Cisco PIX. Upgrade-Workshop PixOS 7. Dipl.-Ing. Karsten Iwen CCIE #14602 (Seccurity)

Transcription

1 Cisco PIX Upgrade-Workshop PixOS 7

2 Agenda Basics Access-Control Inspections Transparent Firewalls Virtual Firewalls Failover VPNs

3 Sec. 4-1 P. 135 Virtual firewalls are logical firewallinstances which can be controlled individually. Each virtual firewall can have dedicated interfaces, or it can share interfaces with other Virtual Firewalls. For PixOS 7.0 and 7.1, all virtual firewalls share the system-resources, Resource-Management is supported in PixOS 7.2

4 A virtual firewall is named Security- Context on PixOS 7 Two modes: Single-context-mode Multiple-context-mode virtual firewalls have to be licensed: pix7ws# show version Cisco PIX Security Appliance Software Version 7.0(2)... Security Contexts : 2

5 In multiple-context-mode, the firewall has three logical components: System execution space The system itself is controlled here Administrative Context A virtual firewall from which the physical firewall is managed User Context These are the real virtual instances

6 Restrictions: no VPN no Multicast no Routing-protocols

7 Example of configuring multiplecontext-mode: Two virtual firewalls have to be configured Context 1 uses Ethernet 2 as inside interface Context 2 uses Ethernet 3 as inside interface both virtual firewalls share one physical outside interface

8 The firewall runs in single-contextmode by default: pix7ws# show mode Security context mode: single and is licensed for multiple-contextmode: pix7ws# show activation-key Serial Number: Running Activation Key: 0x9f1ac8ed 0xffe5e215 0x67aab511 0x7a23bdc3 Licensed features for this platform: Security Contexts : 2

9 The mode has to be switched to multiple-context-mode: pix7ws(config)# mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm] Convert the system configuration? [confirm]! The old running configuration file will be written to flash The admin context configuration will be written to flash The new running configuration file was written to flash Security context mode: multiple *** *** --- SHUTDOWN NOW ---

10 Creating context 'system'... Done. (0) Creating context 'null'... Done. (257) Creating context 'admin'... Done. (1) pix7ws# show mode Security context mode: multiple

11 The running config is changed significantly: pix7ws# show running-config : Saved : PIX Version 7.0(2) <system>! interface Ethernet0! interface Ethernet1 speed 100 duplex full!

12 admin-context admin context admin allocate-interface Ethernet0 allocate-interface Ethernet1 allocate-interface Ethernet2 allocate-interface Ethernet3 config-url flash:/admin.cfg the command mode multiple is not visible in the config!

13 the old running-config is backed up for switching back to single-contextmode: pix7ws# show flash: Directory of flash:/ 6 -rw :24:07 Aug downgrade.cfg 9 -rw :25:07 Aug image.bin 12 -rw :25:32 Aug asdm-502.bin 13 -rw :30:08 Aug old_running.cfg 14 -rw :30:08 Aug admin.cfg

14 A new context has to be defined from the system execution space: pix7ws# pix7ws# show context Context Name Interfaces URL *admin Ethernet0,Ethernet1, flash:/admin.cfg Ethernet2,Ethernet3 Total active Security Contexts: 1

15 The contexts are created: pix7ws(config)# context Cust1 Creating context 'Cust1'... Done. (2) pix7ws(config-ctx)# exit pix7ws(config)# context Cust2 Creating context 'Cust2'... Done. (3) pix7ws(config-ctx)#

16 Now we have the system-executionspace, the admin-context and two usercontexts: pix7ws(config-ctx)# show context Context Name Interfaces URL *admin Ethernet0,Ethernet1, flash:/admin.cfg Ethernet2,Ethernet3 Cust1 (not entered) Cust2 (not entered) Total active Security Contexts: 3

17 Each virtual firewall gets two interfaces: pix7ws(config)# context Cust1 pix7ws(config-ctx)# allocate-interface Ethernet2 pix7ws(config-ctx)# allocate-interface Ethernet0 pix7ws(config-ctx)# pix7ws(config-ctx)# context Cust2 pix7ws(config-ctx)# allocate-interface Ethernet3 pix7ws(config-ctx)# allocate-interface Ethernet0 pix7ws(config-ctx)# pix7ws(config-ctx)# context admin pix7ws(config-ctx)# no allocate-interface Ethernet2 pix7ws(config-ctx)# no allocate-interface Ethernet3

