Information about Security Context

We can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Note:- When the ASA is configured for security contexts (for example, for Active/Active Stateful Failover), IPsec or SSL VPN cannot be enabled. Therefore, these features are unavailable.

We will be working on a small topology built in GNS3 just to understand the concept and functionality of the ASA in multiple context mode.

[Figure: ASA multiple context]

There are three types of contexts.

  • The custom-made context, the kind we are going to create, such as SECURE or LEGACY.
  • The Admin context. It is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. Normally in a production network the "Management 0" interface is assigned to this context.
  • The System context. The system administrator adds and manages contexts by configuring each context's configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses the context that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

In the figure above, R1 and R3 are on the 13.13.13.0/24 subnet and will use context LEGACY, while R2 and R4 are on the 24.24.24.0/24 subnet and will use context SECURE inside the ASA to communicate with each other. We will assign 13.13.13.254 and 24.24.24.254 to the ASA1 interface inside the respective context and configure a default route on each device towards that ASA1 interface to check connectivity.

The physical topology is mentioned below. Sorry for my bad drawing skills.

[Figure: ASA multiple context, physical topology]

R1 and R3 are part of VLAN 13 and R2 and R4 are part of VLAN 24. GigE1 is connected to SW1, GigE2 is connected to SW2, and there is a trunk between SW1 and SW2. We will first configure the switches as shown above. IP addressing is shown above.

Task Flow for Configuring Multiple Context Mode

To configure multiple context mode, perform the following steps:

  • Step 1    Enable multiple context mode.
  • Step 2    (Optional) Configure classes for resource management.
  • Step 3    Configure interfaces in the system execution space.
  • Step 4    Configure security contexts.
  • Step 5    (Optional) Automatically assign MAC addresses to context interfaces.
  • Step 6    Complete interface configuration in the context.

Step 1:- Enabling Multiple Context Mode

Prerequisites

  • When we convert from single mode to multiple mode, the ASA converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, back it up before proceeding.

  • The context mode (single or multiple) is not stored in the configuration file, even though it persists across reboots. If we need to copy our configuration to another device, set the mode on the new device to match.

Now let's enable "mode multiple". It gives us a warning and asks for a reload, so reload the device and check the disk0: contents afterwards.

ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!!
The old running configuration file will be written to flash

Converting the configuration – this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

ASA1# sh disk0:
--#--  --length--  -----date/time------  path
5  4096        Dec 09 2012 02:53:34  log
14  4096        Dec 09 2012 02:53:36  coredumpinfo
15  59          Dec 09 2012 02:53:36  coredumpinfo/coredump.cfg
48  17738924    Dec 09 2012 03:08:38  asdm-702.bin
49  4805906     Dec 09 2012 03:17:08  anyconnect-win-2.5.3055-k9.pkg
50  6975261     Dec 09 2012 03:17:28  anyconnect-linux-2.5.3055-k9.pkg
51  6300827     Dec 09 2012 03:17:46  anyconnect-macosx-i386-2.5.3055-k9.pkg
32  0           Dec 10 2012 01:25:46  nat_ident_migrate
53  8855        Feb 01 2013 01:49:44  old_running.cfg
54  5710        Feb 01 2013 01:50:10  admin.cfg

Our single mode running config has now been saved as "old_running.cfg" and "admin.cfg"; we can confirm its contents with "ASA1# more disk0:old_running.cfg".

Step 2 (Optional) Configure classes for resource management:-

To set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

ASA1(config)# class default
ASA1(config-class)# limit-resource conns 10%
All other resources remain at unlimited.

To add a class called gold, enter the following commands:

ASA1(config)# class gold
ASA1(config-class)# limit-resource mac-addresses 10000
ASA1(config-class)# limit-resource conns 15%
ASA1(config-class)# limit-resource rate conns 1000
ASA1(config-class)# limit-resource rate inspects 500
ASA1(config-class)# limit-resource hosts 9000
ASA1(config-class)# limit-resource asdm 5
ASA1(config-class)# limit-resource ssh 5
ASA1(config-class)# limit-resource rate syslogs 5000
ASA1(config-class)# limit-resource telnet 5
ASA1(config-class)# limit-resource xlates 36000

Step 3 & 4 Configure interfaces in the system execution space and configure security contexts:-

First let's clear the old interface configuration.

ASA1(config)# clear configure interface

Now let's create our interfaces and assign them to contexts.

interface GigabitEthernet1.13
vlan 13
!
interface GigabitEthernet2.24
vlan 24
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!

context SECURE
member gold
allocate-interface GigabitEthernet2.24 int24
config-url disk0:/SECURE.cfg
!

context LEGACY
member gold
allocate-interface GigabitEthernet1.13 int13
config-url disk0:/LEGACY.cfg
!
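The system-context configuration above can be sanity-checked before any "changeto context" is done. The following Python script is an added example, not part of the original post or any Cisco tool: it parses the context definitions (assumed to look exactly like the running config shown above, with single-interface allocations and no ranges) and flags a missing admin context, a context without a config-url, and any interface allocated to more than one context, since a shared link would undermine the per-context separation this lab relies on.

```python
# Constructed sample: the system-execution-space configuration from this post.
SYSTEM_CONFIG = """\
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context SECURE
member gold
allocate-interface GigabitEthernet2.24 int24
config-url disk0:/SECURE.cfg
!
context LEGACY
member gold
allocate-interface GigabitEthernet1.13 int13
config-url disk0:/LEGACY.cfg
!
"""

def parse_system_config(text):
    """Return (admin context name, {context: {'class', 'ifaces', 'url'}})."""
    admin, ctxs, cur = None, {}, None
    for line in text.splitlines():
        toks = line.split() or ["!"]          # blank lines behave like '!' separators
        if toks[0] == "admin-context":
            admin = toks[1]
        elif toks[0] == "context":            # no 'member' line means the default class
            cur = ctxs.setdefault(toks[1], {"class": "default", "ifaces": {}, "url": None})
        elif cur is not None and toks[0] == "member":
            cur["class"] = toks[1]
        elif cur is not None and toks[0] == "allocate-interface":
            cur["ifaces"][toks[1]] = toks[2] if len(toks) > 2 else toks[1]  # physical -> mapped name
        elif cur is not None and toks[0] == "config-url":
            cur["url"] = toks[1]
    return admin, ctxs

def audit(text):
    """Pre-flight checks: admin context defined, every context loadable, no unnoticed sharing."""
    admin, ctxs = parse_system_config(text)
    findings, owners = [], {}
    if admin not in ctxs:
        findings.append(f"admin-context {admin!r} is not defined as a context")
    for name, c in ctxs.items():
        if c["url"] is None:
            findings.append(f"{name}: no config-url, so the context cannot be loaded")
        for phys in c["ifaces"]:
            owners.setdefault(phys, []).append(name)
    for phys, names in owners.items():
        if len(names) > 1:                    # one link feeding two 'independent devices'
            findings.append(f"{phys} is allocated to {', '.join(names)}; confirm sharing is intended")
    return findings
```

Running audit() on the configuration above returns an empty list; adding a context that re-allocates GigabitEthernet2.24 produces a sharing finding.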

Step 6    Complete interface configuration in the context:- (we skip step 5 for now, since it is optional)

For now we will not assign any interface to the ADMIN context; normally in a production network we assign "Management 0" to the ADMIN context for management only. That's all the config needed in the system context, so now let's move into the individual contexts and configure the rest.

ASA1# changeto context SECURE
ASA1/SECURE# conf t
ASA1/SECURE(config)# interface int24
ASA1/SECURE(config-if)#  nameif inside
ASA1/SECURE(config-if)#  security-level 100
ASA1/SECURE(config-if)#  ip address 24.24.24.254 255.255.255.0
ASA1/SECURE(config-if)#  nameif inside_secure
ASA1/SECURE(config-if)# end

Now let's move to the LEGACY context and configure its interface.

ASA1/SECURE# changeto context LEGACY
ASA1/LEGACY# conf t
ASA1/LEGACY(config)# interface int13
ASA1/LEGACY(config-if)#  nameif inside_legacy
ASA1/LEGACY(config-if)#  security-level 100
ASA1/LEGACY(config-if)#  ip address 13.13.13.254 255.255.255.0
ASA1/LEGACY(config-if)# end
ASA1/LEGACY#

Now on R1 and R3 create a default route towards 13.13.13.254 (the ASA1/LEGACY context), and on R2 and R4 towards 24.24.24.254 (the ASA1/SECURE context).

R1 and R3
ip route 0.0.0.0 0.0.0.0 13.13.13.254
R2 and R4
ip route 0.0.0.0 0.0.0.0 24.24.24.254

Verification:- Now, to test the connectivity, let's ping from R1, R2, R3 and R4.

R1#ping 13.13.13.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/32 ms
R1#ping 13.13.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/32 ms
!
R3#ping 13.13.13.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/32 ms
R3#ping 13.13.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/40 ms
!
R2#ping 24.24.24.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/16 ms
R2#ping 24.24.24.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms
!
R4#ping 24.24.24.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms
R4#ping 24.24.24.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms

Now let's verify on ASA1 with a few show commands.

ASA1# sh context
Context Name      Class      Interfaces           URL
*admin            default                         disk0:/admin.cfg
SECURE           gold       GigabitEthernet2.24  disk0:/SECURE.cfg
LEGACY           gold       GigabitEthernet1.13  disk0:/LEGACY.cfg

Total active Security Contexts: 3
ASA1# sh disk0:           --> All files are in place.
--#--  --length--  -----date/time------  path
--- rest of the output omitted ---
53  8855        Feb 01 2013 01:49:44  old_running.cfg
54  5710        Feb 01 2013 01:50:10  admin.cfg
55  1567        Feb 01 2013 03:39:10  SECURE.cfg
58  1567        Feb 01 2013 03:53:23  LEGACY.cfg

Our configuration is indeed working; we will work on more complex scenarios later on.