Configuration of an ASA in Transparent and Multi Context Mode

Topology used

[Topology diagram: the two ASAs, the management network, R1/R2 and the VLAN 100/200 hosts; image not reproduced]

Multiple Contexts configuration

First, the firewall has to be configured as transparent and multi-context with the commands firewall transparent and mode multiple. The latter command requires a reboot to complete.

After the reboot, only one context exists by default: the admin context. Any interfaces that were already present are now owned by this context.

The PROD context is created with the context command. The context submode is where interfaces will be allocated later on.

Transparent mode and Management

Now we need to configure the management access in order to be able to manage the device in the future.

On some platforms, a dedicated management interface is used to manage the device. In GNS3 no such interface is present, so the device has to be managed through a regular data interface.

As we are in transparent mode, physical interfaces cannot own an IP address:

ASA1# conf t
ASA1(config)# inter g0
ASA1(config-if)# ?

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  exit           Exit from interface configuration mode
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface

This is where the BVI interface comes into play. As in regular IOS, a BVI interface represents a single broadcast domain. To configure it, be sure to go into the context where you want it to exist; to enter a context, use the changeto context command.

interface BVI1
 ip address 192.168.1.200 255.255.255.0

Now the interfaces belonging to bridge-domain 1 must be identified. This is configured with the bridge-group command under the interface in question. While configuring the first interface, we can also give it a nameif and let the system assign the security level.

interface GigabitEthernet0
 nameif management
 bridge-group 1
 security-level 0

From here, the management network should be able to reach the bridge network in GNS3:

ASA1/admin# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

This operation must be done on both firewalls. Do not forget to also unshut the interface in the system context.

Failover and Stateful configuration, Active/Standby

The failover configuration requires a dedicated link between the ASAs. In GNS3 the fourth interface is used for failover and is placed in VLAN 50.

The primary and secondary units must be declared, along with the interface and IP addresses that will be used:

failover
failover lan unit primary
failover lan interface folink GigabitEthernet3
failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2

On the secondary box, the only change is the secondary keyword in the failover lan unit command. Something that is not intuitive from the CLI help is the configuration of the link: what the software wants you to specify is the future nameif of the interface you want to use for the failover link. You do not need to set it under the interface; the firewall does that itself and adds a description under the interface.

Also, the failover interface ip command does not change between the two boxes; this is unlike HSRP or VRRP. Here the primary ASA uses 1.1.1.1 and the standby ASA uses 1.1.1.2. Redundancy is achieved by moving MAC addresses between the units.

When this is complete, you can check the state of operations with the show failover command:

ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 08:03:27 UTC Oct 22 2012
        This host: Primary - Active
                Active time: 359 (sec)
                  admin Interface management (192.168.1.200): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  admin Interface management (0.0.0.0): Normal (Waiting)

This is the output on the primary box. The secondary box's output is very similar, except that it identifies itself as secondary.
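A small health check over this output, added here as an example and not code from the original post: it parses the fields shown above from a constructed sample of show failover text and lists anything that would prevent a clean failover (link down, software mismatch, peer not Standby Ready, a monitored interface not in Normal state).

```python
import re

# Constructed 'show failover' output in the format shown above (sample values,
# trimmed to the lines the check reads).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet3 (up)
Version: Ours 8.4(2), Mate 8.4(2)
        This host: Primary - Active
                Active time: 359 (sec)
                  admin Interface management (192.168.1.200): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  admin Interface management (0.0.0.0): Normal (Waiting)
"""

def parse_failover(output):
    """Pull the health-relevant fields out of 'show failover' text."""
    def grab(pattern):
        m = re.search(pattern, output, re.M)
        return m.groups() if m else (None, None)
    info = {"failover_on": bool(re.search(r"^Failover On\b", output, re.M))}
    info["link"], info["link_state"] = grab(r"Failover LAN Interface: (\S+) \S+ \((\w+)\)")
    info["ours"], info["mate"] = grab(r"Version: Ours (\S+), Mate (\S+)")
    info["this_host"] = grab(r"This host: (\w+) [-\u2013] (.+?)\s*$")
    info["other_host"] = grab(r"Other host: (\w+) [-\u2013] (.+?)\s*$")
    # Monitored interfaces as (context, nameif, state), e.g. ('admin', 'management', 'Normal (Waiting)')
    info["interfaces"] = [(m.group(1), m.group(2), m.group(3).strip()) for m in
                          re.finditer(r"(\w+) Interface (\S+) \([\d.]+\): (.+)", output)]
    return info

def failover_findings(info):
    """Reasons this pair would not fail over cleanly; an empty list means healthy."""
    findings = []
    if not info["failover_on"]:
        findings.append("failover is off")
    if info["link_state"] != "up":
        findings.append(f"failover link {info['link']} is {info['link_state']}")
    if info["ours"] != info["mate"]:
        findings.append(f"software mismatch: ours {info['ours']}, mate {info['mate']}")
    states = {info["this_host"][1], info["other_host"][1]}
    if "Active" not in states or "Standby Ready" not in states:
        findings.append(f"unit states are {sorted(states)}, expected Active + Standby Ready")
    for ctx, name, state in info["interfaces"]:
        if not state.startswith("Normal"):
            findings.append(f"{ctx}/{name} is {state}")
    return findings
```

Running failover_findings(parse_failover(SHOW_FAILOVER)) on the sample returns an empty list; feed it the real output of both units after any change to catch a version mismatch or a peer stuck outside Standby Ready before relying on the pair.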

Next, we have the option to add a Stateful link. The Stateful link is used to exchange state information between the two firewalls, so that when a failover occurs the standby firewall already has all the information about the open sessions and traffic is not interrupted.

Without a Stateful link, all TCP sessions would be reset, because the existing flows arriving at the standby firewall are not yet known to it.

failover link folink GigabitEthernet3

Cisco recommends that the stateful failover link be dedicated. To achieve high availability you should also have redundant failover and stateful links.

The output of the show failover command is now extended with this information:

Stateful Failover Logical Update Statistics
        Link : folink GigabitEthernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         102        0          93         0
        sys cmd         93         0          93         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        L2BRIDGE Tbl    7          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   2          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       93
        Xmit Q:         0       2       103

Also note that from this point on, part of the configuration is replicated from the primary unit to the secondary unit.

Interface Configuration

Now that the failover and stateful configuration is done, we can go on with the configuration of the PROD context, which will be the virtual firewall for all production traffic.

Remember that the firewall is in transparent mode. That means the firewall will not be used as the default next hop by the hosts; it is just a Layer 2 hop.

As we have only one inside interface, we need subinterfaces to accomplish the configuration. The 802.1Q tag is used to determine on which subinterface the traffic should be processed.

Interfaces can only be created in the system context. The changeto system command sends us to that context to create the interfaces. The next step is to allocate these new interfaces to the right context:

interface GigabitEthernet1
!
interface GigabitEthernet1.100
 vlan 100
!
interface GigabitEthernet1.200
 vlan 200
!
context PROD
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet1.100
  allocate-interface GigabitEthernet1.200
  allocate-interface GigabitEthernet2

To check the topology, one thing we can do is create a BVI interface that represents a bridge-domain on the ASA. As the BVI can have an IP address, if the host in the corresponding VLAN is able to ping it, we know we also have Layer 2 connectivity.

To do this, we need to go to the corresponding context with the changeto context PROD command:

interface BVI1
 ip address 10.100.0.254 255.255.255.0
!
interface GigabitEthernet1.100
 nameif VLAN100
 bridge-group 1
 security-level 0
!
interface GigabitEthernet1.200
 nameif VLAN200
 bridge-group 2
 security-level 0

Now we can ping 10.100.0.254 from the host located in VLAN 100:

[Screenshot: successful ping of 10.100.0.254 from the VLAN 100 host; image not reproduced]

So now we know Layer 2 connectivity is fine, which is exactly what we need for the transparent services.

Also note that on the secondary box, the interfaces have been replicated automatically.

The next step is to configure the outside interface. The process is the same, except that the VLAN differs from the inside VLAN: configuring the same VLAN on two different interfaces could create Layer 2 loops.

The interfaces Gig2.10 and Gig2.20 are created in the system context, and their configuration into the existing bridge-groups is done in the PROD context:

ASA1# sh run
interface GigabitEthernet2
!
interface GigabitEthernet2.10
 vlan 10
!
interface GigabitEthernet2.20
 vlan 20
!
context PROD
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet1.100
  allocate-interface GigabitEthernet1.200
  allocate-interface GigabitEthernet2
  allocate-interface GigabitEthernet2.10
  allocate-interface GigabitEthernet2.20

ASA1/PROD# sh run
interface GigabitEthernet2.10
 nameif VLAN10
 bridge-group 1
 security-level 0
!
interface GigabitEthernet2.20
 nameif VLAN20
 bridge-group 2
 security-level 0

We can check the bridge-group configuration with the show bridge-group command:

ASA1/PROD# show bridge-group
Static mac-address entries:  0 (in use), 65535 (max)
Dynamic mac-address entries: 3 (in use), 65535 (max)

 Bridge Group: 2
 Interfaces:
 GigabitEthernet1.200
 GigabitEthernet2.20
ERROR: BVI interface for this bridge-group does not exist.

 Bridge Group: 1
 Interfaces:
 GigabitEthernet1.100
 GigabitEthernet2.10

 Management System IP Address:  10.100.0.254 255.255.255.0
 Management Current IP Address: 10.100.0.254 255.255.255.0
 Management IPv6 Global Unicast Address(es):
    N/A
 Static mac-address entries:  0
 Dynamic mac-address entries: 2

So now the inside and outside interfaces, G1.100 and G2.10 respectively, are in the same bridge-group although they are not in the same VLAN from the switch's perspective.
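The two conditions just seen, a bridge-group with no BVI (the ERROR in the show bridge-group output) and one VLAN tag on two members of the same bridge-group (the Layer 2 loop risk mentioned above), can be caught by linting the context configuration before it goes live. This is an added example, not code from the original post; the context config and the VLAN map are constructed from the values above, with GigabitEthernet2.20 deliberately left in VLAN 200.

```python
# Constructed sample modelled on the PROD context above; GigabitEthernet2.20 is
# deliberately in VLAN 200 (not 20) and bridge-group 2 has no BVI2.
SUBINTERFACE_VLANS = {"GigabitEthernet1.100": 100, "GigabitEthernet1.200": 200,
                      "GigabitEthernet2.10": 10, "GigabitEthernet2.20": 200}
PROD_CONFIG = """\
interface BVI1
 ip address 10.100.0.254 255.255.255.0
interface GigabitEthernet1.100
 nameif VLAN100
 bridge-group 1
interface GigabitEthernet2.10
 nameif VLAN10
 bridge-group 1
interface GigabitEthernet1.200
 nameif VLAN200
 bridge-group 2
interface GigabitEthernet2.20
 nameif VLAN20
 bridge-group 2
"""

def parse_interfaces(config):
    """Return {interface: {subcommand: argument}} from ASA-style config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return blocks

def lint_bridge_groups(context_config, subinterface_vlans):
    # Findings: a bridge-group with no BVI, or one VLAN on two of its members.
    ctx = parse_interfaces(context_config)
    groups = {}
    for name, cfg in ctx.items():
        if "bridge-group" in cfg:
            groups.setdefault(cfg["bridge-group"], []).append(name)
    findings = []
    for group, members in sorted(groups.items()):
        if f"BVI{group}" not in ctx:
            findings.append(f"bridge-group {group}: no BVI{group} interface")
        by_vlan = {}
        for member in members:
            by_vlan.setdefault(subinterface_vlans.get(member), []).append(member)
        for vlan, shared in by_vlan.items():
            if len(shared) > 1:
                findings.append(f"bridge-group {group}: VLAN {vlan} on {' and '.join(shared)} (Layer 2 loop risk)")
    return findings
```

On the sample, lint_bridge_groups reports both problems for bridge-group 2 and nothing for bridge-group 1; the VLAN map would normally be filled from the system context's vlan subcommands.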

We can now configure the real gateway of the hosts, which is located on R1 and R2 with HSRP. As said before, the VLANs we need to configure for this are VLAN 10 and 20:

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.100.0.2 255.255.255.0
 no cdp enable
 standby 0 ip 10.100.0.1
 standby 0 priority 200
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.200.0.2 255.255.255.0
 no cdp enable
 standby 1 ip 10.200.0.1
 standby 1 priority 200

Before testing the connectivity between the hosts and the gateway, it is a good idea to change the security level of the inside interfaces. Remember that by default the ASA allows traffic from an interface with a higher security level to one with a lower security level without an explicit rule, but you do need to explicitly permit the return traffic:

interface GigabitEthernet1.100
 nameif VLAN100
 bridge-group 1
 security-level 100
!
access-list VLAN100_access_in extended permit icmp any any
access-list VLAN10_access_in extended permit icmp any any

From now on, the host is able to ping its default gateway located on R1/R2, depending on the HSRP state.

The failover behaviour can now be tested by issuing the no failover active command on the primary unit while, for example, pinging the host from one of the routers:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (1520/1521), round-trip min/avg/max = 4/17/236 ms
