In multiple security context mode there are three types of configuration:
- The System Configuration is the startup configuration of the appliance. It is similar to a standard single-mode configuration, except that no network interfaces are defined other than a specialized failover interface. The system configuration is where the network administrator adds and manages the security contexts.
- The Admin Context is not restricted and can be used like any other security context. When logged in to the admin context, all other security contexts can be seen and administered, including the system configuration. The admin context configuration must reside on internal flash memory.
- The Context Configurations are created for each separate security context. Each one contains the security policies, interface configurations and so on that apply only to that context.
Scenario:
Requirements:
- Context CustomerA: interfaces Gi0.100 (insideA), Gi1 (dmz), Gi2 (outside)
- Context CustomerB: interfaces Gi0.200 (insideB), Gi1 (dmz), Gi2 (outside)
- Context admin (separate context)
admin-context admin
context admin
config-url disk0:/admin.cfg
context CustomerA
allocate-interface GigabitEthernet0.100 insideA
allocate-interface GigabitEthernet1 dmz
allocate-interface GigabitEthernet2 outside
config-url disk0:/customerA.cfg
context CustomerB
allocate-interface GigabitEthernet0.200 insideB
allocate-interface GigabitEthernet1 dmz visible
allocate-interface GigabitEthernet2 outside
config-url disk0:/customerB.cfg
When you allocate an interface to a context you can add one of two optional flags:
invisible (default): the physical (hardware) interface name is hidden inside the context
visible: the physical interface name is shown inside the context, for example in show interface output
In the scenario above, CustomerB's dmz is allocated with visible, which is why its show interface dmz output includes a "System name GigabitEthernet1" line while CustomerA's does not. Note that the flag only controls the hardware name; the MAC address of the shared interface is shown in both contexts.
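The following script is an added example (not part of the original post) that parses a system-configuration snippet like the one above and reports which physical interfaces are shared between contexts, which allocations are visible, and whether the admin context's config-url is on flash. The config text is a constructed copy of the scenario; the treatment of disk0:/ and flash:/ as the only flash prefixes, and the rule that an allocation without a mapped name keeps its physical name inside the context, are assumptions of this example.

```python
"""Parse an ASA system-configuration snippet and report how interfaces are
allocated across security contexts.  Added example; SYSTEM_CONFIG below is a
constructed copy of the blog scenario, not output from a real appliance."""
from collections import defaultdict

# Constructed sample: the system-configuration lines from the scenario above.
SYSTEM_CONFIG = """\
admin-context admin
context admin
  config-url disk0:/admin.cfg
context CustomerA
  allocate-interface GigabitEthernet0.100 insideA
  allocate-interface GigabitEthernet1 dmz
  allocate-interface GigabitEthernet2 outside
  config-url disk0:/customerA.cfg
context CustomerB
  allocate-interface GigabitEthernet0.200 insideB
  allocate-interface GigabitEthernet1 dmz visible
  allocate-interface GigabitEthernet2 outside
  config-url disk0:/customerB.cfg
"""

FLASH_PREFIXES = ("disk0:/", "flash:/")   # assumption: internal flash URLs


def parse_system_config(text):
    """Return (admin_context_name, contexts) where contexts maps a context
    name to its config-url and a list of allocated interfaces.  Each entry
    records the physical (or sub-) interface, the mapped name the context
    sees, and whether the hardware name is visible in the context."""
    admin, contexts, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("admin-context "):
            admin = line.split()[1]
        elif line.startswith("context "):
            current = line.split()[1]
            contexts[current] = {"config_url": None, "interfaces": []}
        elif current and line.startswith("config-url "):
            contexts[current]["config_url"] = line.split()[1]
        elif current and line.startswith("allocate-interface "):
            toks = line.split()[1:]
            # the visibility flag is always the last token; default is invisible
            flag = toks.pop() if toks[-1] in ("visible", "invisible") else "invisible"
            phys = toks[0]
            mapped = toks[1] if len(toks) > 1 else phys   # no mapped name: keep physical
            contexts[current]["interfaces"].append(
                {"physical": phys, "mapped": mapped, "visible": flag == "visible"})
    return admin, contexts


def shared_interfaces(contexts):
    """Map each physical interface to the contexts it is allocated to, keeping
    only interfaces allocated to more than one context.  These are the ones
    the packet classifier has to disambiguate (and that need unique MACs)."""
    users = defaultdict(list)
    for name, ctx in contexts.items():
        for itf in ctx["interfaces"]:
            users[itf["physical"]].append(name)
    return {phys: names for phys, names in users.items() if len(names) > 1}


def check_admin_context(admin, contexts):
    """Return a list of problems with the admin context definition: missing
    admin-context, admin-context pointing at an undefined context, or an admin
    config-url that is not on internal flash."""
    if admin is None:
        return ["no admin-context configured"]
    if admin not in contexts:
        return [f"admin-context {admin} has no matching 'context {admin}' definition"]
    url = contexts[admin]["config_url"] or ""
    if not url.startswith(FLASH_PREFIXES):
        return [f"admin context config-url must be on flash, got {url!r}"]
    return []


if __name__ == "__main__":
    admin, ctxs = parse_system_config(SYSTEM_CONFIG)
    print("admin context:", admin, check_admin_context(admin, ctxs) or "OK")
    for phys, names in shared_interfaces(ctxs).items():
        print(f"{phys} is shared by {', '.join(names)}")
    for name, ctx in ctxs.items():
        for itf in ctx["interfaces"]:
            print(f"{name}: {itf['physical']} -> {itf['mapped']}"
                  f" ({'visible' if itf['visible'] else 'invisible'})")
```

Run against the scenario, the script reports GigabitEthernet1 and GigabitEthernet2 as shared by CustomerA and CustomerB, flags only CustomerB's dmz as visible, and accepts the admin context because its config-url is on disk0:.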
Changing between contexts and the system execution space
When you connect with a console cable to the appliance, you log in to the system configuration (the system execution space). The system execution space is the global appliance space from which you enter specific security contexts. If you issue show run from the system execution space, you see ONLY the global system configuration and NOT the configurations of the individual security contexts. You must change to a specific security context (changeto context name) to see or change its configuration, and changeto system to return.
The admin context is a special context that allows logging in to the firewall remotely (SSH, Telnet or HTTPS). It must be configured first: the firewall does not let you create any other context until the admin context is configured.
ciscoasa# changeto context CustomerA
ciscoasa/CustomerA#
interface insideA
nameif insideA
security-level 100
ip address 10.100.100.1 255.255.255.0
!
interface dmz
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface outside
nameif outside
security-level 0
ip address 192.168.223.100 255.255.255.0
ciscoasa/CustomerA# show interface ip brief
Interface   IP-Address       OK? Method Status Protocol
insideA     10.100.100.1     YES manual up     up
dmz         192.168.1.1      YES manual up     up
outside     192.168.223.100  YES manual up     up
ciscoasa/CustomerA# show interface dmz
Interface dmz "dmz", is up, line protocol is up
MAC address 00ab.cd92.5201, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "dmz":
41 packets input, 9527 bytes
8 packets output, 640 bytes
32 packets dropped
ciscoasa# changeto context CustomerB
ciscoasa/CustomerB#
interface insideB
nameif insideB
security-level 100
ip address 10.200.200.1 255.255.255.0
!
interface dmz
nameif dmz
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface outside
nameif outside
security-level 0
ip address 192.168.223.101 255.255.255.0
ciscoasa/CustomerB# show interface ip brief
Interface   IP-Address       OK? Method Status Protocol
insideB     10.200.200.1     YES manual up     up
dmz         192.168.1.2      YES manual up     up
outside     192.168.223.101  YES manual up     up
ciscoasa/CustomerB(config-if)# show interface dmz
Interface dmz "dmz", is up, line protocol is up
System name GigabitEthernet1
MAC address 00ab.cd92.5201, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
Traffic Statistics for "dmz":
0 packets input, 0 bytes
2 packets output, 56 bytes
0 packets dropped
Save Configuration Changes in Multiple Context Mode
You can save each context (and the system) configuration separately with write memory from within that context or the system execution space, or you can save all context configurations at the same time with write memory all from the system execution space.
Security Appliance Context Packet Classification
- Unique interfaces: when an interface is allocated to only one context, the ingress interface alone identifies the context.
- Unique MAC addresses: if multiple contexts share an interface, the classifier uses the destination MAC address of the packet. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface (manually with the mac-address command on the interface in the context, or automatically with mac-address auto in the system configuration). By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context, as the identical MAC shown for dmz in both CustomerA and CustomerB above illustrates.
- NAT configuration: if you do not have unique MAC addresses, the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must know which subnets are located behind each security context, and it relies on the NAT configuration of each context to learn them. Subnets must therefore be unique across the contexts sharing the interface, otherwise the classifier cannot tell them apart.
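To make the three classification rules concrete, here is an added example (my own model, not part of the original post and not ASA code) that applies them in order to constructed packets arriving on the scenario's interfaces. The allocation table mirrors the scenario; the NAT-learned subnets, the MAC values in the unique-MAC table and the decision to drop a packet whose destination matches zero or several contexts are assumptions of the model.

```python
"""Model of ASA context classification for an ingress packet: unique
interface, then unique MAC on a shared interface, then destination-IP lookup
against each context's NAT-known subnets.  Added example with constructed
tables; it follows the rule order described in the text, not ASA internals."""
import ipaddress

# Constructed allocation table from the scenario: physical interface -> contexts.
ALLOCATION = {
    "GigabitEthernet0.100": ["CustomerA"],
    "GigabitEthernet0.200": ["CustomerB"],
    "GigabitEthernet1": ["CustomerA", "CustomerB"],   # shared dmz
    "GigabitEthernet2": ["CustomerA", "CustomerB"],   # shared outside
}
# Assumed: subnets each context advertises to the classifier via its NAT config.
NAT_SUBNETS = {
    "CustomerA": ["10.100.100.0/24"],
    "CustomerB": ["10.200.200.0/24"],
}
# Default: every context uses the burned-in MAC of the shared port.
DEFAULT_MACS = {
    "GigabitEthernet1": {"CustomerA": "00ab.cd92.5201", "CustomerB": "00ab.cd92.5201"},
    "GigabitEthernet2": {"CustomerA": "00ab.cd92.5202", "CustomerB": "00ab.cd92.5202"},
}
# Assumed values for what a per-context mac-address (or mac-address auto) yields.
UNIQUE_MACS = {
    "GigabitEthernet1": {"CustomerA": "a2ab.cd92.5201", "CustomerB": "a2ab.cd92.5301"},
    "GigabitEthernet2": {"CustomerA": "a2ab.cd92.5202", "CustomerB": "a2ab.cd92.5302"},
}


def classify(ingress, dst_mac, dst_ip, macs, allocation=ALLOCATION, nat=NAT_SUBNETS):
    """Return (rule_used, context).  context is None when the packet cannot be
    attributed to exactly one context and is dropped (model assumption)."""
    owners = allocation.get(ingress, [])
    if not owners:
        return "unallocated", None
    if len(owners) == 1:                          # rule 1: unique interface
        return "unique-interface", owners[0]
    # rule 2: unique MAC, usable only if every context has its own MAC on this port
    port_macs = macs.get(ingress, {})
    if len(set(port_macs.values())) == len(owners):
        for ctx, mac in port_macs.items():
            if mac == dst_mac:
                return "unique-mac", ctx
        return "unique-mac", None                 # not addressed to any context
    # rule 3: destination IP against NAT-known subnets; all other fields ignored
    ip = ipaddress.ip_address(dst_ip)
    hits = [ctx for ctx in owners
            if any(ip in ipaddress.ip_network(s) for s in nat.get(ctx, []))]
    return "nat-dest-ip", (hits[0] if len(hits) == 1 else None)


if __name__ == "__main__":
    # Constructed sample packets: (ingress, destination MAC, destination IP)
    samples = [
        ("GigabitEthernet0.100", "00ab.cd92.5200", "8.8.8.8"),
        ("GigabitEthernet2", "00ab.cd92.5202", "10.200.200.5"),
        ("GigabitEthernet2", "00ab.cd92.5202", "172.16.0.1"),
    ]
    for table, label in ((DEFAULT_MACS, "default MACs"), (UNIQUE_MACS, "unique MACs")):
        print(f"-- {label}")
        for ingress, mac, ip in samples:
            print(ingress, mac, ip, "->", classify(ingress, mac, ip, table))
```

With the default (shared) MACs, a packet on the shared outside interface is only attributable when its destination IP falls inside exactly one context's NAT subnets; with per-context MACs the destination MAC decides and the IP is never consulted.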