
CISCO ADVANCED SECURITY APPLIANCES (ASA)
Hello!
I am ___________
I am here because I love to give presentations.

Introduction

- ASA firewall supports software virtualization, by means of so-called firewall contexts.
- Every context has its own set of routing, filtering/inspection and address translation rules.
- All contexts must be in either routing or transparent firewall mode – you cannot mix modes in different contexts.

Introduction

- Supported Features:
  - Only static routing
  - Firewall features
  - IPS
  - Management
- Unsupported Features (for ASA pre 9 versions):
  - VPN termination
  - Dynamic Routing Protocol
  - QoS
- New features introduced in ASA 9:
  - Site-to-Site VPN in multiple context mode
  - New resource type for site-to-site VPN tunnels
  - Dynamic routing in Security Contexts
  - New resource type for routing table entries
  - Mixed firewall mode support in multiple context mode

Introduction

Where do we use Multiple context?

- In ISPs, where they sell security services to many customers, they implement a cost-effective, space-saving solution.
- Large Enterprises who keep their departments completely separated.
- Basically, we use multiple context whenever there is a network that requires more than one security appliance.

Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance.

CONTEXT TYPES

Context Types

- System Context
- Admin Context
- Normal Context

System Context

- The System administrator adds and manages contexts by configuring each context's configuration location, allocated interfaces, and other context operational parameters in the system configuration.

- The system configuration identifies basic settings for the security appliance. You cannot assign any IP addresses when you are under the system context, with the exception of the management interface.

- You can upgrade or downgrade the PIX/ASA software only in the System EXEC mode, not in the other context modes.

Admin Context
- The admin context is like any other context, except that when a user logs in to the admin context, that user will have system administrator rights, and can access the system and all other contexts.

- Admin context configuration must reside on the Flash memory.

- If you convert from Single mode to Multiple Context mode, the admin context is created automatically and its configuration file is created on the flash memory.

- This context could be combined with any regular user context or be dedicated.

- Note: The admin context (when it is dedicated) is not counted in the context license. For example, if you get the license for two contexts, you are allowed to have the admin context and two other contexts.

Normal Context

- Is the actual partitioned firewall.

- Contexts can be accessed via Console, Telnet, SSH, and ASDM.

- If you log in to a non-admin context, you can only access the configuration for that context.

CONFIGURATION

Configuration

Note: The ports on the switch that are connected to the ASA must be in trunk mode, since multiple VLAN traffic has to travel through them once the ASA interfaces are broken into sub-interfaces.

Configuration

- In order to turn the firewall to the multiple contexts mode, you should enter the command mode multiple when logged in via the console port.
- Note: You may do this remotely, but you risk losing connection to the box.
- This will force the mode change to multiple and reload the appliance.
- If you connect to the appliance via the console port, you are logged into the system context after the reload.

Configuration

- When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files:
  1. A new startup configuration that comprises the system configuration.
  2. admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).
- The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory).
- The original startup configuration is not saved.
- The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin".

Configuration Steps

- You should do the following things while logged into the system context:

1) Configure physical interfaces. You need to un-shutdown the interfaces that you want to allocate to the contexts. If you are creating sub-interfaces using VLANs, you should do it under the system context as well.

Configuration Steps

2) Define the admin context.
- This is a special context that allows logging in to the firewall remotely (via ssh, telnet or https).
- This context should be configured first, as the firewall won’t let you create any other contexts prior to designating the admin context using the global command admin-context <NAME>.
- As we have said, this context is automatically created when you convert from the single-context mode.
Configuration Steps

3) Define additional contexts if needed and allocate physical interfaces to the contexts.
- Use the command allocate-interface <Physical-Interface> [<Iface-Name>] under the context configuration mode for interface allocation.
- Here <Physical-Interface> is the physical interface or sub-interface name and <Iface-Name> is the name that the context sees for this interface.
- Using this command you can hide the real interface names from the context administrators (e.g. hide VLAN numbers), in order to provide an additional level of isolation from the physical configuration.

Configuration Steps

4) Change to the context configuration, and proceed as usual.
- Assign interface names, security levels and IP addresses.
- Set up static routes for subnets not directly connected to the context – even for the subnets connected to other contexts.

Configuration Notes

- Physical interfaces can be shared among contexts, i.e. you may assign the same interface to different contexts.

- Interface sharing is the unique feature of the ASA firewall contexts, and this is what makes it stand apart from IOS VRF technology.

- When an interface is shared between two contexts, certain classification rules should be applied to determine which context the incoming packets should use.

Configuration Notes

- If there is a shared physical interface between the contexts, each context could
generally have different IP and MAC addresses on this interface.

- It is possible to share the IP address as well, though. If you want to assign the same IP
address to the shared interfaces in multiple context mode you’ll need to give the logical
interfaces a separate MAC address.

- You may use non-overlapping subnets or simply different IPs on the same subnet.

- By default both contexts will inherit the same MAC address from the shared physical
interface. This might result in the firewall not being able to classify the incoming traffic
properly.

- Use the command mac-address auto in the system context to automatically generate a
MAC address for every new “virtual” interface.

Configuration
In order to enable multiple mode, enter this command:

hostname(config)# mode multiple

You are prompted to reboot the security appliance:

CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Rebooting....
Configuration

- Creating a new context:

ciscoasa(config)# context ContextA
ciscoasa(config-ctx)# description text
ciscoasa(config-ctx)# allocate-interface <Physical_interface> [mapped name]
ciscoasa(config-ctx)# config-url url

- You can’t rename a context; you will have to delete it, then create a new one with the new name.
- Delete a context:

ciscoasa(config)# no context ContextA
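The configuration steps and notes above can be checked mechanically before they are typed in. The following Python is an added illustration, not Cisco's code and not part of these slides: it renders the system-context lines (interfaces and VLAN sub-interfaces first, then admin-context, then each context with allocate-interface and config-url) from a small description and warns about the pitfall the notes mention, a shared interface without mac-address auto. The SPEC layout, lint() and render() are invented here; the interface and context names and the disk0: flash prefix are constructed sample values. Step 4 (per-context interface names, security levels, IPs and static routes) is done inside each context and is not rendered here.

```python
"""Render and sanity-check a system-context configuration for ASA multiple
context mode, following the configuration steps on the slides.
Added illustration, not Cisco code: the SPEC layout and the lint()/render()
helpers are invented here. The interface names, context names and the
disk0: flash prefix are constructed sample values."""
from collections import Counter

# Constructed sample: two customer contexts share one outside sub-interface
# (VLAN 100) and each gets its own inside sub-interface. mac-address auto is
# deliberately left off so lint() has something to report.
SPEC = {
    "admin": {"name": "admin", "url": "disk0:/admin.cfg",
              "interfaces": {"Management0/0": "mgmt"}},
    "contexts": [
        {"name": "ContextA", "url": "disk0:/contexta.cfg",
         "interfaces": {"GigabitEthernet0/0.100": "outside",
                        "GigabitEthernet0/1.10": "inside"}},
        {"name": "ContextB", "url": "disk0:/contextb.cfg",
         "interfaces": {"GigabitEthernet0/0.100": "outside",
                        "GigabitEthernet0/1.20": "inside"}},
    ],
    "mac_address_auto": False,
}


def all_contexts(spec):
    """Admin context first, then the regular contexts."""
    return [spec["admin"], *spec["contexts"]]


def shared_interfaces(spec):
    """Interfaces (physical or sub-interface) allocated to more than one context."""
    counts = Counter()
    for ctx in all_contexts(spec):
        counts.update(ctx["interfaces"])
    return sorted(name for name, n in counts.items() if n > 1)


def lint(spec):
    """Warnings for the pitfalls the slides call out."""
    warnings = []
    if not spec.get("admin"):
        warnings.append("no admin context: the firewall will not let you create other contexts")
        return warnings
    shared = shared_interfaces(spec)
    if shared and not spec.get("mac_address_auto"):
        warnings.append("shared interface(s) %s without 'mac-address auto': contexts inherit "
                        "the physical MAC and traffic classification may fail" % ", ".join(shared))
    if not spec["admin"]["url"].startswith("disk0:/"):
        warnings.append("admin context configuration must reside on flash")
    return warnings


def render(spec):
    """System-context CLI lines in the order the steps require: bring up
    interfaces, designate the admin context, then define every context."""
    lines = []
    ifaces = set()
    for ctx in all_contexts(spec):
        for name in ctx["interfaces"]:
            ifaces.add(name)
            if "." in name:                 # sub-interface: its parent must be up too
                ifaces.add(name.split(".")[0])
    for name in sorted(ifaces):             # step 1: physical interfaces and VLAN sub-interfaces
        lines.append("interface %s" % name)
        if "." in name:
            lines.append(" vlan %s" % name.split(".")[1])
        lines.append(" no shutdown")
    if spec.get("mac_address_auto"):
        lines.append("mac-address auto")
    lines.append("admin-context %s" % spec["admin"]["name"])   # step 2
    for ctx in all_contexts(spec):                              # step 3
        lines.append("context %s" % ctx["name"])
        for name, mapped in ctx["interfaces"].items():
            lines.append(" allocate-interface %s %s" % (name, mapped))
        lines.append(" config-url %s" % ctx["url"])
    return lines


if __name__ == "__main__":
    for warning in lint(SPEC):
        print("WARNING:", warning)
    print("\n".join(render(SPEC)))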

Example Scenario

FIREWALL CONTEXTS ROUTING

Firewall Context Routing

- As mentioned previously, in the multiple-context mode the firewall supports only static routing.
- You need to configure a static route for every non-directly connected subnet for a firewall context, or set up a static default route.
- All adjacent routers should also be configured with static routes to allow for full connectivity.

Firewall Context Routing

- Routing between contexts:
  - Firewall contexts do not share IP routing tables, and thus if you want to establish communications between the routing contexts you need either of the following:
    1. Configure each context with a set of static routes for the subnets connected or located behind the other context.
    2. Use an external router that has full knowledge of the subnets behind each of the contexts to provide connectivity.

Firewall Context Routing

- Context Cascading
  - Recall that physical interfaces can be shared between the contexts.
  - In some scenarios, you may even configure the same physical interface as the inside for one context and outside for another. This is called context cascading. *Look at the figure below.

FIREWALL CONTEXTS CLASSIFICATION

Firewall Contexts Classification

- It is easy to assign an input packet to the context if the interface where it has been received is uniquely allocated to the context.
- If the interface is shared, additional rules are needed.

Firewall Contexts Classification

- Shared interfaces classification rules:
  1) The firewall looks at the destination MAC address of the packet – the destination MAC designates the “next-hop” for the packet.*
  2) If the MAC address is the same in both contexts for the same interface, the firewall attempts to use the NAT configuration in every context to resolve the “conflicts”.
    - This may happen if you intentionally assign the same IP address to both contexts or did not assign different MAC addresses to the shared interfaces.
    - The firewall attempts to match the destination IP address and TCP/UDP port information in the packet with the active translation slots in every context. The context with the matching translation slot is selected as the target context.
    - This type of classification allows sharing the same IP subnet or even IP address on the shared interface.
    - You are not required to have unique MAC addresses in each context, as the translation slots are used for traffic classification.
Firewall Contexts Classification

- Shared interfaces classification rules:
  3) If all contexts on the shared interface use the same IP address/MAC, then you cannot access the contexts on the shared interface.
    - Why? Because for traffic destined to the firewall itself, it classifies based on the destination IP address.
    - So it is generally recommended to use separate IP addresses (MAC could be the same) on the shared interfaces.
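The three rules above are easier to reason about when run against concrete packets. The following Python is an added illustration, not Cisco's classifier and not part of these slides: it applies the rules in order (destination MAC, then active translation slots, then destination IP for traffic to the firewall itself) to a shared interface modelled as a list of per-context views, and returns None where the firewall could not classify the packet. ContextIf, classify() and the MAC/IP/port values are constructed here.

```python
"""Simulate the shared-interface classification rules for a packet arriving
on an interface allocated to several contexts. Added illustration, not
Cisco's classifier: ContextIf, classify() and the sample addresses are
constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class ContextIf:
    """One context's view of the shared interface, plus its active
    translation (xlate) slots as (destination IP, destination port) pairs."""
    context: str
    mac: str
    ip: str
    xlates: set = field(default_factory=set)


def classify(packet, contexts):
    """Return the name of the context that receives `packet`, or None when the
    firewall cannot decide. `packet` has dst_mac, dst_ip and dst_port."""
    # Rule 1: the destination MAC names the next hop; if only one context
    # owns that MAC on this interface, the decision is made here.
    by_mac = [c for c in contexts if c.mac.lower() == packet["dst_mac"].lower()]
    if len(by_mac) == 1:
        return by_mac[0].context
    if not by_mac:
        return None          # not addressed to any context on this interface
    # Rule 2: several contexts share the MAC, so look for an active
    # translation slot matching destination IP and port in each of them.
    by_xlate = [c for c in by_mac
                if (packet["dst_ip"], packet["dst_port"]) in c.xlates]
    if len(by_xlate) == 1:
        return by_xlate[0].context
    # Rule 3: traffic to the firewall itself is classified by destination IP;
    # if more than one context answers to that IP (same IP and same MAC) the
    # packet cannot be classified and those contexts are unreachable here.
    to_box = [c for c in by_mac if c.ip == packet["dst_ip"]]
    return to_box[0].context if len(to_box) == 1 else None


# Constructed scenarios (RFC 5737 documentation addresses, made-up MACs).
UNIQUE_MAC = [
    ContextIf("ContextA", "00aa.bbcc.0001", "203.0.113.1"),
    ContextIf("ContextB", "00aa.bbcc.0002", "203.0.113.2"),
]
SHARED_MAC = [
    ContextIf("ContextA", "00aa.bbcc.0001", "203.0.113.1", {("203.0.113.10", 443)}),
    ContextIf("ContextB", "00aa.bbcc.0001", "203.0.113.2", {("203.0.113.20", 80)}),
]
SHARED_MAC_AND_IP = [
    ContextIf("ContextA", "00aa.bbcc.0001", "203.0.113.1"),
    ContextIf("ContextB", "00aa.bbcc.0001", "203.0.113.1"),
]


def pkt(mac, ip, port):
    """Build a minimal packet description for classify()."""
    return {"dst_mac": mac, "dst_ip": ip, "dst_port": port}


if __name__ == "__main__":
    print(classify(pkt("00aa.bbcc.0002", "203.0.113.20", 80), UNIQUE_MAC))      # ContextB by MAC
    print(classify(pkt("00aa.bbcc.0001", "203.0.113.10", 443), SHARED_MAC))     # ContextA by xlate
    print(classify(pkt("00aa.bbcc.0001", "203.0.113.1", 22), SHARED_MAC_AND_IP)) # None: unreachable
```

The last case is rule 3 in action: with the same MAC and the same IP in both contexts, management traffic to the interface address has no unique owner, which is why the slides recommend distinct IP addresses on shared interfaces.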
RESOURCE MANAGEMENT

Resource Management

- The firewall has limited resources, shared between the contexts.
- The resources include concurrent connections, inspections, translation slots, management sessions (telnet, ssh and https), number of inside hosts and so on.
- Some of those resources are limited based on the licensing option – e.g. the number of inside hosts. Others are limited by the firewall hardware.

Resource Management

- In order to avoid resource contention and exhaustion, the firewall allows limiting per-context resources using the resource class concept.
- Every class specifies the amount of resource available to a context. Classes are assigned to the contexts to enforce the limits.
- By default, all contexts are assigned class “default”.
- Note that contexts do not “share” the particular class resources. They only inherit the resource limits set by a class.

Resource Management

- When you create a new class, it inherits all limits from the “default” resource class.
- When you re-define any particular limit in the new class, you automatically override the default setting for this limit.
- You may also configure the default class settings, and all classes will inherit these values unless they redefine them.
Resource Management

Resource Management

- The appliance never “reserves” any resources for classes. It simply uses them to compute the resource limits and satisfies any request that is within the limit for a given class.
- For example, suppose the system supports up to 1000 connections maximum, and you create a new class with the limit of 500 connections. You assign this class to 3 contexts. At the peak of their usage every context may request up to 500 connections, exceeding the total limit of 1000. Thus it is up to the administrator to properly set limits and prevent resource starvation.
- You may set resource limits in absolute values (e.g. number of connections or hosts) or in percentages of the maximum resource available.

Resource Management

- The syntax is:

class <NAME>
limit-resource <Resource> [<Value>|{1-100%}]

- Some resources, like Conns, Inspects and Syslogs, support rate limiting, using the command:

limit-resource rate {conns|inspects|syslogs} [<Value>|{1-100%}]
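The inheritance, percentage and "never reserved" rules of the preceding slides can be checked for a planned class layout before it is configured. The following Python is an added illustration, not Cisco's resource manager and not part of these slides: resolve_limits() works out the effective limits of a class (default values unless overridden, percentages taken of the system maximum) and oversubscription() reproduces the 1000/500/3-context arithmetic from the slide for every resource at once. SYSTEM_MAX, the class names and the numbers are constructed; resolve_limits() and oversubscription() are invented helper names.

```python
"""Model the resource class rules on the slides: a class inherits every limit
from 'default' unless it overrides it, limits may be absolute or a percentage
of the system maximum, and nothing is reserved, so the sum of per-context
limits can exceed what the appliance has. Added illustration with invented
helper names and constructed numbers, not Cisco code."""

# Constructed system-wide maxima (what the hardware/license allows in total).
SYSTEM_MAX = {"conns": 1000, "xlates": 2000, "hosts": 100}


def resolve_limits(classes, name, system_max=SYSTEM_MAX):
    """Effective absolute limits of class `name`: start from the default class,
    apply the class's own overrides; 'N%' is taken of the system maximum and
    'unlimited' means the whole system maximum."""
    effective = dict(classes.get("default", {}))
    effective.update(classes.get(name, {}))
    resolved = {}
    for resource, value in effective.items():
        cap = system_max[resource]
        if value == "unlimited":
            resolved[resource] = cap
        elif isinstance(value, str) and value.endswith("%"):
            resolved[resource] = cap * int(value[:-1]) // 100
        else:
            resolved[resource] = int(value)
    return resolved


def oversubscription(classes, assignments, system_max=SYSTEM_MAX):
    """Worst-case demand per resource if every context used its full limit at
    the same time, against what the appliance can actually deliver. A class
    with no limit for a resource is counted as able to take the whole maximum."""
    report = {}
    for resource, cap in system_max.items():
        demand = 0
        for cls in assignments.values():
            demand += resolve_limits(classes, cls, system_max).get(resource, cap)
        report[resource] = {"demand": demand, "capacity": cap,
                            "oversubscribed": demand > cap}
    return report


# Constructed example from the slide: 1000 connections system-wide, a class
# limited to 500 connections assigned to three contexts.
CLASSES = {
    "default": {"conns": "unlimited", "xlates": "unlimited", "hosts": "unlimited"},
    "gold":    {"conns": 500},                 # inherits xlates/hosts from default
    "silver":  {"conns": "25%", "hosts": 20},  # 25% of 1000 connections
}
ASSIGNMENTS = {"ContextA": "gold", "ContextB": "gold", "ContextC": "gold"}


if __name__ == "__main__":
    for resource, row in oversubscription(CLASSES, ASSIGNMENTS).items():
        flag = "OVERSUBSCRIBED" if row["oversubscribed"] else "ok"
        print("%-7s demand %5d / capacity %5d  %s" % (resource, row["demand"], row["capacity"], flag))
```

Only the administrator's arithmetic prevents starvation here: the appliance accepts the class and the assignments as configured, and the 1500-connection worst case only shows up when all three contexts peak together.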

Q&A

Thank You