18 Now we have one dedicated and one shared interface per user-context : pix7ws(config-ctx)# show context Context Name Interfaces URL *admin Ethernet0,Ethernet1 flash:/admin.cfg Cust1 Ethernet0,Ethernet2 (not entered) Cust2 Ethernet0,Ethernet3 (not entered) Total active Security Contexts: 3

19 Each context has its own startup-config, the location of it has to be specified: pix7ws(config-ctx)# config-url? context mode commands/options: flash: A URL beginning with this prefix for the context's config (file need not exist) ftp: A URL beginning with this prefix for the context's config (file need not exist) http: A URL beginning with this prefix for the context's config (file need not exist) https: A URL beginning with this prefix for the context's config (file need not exist) tftp: A URL beginning with this prefix for

20 We use the flash for storing the startupconfig: pix7ws(config-ctx)# context Cust1 pix7ws(config-ctx)# config-url flash:/cust1.cfg WARNING: Could not fetch the URL flash:/cust1.cfg INFO: Creating context with default config pix7ws(config-ctx)# pix7ws(config-ctx)# context Cust2 pix7ws(config-ctx)# config-url flash:/cust2.cfg WARNING: Could not fetch the URL flash:/cust2.cfg INFO: Creating context with default config pix7ws(config-ctx)#

21 We use the flash for storing the startupconfig: pix7ws(config-ctx)# show context Context Name Interfaces URL *admin Ethernet0,Ethernet1 flash:/admin.cfg Cust1 Ethernet0,Ethernet2 flash:/cust1.cfg Cust2 Ethernet0,Ethernet3 flash:/cust2.cfg Total active Security Contexts: 3 pix7ws(config-ctx)#

22 The firewall needs an admin-context, but that s admin by default pix7ws(config)# admin-context? configure mode commands/options: WORD Name of administrative context pix7ws(config)# admin-context admin

23 Now we can change to the virtual firewalls and look at the config: pix7ws/admin# changeto context Cust1 pix7ws/cust1# show running-config : Saved PIX Version 7.0(2) <context> names! interface Ethernet2 no nameif no security-level no ip address! interface Ethernet0 no nameif no security-level no ip address

24 As this firewall is unconfigured we have to specify some basic settings: pix7ws/cust1# configure terminal pix7ws/cust1(config)# interface ethernet 2 pix7ws/cust1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. pix7ws/cust1(config-if)# ip address pix7ws/cust1(config-if)# pix7ws/cust1(config-if)# interface ethernet 0 pix7ws/cust1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. pix7ws/cust1(config-if)# ip address pix7ws/cust1(config-if)#

25 As a context is a complete firewall it also needs ACLs, translations, routes, passwords, etc. After configuring you also have to save your config! pix7ws/cust1# pix7ws/cust1# copy running-config startup-config Source filename [running-config]? Cryptochecksum: a ea 4e0d2c26

26 The same is done for the virtual firewall Cust2 : pix7ws/cust1# changeto context Cust2 pix7ws/cust2# configure terminal pix7ws/cust2(config)# interface Ethernet 3 pix7ws/cust2(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. pix7ws/cust2(config-if)# ip address pix7ws/cust2(config-if)# pix7ws/cust2(config)# interface Ethernet 0 pix7ws/cust2(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. pix7ws/cust2(config-if)# ip address pix7ws/cust2(config-if)# exit pix7ws/cust2(config)# write Building configuration... Cryptochecksum: eaeb2961 0f010fda a c

27 The virtual firewalls can be monitored: pix7ws(config)# show context detail Cust2 Context "Cust2", has been created, but crypto destroyed Config URL: flash:/cust2.cfg Real Interfaces: Ethernet0, Ethernet3 Mapped Interfaces: Ethernet0, Ethernet3 Flags: 0x , ID: 3 pix7ws(config)# pix7ws(config)# show cpu usage context Cust2 CPU utilization for 5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%