Tweet
Bùi Nguyễn Hoàng Long
I. Mô tả:
Context cho phép định nghĩa những Virtual Firewall trên một Physical Firewall, với mỗi Virtual Firewall có thể áp đặt chính sách riêng biệt như một Physical Firewall. Trong bài Lab này, sẽ dùng tính năng Context chọn đường đi cho hai mạng hai khác nhau.
· PC thuộc mạng 192.168.1.0/24 ra Internet qua GATEWAY_1
· PC thuộc mạng 192.168.2.0/24 ra Internet qua GATEWAY_2
Có thể kết hợp với tính năng track object để cung cấp thêm tính dự phòng
II. Cấu hình
Xác định mode
ASA(config)# mode multiple
Tạo context
ASA(config)# context CT01
Xác định file cấu hình của CT01
ASA(config-ctx)# config-url flash:/CT01.cfg
Gán cổng cho Context
ASA(config-ctx)# allocate-interface e0/0 e0
ASA(config-ctx)# allocate-interface e0/2 e1
ASA(config)# context CT02
WARNING: Could not fetch the URL disk0:/CT02.cfg
INFO: Creating context with default config
ASA(config-ctx)# allocate-interface e0/1 e0
Hai context dùng chung cổng e0/2 hay còn gọi là shared
ASA(config-ctx)# allocate-interface e0/2 e1
Khi cổng được shared cho hai context, sẽ sử chung một địa chỉ MAC, gây khó khăn cho việc phân loại gói vào context, với mac-address auto cho phép tự động định nghĩa địa chỉ MAC cho từng context cho sử dụng chung cổng shared
ASA(config)# mac-address auto
Cấu hình cho Context CT01
ASA(config)# changeto context CT01
ASA/CT01(config)#
ASA/CT01(config)# interface e0
ASA/CT01(config-if)# ip address 192.168.1.1 255.255.255.0
ASA/CT01(config-if)# nameif inside
ASA/CT01(config)# interface e1
ASA/CT01(config-if)# ip address 192.168.3.1 255.255.255.0
ASA/CT01(config-if)# nameif outside
ASA/CT01(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.3
ASA/CT01(config)# no nat-control
ASA/CT01(config)# access-list ICMP permit icmp any any echo
ASA/CT01(config)# access-group ICMP in interface outside
ASA/CT01(config)# dhcpd address 192.168.1.2-192.168.1.10 inside
ASA/CT01(config)# dhcpd dns 203.162.4.191
ASA/CT01(config)# dhcpd enable inside
Cấu hình cho context CT02
ASA(config)# changeto context CT02
ASA/CT02(config)# interface e0
ASA/CT02(config-if)# ip address 192.168.2.1 255.255.255.0
ASA/CT02(config-if)# nameif inside
ASA/CT02(config)# interface e1
ASA/CT02(config-if)# nameif outside
ASA/CT02(config-if)# ip address 192.168.3.2 255.255.255.0
ASA/CT02(config)# route outside 0 0 192.168.3.4
ASA/CT02(config)# no nat-control
ASA/CT02(config)# access-list ICMP permit icmp any any
ASA/CT02(config)# dhcpd address 192.168.2.2-192.168.2.10 inside
ASA/CT02(config)# dhcpd dns 203.162.4.191
ASA/CT02(config)# dhcpd enable inside
ASA/CT02(config)# access-group ICMP in interface outside
III. Cấu hình đầy đủ
SYSTEM
ASA Version 8.0(2) <system>
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context CT01
allocate-interface Ethernet0/0 e0
allocate-interface Ethernet0/2 e1
config-url disk0:/CT01.cfg
!
context CT02
allocate-interface Ethernet0/1 e0
allocate-interface Ethernet0/2 e1
config-url disk0:/CT02.cfg
!
prompt hostname context
Cryptochecksum:0939b993a0c691a483b24a01d7901707
: end
CT01
:
ASA Version 8.0(2) <context>
!
hostname CT01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface e1
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
dhcpd dns 203.162.4.191
dhcpd address 192.168.1.2-192.168.1.10 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
CT02
ASA Version 8.0(2) <context>
!
hostname CT02
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface e1
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.4 1
dhcpd dns 203.162.4.191
dhcpd address 192.168.2.2-192.168.2.10 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
GATEWAY_1
Building configuration...
Current configuration : 1266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname GATEWAY_1
!
interface FastEthernet0/0
ip address 192.168.3.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
GATEWAY_2
Current configuration : 888 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GATEWAY_2
!
!
interface FastEthernet0/0
ip address 192.168.3.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
IV. Kiểm tra
Trạng thái bảng định tuyến trên GATEWAY_1 và GATEWAY_2
GATEWAY_1# sh ip route static
S 192.168.1.0/24 [1/0] via 192.168.3.1
S 192.168.2.0/24 [1/0] via 192.168.3.2
S* 0.0.0.0/0 [254/0] via 10.215.219.254
GATEWAY_2# sh ip route static
S 192.168.1.0/24 [1/0] via 192.168.3.1
S 192.168.2.0/24 [1/0] via 192.168.3.2
S* 0.0.0.0/0 [254/0] via 10.215.219.254
PC thuộc mạng 192.168.1.0/24 dùng context CT01 khi ra ngoài Internet
GATEWAY_1# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.215.219.99:1024 192.168.1.2:1024 203.162.4.190:1024 203.162.4.190:1024
PC thuộc mạng 192.168.2.0/24 dùng context CT02 khi ra ngoài Internet
GATEWAY_2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.215.219.88:1024 192.168.2.2:1024 203.162.4.190:1024 203.162.4.190:1024
Cân bằng tải ASA với Context
Context cho phép định nghĩa những Virtual Firewall trên một Physical Firewall, với mỗi Virtual Firewall có thể áp đặt chính sách riêng biệt như một Physical Firewall. Trong bài Lab này, sẽ dùng tính năng Context chọn đường đi cho hai mạng hai khác nhau.
