamic routing protocols are not available to us here, only static routes:

LA-FW/C1(config)# route Outside

Because it’s ASA 8.4 we need to use the new NAT syntax; thanks to Peter Revill over at CCIErants for this excellent post, which really helped:

LA-FW/C1(config)# object network InsideNetwork
LA-FW/C1(config-network-object)# subnet
LA-FW/C1(config-network-object)# nat (inside,outside) dynamic interface 

Again, we need to make sure we are working within the MPLS VRF:

LA1(config)#int GigabitEthernet0/0.20
LA1(config-subif)#ip vrf forwarding 802101
% Interface GigabitEthernet0/0.20 IPv4 disabled and address(es) removed due to disabling VRF 802101
LA1(config-subif)#ip address
LA1(config)#ip route vrf 802101
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red static metric 1
LA1(config-router-af)#redistribute connected metric 1

Now let’s set up the C1 router:

Router(config)#int gi0/0
Router(config-if)#ip add
Router(config-if)#no sh
Router(config)#ip route
Router(config)#hostname LA-C1

Thanks to the magic of redistribution, we have routes:

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set is subnetted, 1 subnets
D EX [170/2562816] via, 02:24:38, GigabitEthernet0/0 is subnetted, 1 subnets
D EX [170/2562816] via, 00:00:10, GigabitEthernet0/0 is subnetted, 1 subnets
D EX [170/2562816] via, 02:02:39, GigabitEthernet0/0 is subnetted, 1 subnets
D EX [170/2562816] via, 02:15:44, GigabitEthernet0/0

We can even get to NY2 from the LA-FW C1 context:

LA-FW/C1(config)# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But this is pretty much as far as it goes. Most of the trouble revolved around NAT, but I got around that, and packet-tracer gave a clean result.

Something is majorly wrong here, and at the most basic of levels: ARP is failing.

So I tried putting a switch in between the two LA routers and the LA-FW; a little bit of reconfiguration later, it looks like this:

However, it still does not work.

ARP is still failing, so I need to go and do some digging. Still, I like a challenge.

