CCIE Security Lab: Multi-context Active/Standby ASA

It’s time for a topology change!

multi-context firewalls


The other topology was not suited to running the VPNs over it, so I created a new one. We don’t have any of the fun stuff like IPS, ACS, ISE, Wifi, or even the ability to run a GUI. It is just going to be CLI only.

I have just done the basic IP addressing so far. The ASAs all get an IP address of .254 for the respective subnet. The routers get an IP, which matches their loopback interface, so Local-1 gets the address 10.1.1.1 on its Gi0/0 interface, and DMVPN-Hub1 has the address 10.1.4.4, and so on.

I have not quite worked out the routing protocols yet; I’ll mull it over this weekend. For the moment we will get the ASAs up, mainly the Multicontext Failover ASA and the Transparent ASA.

Transparent ASA

I have already covered transparent ASAs here, so here is just the config:

ciscoasa(config)# firewall transparent 
ciscoasa(config)# hostname Transparent
Transparent(config)# int gi0/0
Transparent(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
Transparent(config-if)# bridge-group 1
Transparent(config-if)# no shut
Transparent(config-if)# int gi0/1
Transparent(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
Transparent(config-if)# bridge-group 1
Transparent(config-if)# no shut
Transparent(config-if)# exit
Transparent(config)# 
Transparent(config)# int bvi 1
Transparent(config-if)# ip add 10.1.7.254 255.255.255.0
Transparent(config-if)# 
Transparent(config-if)# end
Transparent# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.7.254      YES unset  up                    up  
GigabitEthernet0/1         10.1.7.254      YES unset  up                    up  
GigabitEthernet0/2         unassigned      YES unset  administratively down up  
GigabitEthernet0/3         unassigned      YES unset  administratively down up  
GigabitEthernet0/4         unassigned      YES unset  administratively down up  
GigabitEthernet0/5         unassigned      YES unset  administratively down up  
GigabitEthernet0/6         unassigned      YES unset  administratively down up  
Management0/0              unassigned      YES unset  administratively down up  
BVI1                       10.1.7.254      YES manual up                    up  
Transparent# 
Transparent# ping 10.1.7.1        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Transparent# ping outside 10.1.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Transparent#

Moving swiftly on…

Multi-context Active/Standby ASAs

I haven’t looked at Active/Standby ASAs in Multi-context mode before, but let’s start with the failover stuff, then work out the rest.

ciscoasa(config)# hostname FO-ASA
FO-ASA(config)# failover
FO-ASA(config)# failover lan unit primary
FO-ASA(config)# failover lan interface fover eth3
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
FO-ASA(config)# failover key *****
FO-ASA(config)# failover replication http
FO-ASA(config)# failover link fover eth3
FO-ASA(config)# failover interface ip fover 10.1.250.254 255.255.255.0 standby 10.1.250.252
FO-ASA(config)#

Now we just copy this, with a minor edit to the second ASA:

FO-ASA# sh run | i fail
failover
failover lan unit secondary
failover lan interface fover eth3
failover key *****
failover replication http
failover link fover eth3
failover interface ip fover 10.1.250.254 255.255.255.0 standby 10.1.250.252
FO-ASA#

Setting up failover first makes life a little easier.

FO-ASA(config)# mode noconfirm multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple 



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished

The primary ASA will then restart, and the secondary will take over:

FO-ASA#       
        Switching to Active

FO-ASA#

This does not mean that the secondary will have its mode changed, though:

FO-ASA> Mate's operating mode (Single) is not compatible with my mode (Multi). Failover will be disabled.

FO-ASA> 

FO-ASA# Mate's operating mode (Multi) is not compatible with my mode (Single). Failover will be disabled.

Let’s switch the secondary to multiple-context mode and then failover should work again:

FO-ASA(config)# mode noconfirm multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
!

We still need to re-enable failover, though (notice that the first line of the output says failover is “Off”):

FO-ASA# sh fail
Failover Off 
Failover unit Primary
Failover LAN Interface: fover Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
failover replication http
FO-ASA# conf t
FO-ASA(config)# failover 
FO-ASA(config)# end
FO-ASA# sh failover
Failover On 
Failover unit Primary
Failover LAN Interface: fover Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 19:17:10 UTC Jun 24 2016
        This host: Primary - Negotiation 
                Active time: 0 (sec)
        Other host: Secondary - Not Detected 
                Active time: 0 (sec)
       
FO-ASA#

We need to do this on the mate as well:

FO-ASA# conf t
FO-ASA(config)# failover
FO-ASA(config)# exit
FO-ASA# .

        Detected an Active mate

FO-ASA# Beginning configuration replication from mate.

FO-ASA# 
FO-ASA# ERROR: Password recovery was not changed, unable to access 
the configuration register.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)

WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
Crashinfo is NOT enabled on Full Distribution Environment

FO-ASA# End configuration replication from mate.

FO-ASA#
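The sequence above shows the two states to watch for in `show failover`: “Failover Off” after the mode change, and a mate that is “Not Detected” until it is re-enabled. The following is an added example, not part of the original post: a small Python check that parses `show failover` output (the sample is constructed from the output above) and reports what still needs attention before the pair can be trusted.

```python
import re

# Constructed sample, trimmed from the `show failover` output in the post,
# captured right after `failover` was re-enabled on the primary only.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet3 (up)
Monitored Interfaces 0 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
        This host: Primary - Negotiation
                Active time: 0 (sec)
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
"""

def parse_show_failover(text):
    """Pull the fields a health check cares about out of `show failover`."""
    info = {}
    m = re.search(r"^Failover (On|Off)", text, re.M)
    info["enabled"] = bool(m and m.group(1) == "On")
    m = re.search(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)", text, re.M)
    if m:
        info["lan_if"], info["lan_phys"], info["lan_state"] = m.groups()
    m = re.search(r"^Version: Ours (\S+), Mate (\S+)", text, re.M)
    if m:
        info["ours"], info["mate"] = m.groups()
    m = re.search(r"^Monitored Interfaces (\d+) of", text, re.M)
    info["monitored"] = int(m.group(1)) if m else 0
    # Role and state lines look like "This host: Primary - Negotiation".
    m = re.search(r"This host: (\w+) - ([\w ]+?)\s*$", text, re.M)
    if m:
        info["this_role"], info["this_state"] = m.groups()
    m = re.search(r"Other host: (\w+) - ([\w ]+?)\s*$", text, re.M)
    if m:
        info["other_role"], info["other_state"] = m.groups()
    return info

def failover_findings(info):
    """Problems an operator should act on, most serious first."""
    findings = []
    if not info["enabled"]:
        findings.append("failover is Off: enable it with `failover` on both units")
    if info.get("lan_state") != "up":
        findings.append("failover LAN interface is not up")
    if info.get("ours") != info.get("mate"):
        findings.append(f"version mismatch: ours {info.get('ours')}, mate {info.get('mate')}")
    if info.get("other_state") != "Standby Ready":
        findings.append(f"mate is {info.get('other_state', 'unknown')}, not Standby Ready")
    if info["monitored"] == 0:
        findings.append("no interfaces monitored: an interface failure will not trigger failover")
    return findings
```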

All in all, it is probably quicker to set the mode first and then set up failover. Nevertheless, we got there in the end. Let’s crack on and build the multi-context part. We will need to use sub-interfaces and trunk the switch.

FO-ASA(config)# failover group 1
ERROR: Failover group can only be created or removed when failover is disabled
FO-ASA(config)# no failover
FO-ASA(config)# failover group 1
FO-ASA(config-fover-group)# primary
FO-ASA(config-fover-group)# preempt
FO-ASA(config-fover-group)# exit
FO-ASA(config)# failover group 2
FO-ASA(config-fover-group)# primary
FO-ASA(config-fover-group)# preempt
FO-ASA(config-fover-group)# exit
FO-ASA(config)# failover
FO-ASA(config)# context C1
FO-ASA(config-ctx)# join-failover-group 1
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C2
FO-ASA(config-ctx)# 
FO-ASA(config-ctx)# join-failover-group 2
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C1
FO-ASA(config-ctx)# config-url disk0:/C1.cfg
FO-ASA(config-ctx)# allocate-interface e1
FO-ASA(config-ctx)# allocate-interface e0.1
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C2
FO-ASA(config-ctx)# config-url disk0:/C2.cfg
FO-ASA(config-ctx)# allocate-interface e2
FO-ASA(config-ctx)# allocate-interface e0.2
FO-ASA(config-ctx)# exit
FO-ASA(config)#

We will have to make a slight change to the main interface to account for the sub-interfaces, by way of setting the VLAN information:

FO-ASA(config)# int e0.1
FO-ASA(config-subif)# vlan 16
FO-ASA(config-subif)# exit
FO-ASA(config)# 
FO-ASA(config)# int e0.2
FO-ASA(config-subif)# vlan 26
FO-ASA(config-subif)# exit
FO-ASA(config)#
FO-ASA(config)# changeto con C1
FO-ASA/C1(config)# interface ethernet 1 
FO-ASA/C1(config-if)# nameif Inside
FO-ASA/C1(config-if)# ip add 10.1.4.254 255.255.255.0 stand 10.1.4.252
FO-ASA/C1(config-if)# no shut
FO-ASA/C1(config-if)# int e0.1
FO-ASA/C1(config-if)# nameif outside
FO-ASA/C1(config-if)# ip add 10.1.16.254 255.255.255.0 stand 10.1.16.252
FO-ASA/C1(config-if)# no shut
FO-ASA/C1(config-if)# exit
FO-ASA/C1(config)# changeto con C2
FO-ASA/C2(config)# int e2
FO-ASA/C2(config-if)# nameif inside
FO-ASA/C2(config-if)# ip add 10.1.5.254 255.255.255.0 stand 10.1.5.252
FO-ASA/C2(config-if)# no shut
FO-ASA/C2(config-if)# int e0.2
FO-ASA/C2(config-if)# nameif outside
FO-ASA/C2(config-if)# ip add 10.1.26.254 255.255.255.0 stand 10.1.26.252
FO-ASA/C2(config-if)# no shut
FO-ASA/C2(config-if)# end
FO-ASA/C2#

Let’s make sure the interfaces are up:

FO-ASA# conf t
FO-ASA(config)# int e0
FO-ASA(config-if)# no shut
FO-ASA(config-if)# int e1
FO-ASA(config-if)# no shut
FO-ASA(config-if)# int e2
FO-ASA(config-if)# no shut
FO-ASA(config-if)# end
FO-ASA# wr mem
Building configuration...
Cryptochecksum: 6d25f26b f839667a 12e15d7c 54dff20a 

2017 bytes copied in 0.230 secs
[OK]
FO-ASA#
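The context definitions above are where the isolation between C1 and C2 is decided: each context needs its own config-url, a failover group (a context with no join-failover-group lands in group 1 by default), and ideally its own interfaces. As an added example, not part of the original post, here is a Python lint that reads the system-context config (the sample is constructed from the commands above, written the way `show run` prints them) and flags a missing config-url, an undefined or defaulted failover group, and any interface allocated to more than one context.

```python
import re
from collections import defaultdict

# Constructed sample: the system context built in the post, as `show run`
# would print it (interface names expanded, sub-commands indented).
SYSTEM_CONFIG = """\
failover group 1
  primary
  preempt
failover group 2
  primary
  preempt
context C1
  allocate-interface Ethernet1
  allocate-interface Ethernet0.1
  config-url disk0:/C1.cfg
  join-failover-group 1
context C2
  allocate-interface Ethernet2
  allocate-interface Ethernet0.2
  config-url disk0:/C2.cfg
  join-failover-group 2
"""

def parse_system_config(text):
    """Collect defined failover groups and the sub-commands of each context."""
    groups, contexts, block = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r"failover group (\d+)", line):
            groups.add(int(m.group(1)))
            block = None
        elif m := re.match(r"context (\S+)", line):
            block = contexts.setdefault(m.group(1), defaultdict(list))
        elif block is not None and (m := re.match(r"\s+(\S+)\s+(.+)", line)):
            block[m.group(1)].append(m.group(2).strip())  # keyword -> values
    return groups, contexts

def context_findings(groups, contexts):
    """Return the problems to fix before the contexts are brought up."""
    findings, owners = [], defaultdict(list)
    for name, cfg in contexts.items():
        if not cfg.get("config-url"):
            findings.append(f"{name}: no config-url, context cannot be loaded")
        jfg = cfg.get("join-failover-group")
        if not jfg:
            findings.append(f"{name}: no join-failover-group (defaults to group 1)")
        elif int(jfg[0]) not in groups:
            findings.append(f"{name}: failover group {jfg[0]} is not defined")
        for ifname in cfg.get("allocate-interface", []):
            owners[ifname].append(name)
    for ifname, names in owners.items():  # shared interfaces weaken isolation
        if len(names) > 1:
            findings.append(f"{ifname}: shared by {', '.join(names)}")
    return findings
```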

Now a little testing:

FO-ASA/C1# ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C1# 

FO-ASA/C2# ping 10.1.5.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C2#

Next, we need to set up ISP-1, and add the VLANs to the intermediate switch, and then test from the ASA:

ISP-1(config)#int gi0/0
ISP-1(config-if)#no ip add
ISP-1(config-if)#exit
ISP-1(config)#int gi0/0.1
ISP-1(config-subif)#encap dot 16
ISP-1(config-subif)#no sh
ISP-1(config-subif)#ip add 10.1.16.1 255.255.255.0
ISP-1(config)#int gi 0/0.2
ISP-1(config-subif)#no sh
ISP-1(config-subif)#enc dot 26
ISP-1(config-subif)#ip add 10.1.26.1 255.255.255.0
ISP-1(config-subif)#exit
ISP-1(config)#end
ISP-1#
ISP-1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up      
GigabitEthernet0/0.1       10.1.16.1       YES manual up                    up      
GigabitEthernet0/0.2       10.1.26.1       YES manual up                    up      
GigabitEthernet0/1         10.1.7.1        YES manual up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
ISP-1#

SW1(config)#vlan 16,26
SW1(config-vlan)#exit
SW1(config)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
16   VLAN0016                         active    
26   VLAN0026                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
SW1(config)#int gi0/0
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh
SW1(config-if)#
SW1(config-if)#int gi0/1
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh
SW1(config-if)#int gi0/2
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh

FO-ASA/C1# ping outside 10.1.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FO-ASA/C1# 

FO-ASA/C2# ping 10.1.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.26.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C2# 

ISP-1#ping 10.1.16.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.16.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
ISP-1#ping 10.1.26.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.26.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/17 ms
ISP-1#

This is pretty much the very basics done. I won’t be overly permissive with the ASA access-lists this time around. Instead, we will be making use of the default deny, and being very strict by allowing just the source and destination IP addresses and relevant ports.

All the IGPs (when I figure out what I will be using and where) will be using authentication, but at least I am in good stead to get started learning the different VPNs.

We will start by getting Local-1 connected to RTD-ASA, which in turn will be connected to CA-Flex, which connects to DMVPN-Hub2. This will use OSPF to propagate the routes and join RTD-ASA and DMVPN-Hub2 by way of secured OSPF. Once this is done, we’ll set up an IPSec VPN between the ASA and DMVPN-Hub1.

But that won’t be until next week because I am taking the kids and wife away for the weekend.

Have a good weekend.

Part 2 is here.
