SECURITY APPLIANCES
(ASA)
Hello!
I am ___________
I am here because I love to give presentations.
Introduction
- Supported Features:
  - Only static routing
  - Firewall features
  - IPS
  - Management
- Unsupported Features (for ASA pre-9 versions):
  - VPN termination
  - Dynamic Routing Protocol
  - QoS
- New features introduced in ASA 9:
  - Site-to-Site VPN in multiple context mode
    - New resource type for site-to-site VPN tunnels
  - Dynamic routing in Security Contexts
    - New resource type for routing table entries
  - Mixed firewall mode support in multiple context mode
Introduction
Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance.
CONTEXT TYPES
Context Types
- System Context
- Admin Context
- Normal Context
System Context
Admin Context
- The admin context is like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system configuration and all other contexts.
- If you convert from single mode to multiple context mode, the admin context is created automatically and its configuration file is written to flash memory.
- This context can be combined with any regular user context, or it can be kept dedicated.
- Note: a dedicated admin context is not counted against the context license. For example, with a license for two contexts you are allowed to have the admin context plus two other contexts.
Normal Context
CONFIGURATION
Configuration
- When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
  1. A new startup configuration that comprises the system configuration.
  2. admin.cfg, which comprises the admin context (in the root directory of the internal flash memory).
- The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory).
- The original startup configuration is not saved.
- The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin".
Configuration Steps
Configuration Notes
- If a physical interface is shared between contexts, each context can generally have different IP and MAC addresses on that interface.
- The IP address can be shared as well. If you want to assign the same IP address to the shared interface in multiple contexts, you must give the logical interfaces separate MAC addresses.
- You may use non-overlapping subnets, or simply different IPs on the same subnet.
- By default both contexts inherit the same MAC address from the shared physical interface. This can prevent the firewall from classifying incoming traffic to the correct context.
- Use the command mac-address auto in the system context to automatically generate a unique MAC address for every new "virtual" interface.
Configuration
In order to enable multiple mode, enter this command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** −−− SHUTDOWN NOW −−−
***
*** Message to all terminals:
***
*** change mode
Rebooting....
Configuration
- You cannot rename a context; you have to delete it and then create a new one with the new name.
- Delete a context (from the system context):
  no context ContextA
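The context-creation steps that follow the mode multiple reboot, and the shared-interface MAC point from the Configuration Notes, as an added example that is not part of the original deck. Interface numbers, context names, config-url file names and IP addresses are constructed.

```cisco
! Added example (not from the original slides). Interface numbers, context
! names, file names and IP addresses are constructed.
!
! --- 1. System context: one generated MAC per context interface ---
hostname(config)# mac-address auto
hostname(config)# admin-context admin
!
! --- 2. Admin context: management, with GigabitEthernet0/0 as its outside ---
hostname(config)# context admin
hostname(config-ctx)# allocate-interface GigabitEthernet0/0
hostname(config-ctx)# allocate-interface GigabitEthernet0/1
hostname(config-ctx)# config-url disk0:/admin.cfg
hostname(config-ctx)# exit
!
! --- 3. Regular context sharing the same physical outside interface ---
hostname(config)# context ContextA
hostname(config-ctx)# allocate-interface GigabitEthernet0/0
hostname(config-ctx)# allocate-interface GigabitEthernet0/2
hostname(config-ctx)# config-url disk0:/ContextA.cfg
hostname(config-ctx)# exit
!
! --- 4. Inside each context: same subnet on the shared interface, different IP ---
hostname# changeto context admin
hostname/admin# configure terminal
hostname/admin(config)# interface GigabitEthernet0/0
hostname/admin(config-if)# nameif outside
hostname/admin(config-if)# security-level 0
hostname/admin(config-if)# ip address 192.0.2.11 255.255.255.0
hostname/admin(config-if)# end
!
hostname/admin# changeto context ContextA
hostname/ContextA# configure terminal
hostname/ContextA(config)# interface GigabitEthernet0/0
hostname/ContextA(config-if)# nameif outside
hostname/ContextA(config-if)# security-level 0
hostname/ContextA(config-if)# ip address 192.0.2.12 255.255.255.0
hostname/ContextA(config-if)# end
!
! --- 5. Verify: each context's GigabitEthernet0/0 should report a distinct MAC ---
hostname/ContextA# show interface GigabitEthernet0/0 | include MAC
!
! Without "mac-address auto" (or an explicit "mac-address" under the interface
! in each context) both contexts inherit the physical MAC, and a frame arriving
! on GigabitEthernet0/0 cannot be classified to a single context by destination MAC.
```

Run the show interface check in the admin context as well; if both contexts print the same MAC, classification on the shared interface will fall back to destination IP only.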
Example Scenario
FIREWALL CONTEXTS ROUTING
Firewall Context Routing
- Context Cascading
  - Recall that physical interfaces can be shared between contexts.
  - In some scenarios you may even configure the same physical interface as the inside interface of one context and the outside interface of another. This is called context cascading. Look at the figure below:
FIREWALL CONTEXTS CLASSIFICATION
Firewall Contexts Classification
Resource Management
Q&A
Thank You
References