
Virtual Firewalls in ASA

Let's consider a company with several departments (accounting, engineering, etc.), each with its own internal administrator who requires administrative control of the company's local firewall. It would be troublesome if the local network engineer had to create a privilege 15 administrator account for each internal administrator. The worst case is that those admin accounts could alter the policy, ACLs or NAT of another department.

The solution that supports this requirement is to implement a multiple mode virtual firewall in ASA. Multiple mode divides the physical firewall into two (2) or more logical firewalls, each called a context. By doing this, we can create multiple administrator accounts, each isolated to its own department and unable to cross into another department's boundaries. This separates the policies for each department and simplifies administration for the local engineer.

Let's use this diagram and the assignments to continue this topic.

It is fairly easy to achieve this solution. If you are ready, let's start.

By default, ASA is in single mode. It first needs to be converted from single mode to multiple mode. After conversion, the firewall creates a system config that contains the context definitions, each of which represents a virtual firewall. Information such as ACLs, IP addresses and NAT is not reflected in the system config.

The running configuration from the unconverted (single) mode is saved to flash under the new name old_running.cfg, and admin.cfg is created; admin.cfg is the configuration of the admin context (logical firewall) and holds the relevant config such as IP addresses, nameif, security levels, ACLs, NAT, routes, etc.

Note: It is advisable to back up your running configuration before proceeding with the steps below.

Verify which mode your firewall is currently in by issuing the command show mode.

To change to multiple mode, go to global configuration mode and type mode multiple. Confirming this action saves the running configuration to flash under the filename old_running.cfg. As I said before, the firewall will also create the admin context configuration, admin.cfg.

The system will force a reboot for the changes to take place.

During the reboot, the ASA creates a system config that contains only information such as the interfaces, the contexts, the interface allocation and the config URL. Allocation refers to the interface ports assigned to a context; by default, all configured and unshut interfaces are assigned to the admin context. The config-url, on the other hand, shows the location of the running config of the context.

To check the configuration of the admin context, issue the command changeto context admin. This logically brings you into the running config of the admin context. You will notice that the prompt now includes the context name, as shown.
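The conversion and verification steps above, written out as a constructed ASA CLI session (this is an added example, not a capture from the original post; the hostname ASA, the interface numbers and the backup filename are assumptions):

```text
! --- Single mode: back up the current configuration first (filename assumed) ---
ASA# copy running-config disk0:/single-mode-backup.cfg

! --- Check the current security context mode ---
ASA# show mode
Security context mode: single

! --- Convert to multiple mode from global configuration mode ---
ASA# configure terminal
ASA(config)# mode multiple
! The ASA asks you to confirm the mode change and the conversion of the
! existing configuration, then reboots:
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

! --- After the reboot: the prompt now belongs to the system execution space ---
ASA# show mode
Security context mode: multiple

! The old single-mode running config and the new admin context config are on flash
ASA# dir disk0:
!   ... old_running.cfg
!   ... admin.cfg

! List the contexts; the asterisk marks the admin context. Interfaces shown are assumed.
ASA# show context
Context Name      Class      Interfaces           Mode         URL
*admin            default    GigabitEthernet0/0,  Routed       disk0:/admin.cfg
                             GigabitEthernet0/1

! Move into the admin context: the prompt gains "/admin" and the running
! config now shows nameif, security-level, ip address, ACLs, NAT, routes, etc.
ASA# changeto context admin
ASA/admin# show running-config

! Return to the system execution space
ASA/admin# changeto system
ASA#
```

A quick check worth doing before moving on: in the system execution space, show running-config should contain only interface, class, context, allocate-interface, config-url and admin-context lines. If you see ACLs, NAT or IP addresses there, you are not in the system space but inside a context.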

The admin.cfg shows all the IP addresses, nameif, security levels, policies, etc., and by observation this is the running configuration of the virtual firewall. In order to define virtual firewalls matching the diagram, we need to work in the system config and allocate the specific interfaces belonging to each department.

Let's name the context for Engineering ENGINEERING and the one for the Accounting department ACCOUNTING. We will also allow 5 concurrent users each for ASDM, SSH and Telnet in each department.

Since we are currently in the admin context, we need to return to the system config by issuing changeto system at the command line.

We will create the classes ENGINEERINGUSERS and ACCOUNTINGUSERS, each with the respective access limits on its virtual firewall, as shown below.

Resources, allocation and config-url are now defined specifically for each department.

Now we are ready to assign the IP addresses allocated to each department. To access a virtual firewall, use the command changeto context ENGINEERING for the Engineering department and changeto context ACCOUNTING for the Accounting department; each brings you into the running config of the virtual firewall you are connecting to.
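The class, context and per-context configuration described in the preceding paragraphs, as one constructed ASA configuration (an added example, not the original post's configuration; the diagram is not on the page, so the interface and sub-interface numbers, VLAN IDs, IP addresses, mapped interface names, the eng-admin username and the password placeholder are all assumptions):

```text
! ================= System execution space =================
ASA/admin# changeto system
ASA# configure terminal

! Each department gets its own pair of sub-interfaces (assumed layout), so no
! interface is shared between contexts. Sub-interfaces are created here, in
! the system config, not inside the context.
ASA(config)# interface GigabitEthernet0/0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet0/0.10
ASA(config-if)# vlan 10
ASA(config-if)# interface GigabitEthernet0/0.20
ASA(config-if)# vlan 20
ASA(config-if)# interface GigabitEthernet0/1
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet0/1.10
ASA(config-if)# vlan 10
ASA(config-if)# interface GigabitEthernet0/1.20
ASA(config-if)# vlan 20

! Resource classes: 5 concurrent ASDM, SSH and Telnet sessions per department.
ASA(config)# class ENGINEERINGUSERS
ASA(config-class)# limit-resource asdm 5
ASA(config-class)# limit-resource ssh 5
ASA(config-class)# limit-resource telnet 5
ASA(config-class)# class ACCOUNTINGUSERS
ASA(config-class)# limit-resource asdm 5
ASA(config-class)# limit-resource ssh 5
ASA(config-class)# limit-resource telnet 5

! Contexts: class membership, interface allocation, and the config-url last.
! The optional mapped names (eng_outside, eng_inside, ...) are what the
! department admin sees inside the context instead of the physical interface ID.
ASA(config)# context ENGINEERING
ASA(config-ctx)# description Engineering department virtual firewall
ASA(config-ctx)# member ENGINEERINGUSERS
ASA(config-ctx)# allocate-interface GigabitEthernet0/0.10 eng_outside
ASA(config-ctx)# allocate-interface GigabitEthernet0/1.10 eng_inside
ASA(config-ctx)# config-url disk0:/ENGINEERING.cfg

ASA(config)# context ACCOUNTING
ASA(config-ctx)# description Accounting department virtual firewall
ASA(config-ctx)# member ACCOUNTINGUSERS
ASA(config-ctx)# allocate-interface GigabitEthernet0/0.20 acct_outside
ASA(config-ctx)# allocate-interface GigabitEthernet0/1.20 acct_inside
ASA(config-ctx)# config-url disk0:/ACCOUNTING.cfg
ASA(config-ctx)# end
ASA# write memory

! Verify what each department was given before handing it over.
ASA# show context
ASA# show resource allocation
ASA# show resource usage context ENGINEERING

! ================= Inside the ENGINEERING context =================
! Addresses, the department's own admin account and management access all
! live here, in ENGINEERING.cfg, and are invisible from the ACCOUNTING context.
ASA# changeto context ENGINEERING
ASA/ENGINEERING# configure terminal
ASA/ENGINEERING(config)# interface eng_outside
ASA/ENGINEERING(config-if)# nameif outside
ASA/ENGINEERING(config-if)# security-level 0
ASA/ENGINEERING(config-if)# ip address 203.0.113.2 255.255.255.0
ASA/ENGINEERING(config-if)# interface eng_inside
ASA/ENGINEERING(config-if)# nameif inside
ASA/ENGINEERING(config-if)# security-level 100
ASA/ENGINEERING(config-if)# ip address 10.10.10.1 255.255.255.0

! Department administrator (privilege 15) that exists only in this context.
ASA/ENGINEERING(config)# username eng-admin password <ENG-ADMIN-PASSWORD> privilege 15
ASA/ENGINEERING(config)# aaa authentication ssh console LOCAL
ASA/ENGINEERING(config)# aaa authentication http console LOCAL
ASA/ENGINEERING(config)# ssh 10.10.10.0 255.255.255.0 inside
ASA/ENGINEERING(config)# http server enable
ASA/ENGINEERING(config)# http 10.10.10.0 255.255.255.0 inside
ASA/ENGINEERING(config)# end
! "write memory" inside a context saves to that context's config-url.
ASA/ENGINEERING# write memory

! The ACCOUNTING context is configured the same way after
! "changeto context ACCOUNTING", using acct_outside / acct_inside.
```

Two points on the design. First, config-url is deliberately the last line of each context definition: the ASA loads the context configuration from that URL as soon as the command is entered, so class membership and interface allocation should already be in place. Second, the isolation the post is after comes from where the department account is defined: a user who logs in directly to the ENGINEERING context with eng-admin has privilege 15 only within that context and cannot use changeto to reach the system space or another context; only logins to the system execution space or the admin context can switch contexts, so those credentials stay with the local network engineer.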