· PC thuộc mạng 192.168.1.0/24 ra Internet qua GATEWAY_1
· PC thuộc mạng 192.168.2.0/24 ra Internet qua GATEWAY_2
Có thể kết hợp với tính năng track object để cung cấp thêm tính dự phòng
II. Cấu hình
Xác định mode
ASA(config)# mode multiple
Tạo context
ASA(config)# context CT01
Xác định file cấu hình của CT01
ASA(config-ctx)# config-url flash:/CT01.cfg
Gán cổng cho Context
ASA(config-ctx)# allocate-interface e0/0 e0
ASA(config-ctx)# allocate-interface e0/2 e1
ASA(config)# context CT02
WARNING: Could not fetch the URL disk0:/CT02.cfg
INFO: Creating context with default config
ASA(config-ctx)# allocate-interface e0/1 e0
Hai context dùng chung cổng e0/2 hay còn gọi là shared
ASA(config-ctx)# allocate-interface e0/2 e1
Khi cổng được shared cho hai context, sẽ sử chung một địa chỉ MAC, gây khó khăn cho việc phân loại gói vào context, với mac-address auto cho phép tự động định nghĩa địa chỉ MAC cho từng context cho sử dụng chung cổng shared
ASA(config)# mac-address auto
Cấu hình cho Context CT01
ASA(config)# changeto context CT01
ASA/CT01(config)#
ASA/CT01(config)# interface e0
ASA/CT01(config-if)# ip address 192.168.1.1 255.255.255.0
ASA/CT01(config-if)# nameif inside
ASA/CT01(config)# interface e1
ASA/CT01(config-if)# ip address 192.168.3.1 255.255.255.0
ASA/CT01(config-if)# nameif outside
ASA/CT01(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.3
ASA/CT01(config)# no nat-control
ASA/CT01(config)# access-list ICMP permit icmp any any echo
ASA/CT01(config)# access-group ICMP in interface outside
ASA/CT01(config)# dhcpd address 192.168.1.2-192.168.1.10 inside
ASA/CT01(config)# dhcpd dns 203.162.4.191
ASA/CT01(config)# dhcpd enable inside
Cấu hình cho context CT02
ASA(config)# changeto context CT02
ASA/CT02(config)# interface e0
ASA/CT02(config-if)# ip address 192.168.2.1 255.255.255.0
ASA/CT02(config-if)# nameif inside
ASA/CT02(config)# interface e1
ASA/CT02(config-if)# nameif outside
ASA/CT02(config-if)# ip address 192.168.3.2 255.255.255.0
ASA/CT02(config)# route outside 0 0 192.168.3.4
ASA/CT02(config)# no nat-control
ASA/CT02(config)# access-list ICMP permit icmp any any
ASA/CT02(config)# dhcpd address 192.168.2.2-192.168.2.10 inside
ASA/CT02(config)# dhcpd dns 203.162.4.191
ASA/CT02(config)# dhcpd enable inside
ASA/CT02(config)# access-group ICMP in interface outside
III. Cấu hình đầy đủ
SYSTEM
ASA Version 8.0(2) <system>
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context CT01
allocate-interface Ethernet0/0 e0
allocate-interface Ethernet0/2 e1
config-url disk0:/CT01.cfg
!
context CT02
allocate-interface Ethernet0/1 e0
allocate-interface Ethernet0/2 e1
config-url disk0:/CT02.cfg
!
prompt hostname context
Cryptochecksum:0939b993a0c691a483b24a01d7901707
: end
CT01
:
ASA Version 8.0(2) <context>
!
hostname CT01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface e1
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
dhcpd dns 203.162.4.191
dhcpd address 192.168.1.2-192.168.1.10 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
CT02
ASA Version 8.0(2) <context>
!
hostname CT02
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface e1
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.4 1
dhcpd dns 203.162.4.191
dhcpd address 192.168.2.2-192.168.2.10 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
GATEWAY_1
Building configuration...
Current configuration : 1266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname GATEWAY_1
!
interface FastEthernet0/0
ip address 192.168.3.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
GATEWAY_2
Current configuration : 888 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GATEWAY_2
!
!
interface FastEthernet0/0
ip address 192.168.3.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
IV. Kiểm tra
Trạng thái bảng định tuyến trên GATEWAY_1 và GATEWAY_2
GATEWAY_1# sh ip route static
S 192.168.1.0/24 [1/0] via 192.168.3.1
S 192.168.2.0/24 [1/0] via 192.168.3.2
S* 0.0.0.0/0 [254/0] via 10.215.219.254
GATEWAY_2# sh ip route static
S 192.168.1.0/24 [1/0] via 192.168.3.1
S 192.168.2.0/24 [1/0] via 192.168.3.2
S* 0.0.0.0/0 [254/0] via 10.215.219.254
PC thuộc mạng 192.168.1.0/24 dùng context CT01 khi ra ngoài Internet
GATEWAY_1# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.215.219.99:1024 192.168.1.2:1024 203.162.4.190:1024 203.162.4.190:1024
PC thuộc mạng 192.168.2.0/24 dùng context CT02 khi ra ngoài Internet
GATEWAY_2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.215.219.88:1024 192.168.2.2:1024 203.162.4.190:1024 203.162.4.190:1024