Author: Ben
Preface
Recently many readers have asked us about firewall configuration and hoped for a detailed explanation of the two newest firewall features: Virtual Firewall (Security Contexts) and Transparent Firewall (Layer 2 Firewall). To meet those expectations, this document walks every engineer and information manager through some of the most useful functions of the Cisco ASA as it is used in industry today.
In addition, recent issues of NetAdmin have reported extensively on information security and UTM, which shows that the demand for network security is increasing. The Cisco ASA 5500 is positioned squarely as a Unified Threat Management platform, which is why we chose the ASA to introduce the UTM concept.
Equipment:

Software and kernel:
Essential knowledge:
About virtual firewall and transparent firewall
Virtual Firewall or Security Contexts:
In general, users have had to purchase several physical firewalls to meet the needs of different environments. The Virtual Firewall feature instead lets one appliance present several virtual firewalls, each equivalent to a physical one, so that an enterprise can deploy, control and monitor a large number of firewalls with much less effort.
Transparent or Layer 2 Firewall:
An ordinary firewall has at least two interfaces, and each of them must be given an IP address so that packets can pass through the firewall from one interface to the other. The firewall is then in Routed mode. For an Internet Service Provider, however, deploying ten or more such firewalls in a large network composed of hundreds of thousands of routers would not only cause a great deal of trouble in the routing configuration but would also force re-addressing and risk routing loops across the whole IP addressing architecture.
For example, to deploy a routed-mode firewall between router A and router B, we have to re-configure the routers' IP addresses to accommodate the firewall's addresses, and the firewall itself has to support the routing protocols in use, such as RIP, OSPF and BGP. This is very troublesome. The Transparent Firewall feature instead lets us insert a firewall between routers without touching the IP addressing at all: the firewall bridges traffic between its two interfaces and filters it on the way through, which is why it is also called a Layer 2 Firewall.
Generally speaking, the advanced firewalls from vendors such as Cisco and Juniper already support these features. Cisco PIX/ASA software 7.0 and later supports both Virtual Firewall and Transparent Firewall.
How to configure Virtual Firewall (Security Contexts)
Before explaining the Virtual Firewall configuration, some terminology needs to be understood:
| Terminology | Explanation |
|---|---|
| Context | In ASA/PIX Virtual Firewall mode, each virtual firewall is a context. |
| System context (system execution space) | Used to define the contexts and to assign resources to each virtual firewall, e.g. interfaces and CPU, so that one context cannot overload the appliance. It gives the firewall administrator centralized, hierarchical management, but it has no network interfaces of its own and is not itself a firewall. |
| Administration context (admin-context) | A normal virtual firewall in every respect, except that a user who logs in to it has system administrator rights and can change to the system execution space and to every other context. Management access to this context therefore needs to be restricted as tightly as access to the physical appliance. |
| User context | Used to configure the virtual firewall itself; its administrator has no permission over the physical firewall or over other contexts. |
Next, run ‘show version’ in EXEC mode to see how many contexts this ASA/PIX is licensed for. In the following example the maximum is five contexts.

In the August issue of NetAdmin we introduced ASA/PIX initialization. The default firewall mode is Single, so we need a few commands to change it. In EXEC mode, run ‘show mode’ to see whether the appliance is in Single Mode or Multiple Mode.
To change the mode, enter Configuration Mode and run the mode command. The following example shows the change from Single to Multiple. After confirming twice, the ASA/PIX must be rebooted for the change to take effect.

After the reboot, EXEC mode shows Multiple Mode.

How to configure Transparent Firewall
Configuring Transparent Firewall is also very easy, and the ASA platform lets Transparent and Virtual Firewall coexist. Note, however, that the existing context configurations are not usable in Transparent mode: when Transparent Firewall is enabled, all contexts are removed, so each Virtual Firewall context has to be added again after the change. Changing the mode between Transparent and Routed takes effect without rebooting the firewall.
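The sequence described above, as an added example rather than the article's own screenshots: checking the context licence and the current modes, switching to multiple context mode, and then enabling transparent mode from the system execution space. The hostname, the prompts and the quoted device output are illustrative of ASA 7.x behaviour and are not taken from the page; the licence figure of five contexts is the article's own.

```text
! 1) Privileged EXEC: how many contexts are licensed, and which modes are active.
asa# show version | include Contexts
asa# show mode
Security context mode: single
asa# show firewall
Firewall mode: Router

! 2) Global configuration: change to multiple context mode. The running
!    configuration is converted into a system configuration plus the file
!    disk0:/admin.cfg for the admin context, a copy of the old configuration
!    is kept as old_running.cfg, and the appliance reloads. Back up first.
asa# configure terminal
asa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
! ... reload ...
asa# show mode
Security context mode: multiple

! 3) Still in the system execution space (the prompt has no /context suffix):
!    switch to transparent mode. On 7.x this is one system-wide setting; it
!    erases the context definitions in the system configuration, so admin and
!    every user context must be re-created afterwards. No reload is needed.
asa# configure terminal
asa(config)# firewall transparent
asa(config)# show firewall
Firewall mode: Transparent
asa(config)# show context
```

The check worth doing before step 3 is `show context` followed by a copy of each context's config file off the box: the mode change deletes the context definitions, and a context file written for routed mode will not load cleanly into a transparent context anyway.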

Establish several Transparent Firewalls
Now the ASA 5510 is in Virtual and Transparent mode. Next we will establish several virtual Transparent Firewalls. First, we need to set up an IP address so that ASDM can be used to configure the ASA 5510.

Run ‘show context’ in EXEC mode to see whether any contexts exist. At this point there are none.

Before a general virtual firewall can be established, the admin-context must exist. So we establish one admin-context named ‘admin’ and five virtual Transparent Firewalls named ‘geego1’, ‘geego2’, ‘geego3’, ‘geego4’ and ‘geego5’.


Each virtual firewall needs its own independent configuration, but before we can build each one we have to assign interfaces to it. The firewall is now in Transparent and Virtual mode. Within the limits of its physical interfaces, the ASA/PIX supports 802.1Q, and this unit can be configured with 25 VLANs. We will establish 12 VLANs with VLAN IDs 6, 10, 20, 30, 40, 50, 66, 100, 200, 300, 400 and 500: VLAN 6 and VLAN 66 are the external and internal VLANs of admin, VLAN 10 and VLAN 100 are the external and internal VLANs of geego1, and the remaining contexts follow the same pattern (20/200 for geego2 up to 50/500 for geego5). So we have to establish the corresponding VLAN subinterfaces on the ASA platform.

Then assign the matching VLAN ID to each VLAN subinterface, so that Ethernet 0/3 exchanges 802.1Q-tagged traffic with the switch.

Next, two steps remain: 1) establish the configuration of each virtual firewall; 2) allocate the VLAN interfaces just created to each virtual firewall.

Although we have configured each context's definition and location, these configurations do not yet exist on the storage device ‘disk0:’, so the files have to be created. Taking geego1 as an example, from the system context we first run ‘changeto context
Configure the other contexts in the same way.

Next, we map every VLAN interface to its VLAN ID and then allocate the interfaces to each context.


Now let us see how to change to the system context or to another context from the command line. Here we take the admin context as the example.

After entering the admin context, we can see the allocated interfaces in the admin context's configuration.

At this point the configuration of each virtual Transparent Firewall is finished.
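The whole build described in this section, as an added example rather than the article's own screenshots: the VLAN subinterfaces in the system execution space, the admin context and one user context with their interface allocation and config-url, and then the transparent-mode configuration of that user context saved to disk0:. The context names and VLAN IDs are the article's; the mapped interface names (ext, int), the file names and the management address 192.0.2.2 are assumptions, and the syntax is the 7.x form (the management address is a global `ip address`, not an interface address).

```text
! --- System execution space: trunk subinterfaces, one per VLAN ---
! The parent port must be enabled; every subinterface rides on it.
asa(config)# interface Ethernet0/3
asa(config-if)# no shutdown
asa(config-if)# interface Ethernet0/3.6
asa(config-subif)# vlan 6
asa(config-subif)# interface Ethernet0/3.66
asa(config-subif)# vlan 66
asa(config-subif)# interface Ethernet0/3.10
asa(config-subif)# vlan 10
asa(config-subif)# interface Ethernet0/3.100
asa(config-subif)# vlan 100
! ... the same for 20/200, 30/300, 40/400 and 50/500

! --- System execution space: contexts ---
! The admin context must be defined first. Allocating with mapped names
! (ext, int) means a context administrator never sees the physical
! interface names or the VLAN numbering of the other contexts.
asa(config)# admin-context admin
asa(config)# context admin
asa(config-ctx)# allocate-interface Ethernet0/3.6 ext
asa(config-ctx)# allocate-interface Ethernet0/3.66 int
asa(config-ctx)# config-url disk0:/admin.cfg

! config-url names a file that does not exist yet; the ASA warns that it
! cannot fetch it and starts the context with a default configuration.
asa(config)# context geego1
asa(config-ctx)# allocate-interface Ethernet0/3.10 ext
asa(config-ctx)# allocate-interface Ethernet0/3.100 int
asa(config-ctx)# config-url disk0:/geego1.cfg
! ... geego2 to geego5 follow the same pattern
asa(config)# end
asa# show context

! --- Inside one user context: the transparent firewall itself ---
! 'changeto' is available from the system space and the admin context only.
! Transparent mode on 7.x allows exactly two named interfaces per context,
! and the management address is a single global address that must belong
! to the subnet bridged by the context, not an address on an interface.
asa# changeto context geego1
asa/geego1# configure terminal
asa/geego1(config)# interface ext
asa/geego1(config-if)# nameif outside
asa/geego1(config-if)# security-level 0
asa/geego1(config-if)# interface int
asa/geego1(config-if)# nameif inside
asa/geego1(config-if)# security-level 100
asa/geego1(config-if)# exit
asa/geego1(config)# ip address 192.0.2.2 255.255.255.0
asa/geego1(config)# end
! Saving from inside the context is what creates disk0:/geego1.cfg; until
! then the file named in config-url does not exist on flash.
asa/geego1# write memory
asa/geego1# changeto system
asa#
```

Two points a practitioner should take from this layout. An administrator of geego1 sees only ext and int and cannot reach the system space, so delegating a context is safe; but anyone who can log in to the admin context can `changeto system` and redefine every context, so the ssh/http management access written into admin.cfg deserves the same restrictions as console access to the chassis. And because each context bridges its ext VLAN to its int VLAN, hosts on VLAN 10 and VLAN 100 share one IP subnet while every packet between them crosses geego1; the physical VLANs must stay separate on the switch for that to hold.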
How to configure switch
The switch port connected to the firewall must be configured as an 802.1Q trunk. On a Cisco switch, first create all the VLAN IDs that were defined on the firewall, then enter the port configuration interface and enable 802.1Q.

Run ‘vlan database’ in privileged EXEC mode to enter the VLAN configuration prompt and create the necessary VLANs.

Run ‘show vlan brief’ to see the VLANs just created.

Then enter the port configuration prompt and enable 802.1Q trunking.

Finally, connect the switch and the firewall with an Ethernet cable.
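The switch side of the procedure above, as an added example that is not the article's screenshot. The VLAN IDs are the article's; the switch port FastEthernet0/24, the VLAN names and the unused native VLAN 999 are assumptions. The VLAN-database commands are the older form the article uses; on current IOS the same VLANs are created with `vlan <id>` in global configuration mode.

```text
! Create the VLANs (VLAN database mode; 'exit' applies the changes).
Switch# vlan database
Switch(vlan)# vlan 6 name admin-ext
Switch(vlan)# vlan 66 name admin-int
Switch(vlan)# vlan 10 name geego1-ext
Switch(vlan)# vlan 100 name geego1-int
Switch(vlan)# vlan 20 name geego2-ext
Switch(vlan)# vlan 200 name geego2-int
Switch(vlan)# vlan 30 name geego3-ext
Switch(vlan)# vlan 300 name geego3-int
Switch(vlan)# vlan 40 name geego4-ext
Switch(vlan)# vlan 400 name geego4-int
Switch(vlan)# vlan 50 name geego5-ext
Switch(vlan)# vlan 500 name geego5-int
Switch(vlan)# exit
Switch# show vlan brief

! The port facing ASA Ethernet0/3: a static 802.1Q trunk that carries only
! the firewall VLANs, with DTP off (the ASA does not negotiate trunks) and
! an unused native VLAN so that untagged frames cannot reach any context.
Switch# configure terminal
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 6,66,10,100,20,200,30,300,40,400,50,500
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show interfaces FastEthernet0/24 trunk
```

Omit `switchport trunk encapsulation dot1q` on switch models that only support 802.1Q; they reject the command. The check that matters after cabling is `show interfaces FastEthernet0/24 trunk`: the port must show as trunking with exactly the twelve VLANs active. One caveat on the switch itself: never give the switch an SVI on both VLANs of one pair (for example VLAN 10 and VLAN 100), because a routed interface on each side would let traffic cross between them on the switch and bypass the transparent firewall entirely.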
Conclusion
This document has introduced the ASA Virtual and Transparent Firewall. In the next issue, building on the configuration in this document, we will implement some interesting ASA functions that turn it into a true UTM. To give us more opportunities to interact with readers, we will also hold a technical document conference on the evening of October 17th (Tue.), where we can discuss related techniques face to face. Because seating is limited, readers should call 0800-296-296 to register. For any other questions about techniques or configuration, please feel free to discuss them with us.