© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

Lesson 8.1: Configure a PIX Security Appliance to Perform in Multiple Context Mode

Security Context Overview

Security Appliance Virtualization
You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a standalone firewall. The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance. When the system needs to access network resources, it uses one of the contexts that is designated as the admin context.
[Figure: one Security Appliance hosting Security Context A, Security Context B, and Security Context C]

Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
–When a service provider wants to sell firewall services to many customers
–When a large enterprise or a college campus wants to keep departments completely separate
–When an enterprise wants to provide distinct security policies to different departments
–When a network requires more than one firewall
[Figure: one Security Appliance hosting Security Context A, B, and C, serving Company A, Company B, and Company C]

Service Provider–Managed Security Appliance with Multiple Contexts
–The same service that is available with multiple security appliances
–Now available in a smaller, more manageable package
[Figure: a Service Provider appliance with virtual firewalls VFW1 to VFW4 between the Internet and each Customer]

Context Configuration Files
Context configuration files have the following characteristics:
–Each context has its own configuration file.
–The security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts.
[Figure: the Security Appliance holds the System Config plus one configuration file each for Security Context Admin, Security Context B, and Security Context C]

Packet Classification
Each packet that enters the security appliance must be classified so that the appliance can determine to which context to send the packet. The appliance checks for the following:
–Unique interfaces
–MAC addresses
–NAT configuration
The appliance uses the characteristic that is unique and not shared across contexts. Routed mode allows shared interfaces; transparent mode does not allow shared interfaces.
[Figure: Security Context A, B, and C on one Security Appliance, each with its own MAC address on the shared interface: 000C.F142.4CDA, 000C.F142.4CDB, and 000C.F142.4CDC]
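The classification order just described, as an added worked example that is not part of the Cisco slides: a small Python simulation assigns constructed packets to contexts by checking, in order, a uniquely allocated interface, then the context-specific MAC address on a shared interface, then the mapped addresses in each context's NAT configuration. The context names, interface names, MAC addresses and address ranges are constructed for the example; a packet that matches no context, or more than one, is reported as unclassified, which is the case in which the appliance drops it.

```python
"""Simulate context classification on a multiple-context security appliance.
Added example, not code from the slides. The contexts, MAC addresses and
mapped NAT address ranges below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    interfaces: set                                  # interfaces allocated to the context
    macs: dict = field(default_factory=dict)         # interface -> context-specific MAC
    mapped_nets: list = field(default_factory=list)  # mapped (global) NAT address ranges


def classify(packet, contexts):
    """Return the name of the context that receives `packet`, or None when the
    appliance cannot pick exactly one context (the packet is then dropped).
    Order of checks: unique interface, then MAC address, then NAT configuration."""
    ingress = packet["interface"]
    owners = [c for c in contexts if ingress in c.interfaces]
    if not owners:
        return None                      # interface is not allocated to any context
    if len(owners) == 1:
        return owners[0].name            # unique interface: classification is done

    # Shared interface: the destination MAC must match exactly one context's MAC.
    dst_mac = packet["dst_mac"].lower()
    by_mac = [c for c in owners if c.macs.get(ingress, "").lower() == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0].name

    # No unique MAC match: fall back to NAT. The destination address must be a
    # mapped address in exactly one of the contexts sharing the interface.
    dst_ip = ip_address(packet["dst_ip"])
    by_nat = [c for c in owners
              if any(dst_ip in ip_network(net) for net in c.mapped_nets)]
    if len(by_nat) == 1:
        return by_nat[0].name
    return None                          # unmatched or ambiguous: dropped


# Constructed sample contexts. g0/1 is shared by all three; CONTEXTC has no
# context-specific MAC on it, so it can only be reached through its NAT addresses.
SAMPLE_CONTEXTS = [
    Context("CONTEXTA", {"g0/1", "g0/2"}, {"g0/1": "000C.F142.4CDA"}, ["209.165.201.0/27"]),
    Context("CONTEXTB", {"g0/1", "g0/3"}, {"g0/1": "000C.F142.4CDB"}, ["209.165.202.128/27"]),
    Context("CONTEXTC", {"g0/1"}, {}, ["209.165.200.224/27"]),
]

# Constructed sample packets: ingress interface, destination MAC, destination IP.
SAMPLE_PACKETS = {
    "unique_interface": {"interface": "g0/2", "dst_mac": "0000.0000.0001", "dst_ip": "10.1.1.1"},
    "shared_by_mac":    {"interface": "g0/1", "dst_mac": "000c.f142.4cdb", "dst_ip": "10.1.1.1"},
    "shared_by_nat":    {"interface": "g0/1", "dst_mac": "0000.0000.0001", "dst_ip": "209.165.200.230"},
    "unclassifiable":   {"interface": "g0/1", "dst_mac": "0000.0000.0001", "dst_ip": "10.1.1.1"},
    "unallocated":      {"interface": "g0/9", "dst_mac": "0000.0000.0001", "dst_ip": "10.1.1.1"},
}


def run_demo(packets=SAMPLE_PACKETS, contexts=SAMPLE_CONTEXTS):
    """Classify every sample packet; returns {label: context name or None}."""
    return {label: classify(pkt, contexts) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, ctx in run_demo().items():
        print(f"{label:18} -> {ctx or 'DROPPED (no unique context)'}")
```

The "unclassifiable" packet is the case to watch on a shared routed-mode interface: without a unique MAC address per context and without a NAT entry for the destination, the appliance has nothing unique to classify on, which is why the later slide on context-specific MAC addresses matters.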

Resource Management

Resource Management
–Limits the use of resources per context
–Prevents one or more contexts from using too many resources and causing other contexts to be denied the use of resources
–Enables you to configure limits for the following resources: ASDM connections, connections, hosts, SSH sessions, Telnet sessions, xlate objects, application inspections (rate only), and syslogs per second (rate only)
[Figure: a Security Appliance facing the Internet with Context 1 and Context 2; SSH sessions are limited to one for Context 2, so SSH session 1 is accepted and SSH session 2 is refused]

The Default Resource Class
[Figure: Class Gold (all limits set), Class Silver (some limits set), and Class Bronze (some limits set) alongside the Default Class, with Context A, Context B, Context C, and Context D assigned among them]

Configuring Resource Management
ciscoasa(config)# class name
Creates a name for a resource class and enters configuration mode for the class
ciscoasa(config-class)# limit-resource {{all 0} | {rate resource_name value} | {resource_name value[%]}}
Specifies a resource limit for a class
asa1(config)# class MEDIUM-RESOURCE-SET
asa1(config-class)# limit-resource ASDM 4
asa1(config-class)# limit-resource conns 20%
Limits the MEDIUM-RESOURCE-SET class to four ASDM sessions and 20 percent of the system connection limit
asa1(config)# context TEST
asa1(config-ctx)# member MEDIUM-RESOURCE-SET
Assigns the TEST context to the MEDIUM-RESOURCE-SET class

Enabling Multiple Context Mode

Backing Up the Single-Mode Configuration
When you convert from single mode to multiple mode, the running configuration is converted into two files:
–A new startup configuration that comprises the system configuration
–admin.cfg, which comprises the admin context
The original running configuration is saved as old_running.cfg (on disk).
[Figure: the single-mode Running Configuration becomes the multimode System Configuration and Admin Configuration (Security Context Admin), with old_running.cfg kept as a backup]

The Admin Context
The admin context has the following characteristics:
–The system execution space has no traffic-passing interfaces; it uses the policies and interfaces of the admin context to communicate with other devices.
–It is used to fetch configurations for other contexts and to send system-level syslogs.
–Users logged in to the admin context are able to change to the system context and create new contexts.
–Aside from its significance to the system, it can be used as a regular context.
[Figure: a multimode Security Appliance with the System Configuration, the Admin Configuration (Security Context Admin), Security Context A, and Security Context B]

Enabling and Disabling Multiple Context Mode
ciscoasa(config)# mode {single | multiple} [noconfirm]
Selects the context mode as follows:
–multiple: Sets multiple context mode (mode with security contexts)
–single: Sets single context mode (mode without security contexts)
–noconfirm: Sets the mode without prompting you for confirmation
asa1(config)# mode multiple
Before you convert from multiple mode to single mode, copy the backup version of the original running configuration to the current startup configuration.

Viewing the Current Context Mode
ciscoasa# show mode
Shows the current firewall mode
asa1# show mode
Firewall mode: multiple
The flash mode is the SAME as the running mode.

Configuring a Security Context

Adding a Context
ciscoasa(config)# context name
Adds or modifies a context
–The name is a case-sensitive string up to 32 characters long.
–System and Null (in uppercase or lowercase letters) are reserved names and cannot be used.
asa1(config)# context CONTEXT1
Creating context 'CONTEXT1'... Done. (4)
asa1(config-ctx)#

Config Context Submode: Allocating Interfaces
ciscoasa(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
Allocates interfaces to a security context
–Interfaces must initially be enabled in system configuration mode before being allocated to a context.
–Initially, a newly created context does not have access to any interfaces.
asa1(config-ctx)# allocate-interface gigabitethernet0/1
asa1(config-ctx)# allocate-interface gigabitethernet1/1.100 int1

Assigning Context-Specific MAC Addresses to an Interface
ciscoasa(config)# mac-address auto
Automatically generates MAC addresses for shared interfaces in contexts
ciscoasa/CONTEXT1(config-if)# mac-address mac_address [standby mac_address]
Assigns a different MAC address for each context to a single interface, which enables the security appliance to easily classify packets into the appropriate context
asa1/CONTEXTA(config-if)# mac-address 000C.F142.4CDA
[Figure: Security Context A and Security Context B share interface g0/1 on the Security Appliance, with MAC addresses 000C.F142.4CDA and 000C.F142.4CDC]

Configuration of Contexts
Each context has its own configuration file, which is specified using the config-url command. Until the config-url command has been entered, the context is not operational. The config-url command accepts the following URL types:
–disk0/flash: Configurations stored on the flash file system of the device
–disk1: Configurations stored on the compact flash memory card of the device
–tftp: TFTP server-based configurations
–ftp: FTP server-based configurations
–https: Web server-based configurations (read-only)

Config Context Submode: Designating the Configuration File
ciscoasa(config-ctx)# config-url url
Identifies the URL from which the system downloads the context configuration
–When adding a context URL, the system immediately loads the context so that it is running.
–If the system cannot retrieve the context configuration file, it creates a blank context.
asa1(config-ctx)# config-url disk0:/CONTEXT3.cfg
asa1(config-ctx)# show run
…
context CONTEXT3
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/CONTEXT3.cfg
…

Assigning Resources to Contexts
ciscoasa(config-ctx)# member class_name
Assigns a context to a resource class
asa1(config)# class MEDIUM-RESOURCE-SET
asa1(config-class)# limit-resource ASDM 4
asa1(config-class)# limit-resource conns 20%
asa1(config-class)# exit
asa1(config)# context CONTEXT1
asa1(config-ctx)# member MEDIUM-RESOURCE-SET
As a member of class MEDIUM-RESOURCE-SET, CONTEXT1 has the following limits:
–ASDM sessions: four
–Connections: 20%
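The class, limit-resource, member, config-url and allocate-interface commands shown in this lesson are the system-configuration lines an auditor reads when checking a multiple-context appliance. As an added example that is not code from the slides or from Cisco, the Python script below parses a constructed system configuration written in the form the slides show and reports four things the lesson's rules imply: the absolute limits each context inherits from its class, percentage limits that add up to more than 100 percent of a resource across all member contexts, contexts that have no config-url and so are not operational, and interfaces shared by more than one context (which the classifier can only separate by a context-specific MAC address or by NAT configuration). SAMPLE_SYSTEM_CONFIG and the CAPACITY figures used to turn percentages into counts are constructed, not values from any real appliance.

```python
"""Audit a multiple-context system configuration. Added example, not code from
the slides: it parses class / limit-resource / context / allocate-interface /
config-url / member lines in the form the lesson shows. The configuration and
the CAPACITY figures are constructed sample data."""
from collections import defaultdict

SAMPLE_SYSTEM_CONFIG = """\
class MEDIUM-RESOURCE-SET
  limit-resource ASDM 4
  limit-resource conns 20%
!
class HEAVY-RESOURCE-SET
  limit-resource conns 90%
  limit-resource rate syslogs 500
!
admin-context CONTEXT2
context CONTEXT1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2
  config-url disk0:/CONTEXT1.cfg
  member MEDIUM-RESOURCE-SET
!
context CONTEXT2
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/3
  config-url disk0:/CONTEXT2.cfg
  member HEAVY-RESOURCE-SET
!
context CONTEXT3
  allocate-interface GigabitEthernet0/0
"""
# Constructed platform totals, used only to turn percentage limits into counts.
CAPACITY = {"conns": 10000, "hosts": 5000}


def parse_system_config(text):
    """Return (classes, contexts) parsed from show-run style text."""
    classes, contexts, section = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "!":                       # section separator
            section = None
        elif words[0] == "class":
            section = ("class", words[1])
            classes.setdefault(words[1], {})
        elif words[0] == "context":
            section = ("context", words[1])
            contexts.setdefault(words[1], {"interfaces": [], "config_url": None, "member": None})
        elif section is None:
            continue                              # global line such as admin-context
        elif section[0] == "class" and words[0] == "limit-resource":
            # limit-resource {all 0 | rate name value | name value[%]}
            name, value = (words[2], words[3]) if words[1] == "rate" else (words[1], words[2])
            classes[section[1]][name.lower()] = value
        elif section[0] != "context":
            continue
        elif words[0] == "allocate-interface":
            contexts[section[1]]["interfaces"].append(words[1])
        elif words[0] == "config-url":
            contexts[section[1]]["config_url"] = words[1]
        elif words[0] == "member":
            contexts[section[1]]["member"] = words[1]
    return classes, contexts


def to_count(res, value):
    """Resolve '20%' against CAPACITY; plain values are already counts."""
    if value.endswith("%"):
        return CAPACITY.get(res, 0) * int(value[:-1]) // 100
    return int(value)


def effective_limits(classes, contexts):
    """Per context, the limits inherited from its class, as counts.
    A context with no member line belongs to the default class."""
    return {name: {res: to_count(res, v) for res, v in classes.get(ctx["member"], {}).items()}
            for name, ctx in contexts.items()}


def oversubscribed(classes, contexts):
    """Resources whose percentage limits, summed over all member contexts, exceed 100%."""
    totals = defaultdict(int)
    for ctx in contexts.values():
        for res, v in classes.get(ctx["member"], {}).items():
            if v.endswith("%"):
                totals[res] += int(v[:-1])
    return {res: pct for res, pct in totals.items() if pct > 100}


def shared_interfaces(contexts):
    """Interfaces allocated to more than one context: packets on these can only be
    classified by a context-specific MAC address or by the NAT configuration."""
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        for intf in ctx["interfaces"]:
            owners[intf].append(name)
    return {i: sorted(o) for i, o in owners.items() if len(o) > 1}


def audit(text=SAMPLE_SYSTEM_CONFIG):
    classes, contexts = parse_system_config(text)
    return {
        "limits": effective_limits(classes, contexts),
        "oversubscribed": oversubscribed(classes, contexts),
        # No config-url: the lesson states such a context is not operational.
        "not_operational": sorted(n for n, c in contexts.items() if c["config_url"] is None),
        "shared_interfaces": shared_interfaces(contexts),
    }
```

Running audit() on the sample reports CONTEXT1 limited to 4 ASDM sessions and 2000 connections, CONTEXT2 to 9000 connections, connections oversubscribed at 110 percent, CONTEXT3 not operational, and GigabitEthernet0/0 shared by all three contexts. Oversubscription is counted per member context because every context in a class receives the class percentage, so ten contexts in a 20 percent class can claim twice the system total between them.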

Saving Context Configurations
After the context has been activated, it is configured much the same as any standalone security appliance, as follows:
–Once in a context, you can enter configuration mode to modify the context configuration.
–The startup configuration for a context resides where the config-url command specifies. The location of the startup configuration cannot be changed from within the context.
–Commands such as write mem and copy run start manipulate the configuration location specified by the config-url command.
–You can use the write memory all command to save all context configurations, including the system configuration, at the same time.

Managing Security Contexts

Removing a Security Context
ciscoasa(config)# no context name
asa1(config)# no context CONTEXT3
WARNING: Removing context 'CONTEXT3'
Proceed with removing the context? [confirm]
–You can only remove a context by editing the system configuration.
–You cannot remove the current admin context unless you remove all contexts.
–A reboot is not required when creating or removing a context.
ciscoasa(config)# clear configure context
Removes all contexts, including the administrative context.

Changing the Admin Context
ciscoasa(config)# admin-context name
Sets any context as the admin context
asa1(config)# admin-context CONTEXT2
asa1(config)# show run
…
admin-context CONTEXT2
context CONTEXT2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/3
config-url disk0:/CONTEXT2.cfg
…

Changing Between Contexts
ciscoasa# changeto {system | context name}
Changes the environment to the system execution space or to the context specified
asa1# changeto context CONTEXT1
asa1/CONTEXT1#
Changes the environment to CONTEXT1
asa1/CONTEXT1# changeto system
asa1#
Changes the environment to the system execution space

Viewing Context Information
ciscoasa# show context [name | detail | count]
Displays contexts and context information; an asterisk (*) designates the admin context.
asa1# show context
Context Name      Interfaces                    URL
*admin            GigabitEthernet0/0            disk0:/admin.cfg
                  GigabitEthernet0/1
CONTEXT1          GigabitEthernet0/0            disk0:/CONTEXT1.cfg
                  GigabitEthernet0/2
CONTEXT2          GigabitEthernet0/0            disk0:/CONTEXT2.cfg
                  GigabitEthernet0/3
Total active Security Contexts: 3
…

Viewing Context Information (Cont.)
ciscoasa# show context [name | detail | count]
asa1# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/1
Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1
Flags: 0x , ID: 1
…
The detail option shows additional information. The count option shows the total number of contexts.

Summary

Summary
–Virtual firewalls allow you to separate the security appliance into multiple independent firewalls called security contexts.
–Packets can be classified by unique interfaces, MAC addresses, or NAT configuration.
–You can assign a different MAC address to each context that uses a shared interface.
–You can configure resource management to limit the use of resources per context.
–Security contexts can be managed and configured independently.

Q and A
