Limitations of Virtual Firewall

Before delving into the details of configuring and troubleshooting the Virtual Firewall, it is important to understand some limitations of the multiple-context implementation:

  • Transparent Firewall in Multiple Contexts: In routed mode, the classifier assigns a packet to a context by its source interface (VLAN) or, when the interface is shared, by its destination IP address, which it learns from the address translations configured in each context. It is therefore possible to share the same VLAN across multiple contexts with the help of NAT. In transparent mode, NAT cannot be configured, so classification is based only on the source VLAN, and the same VLAN cannot be shared across multiple contexts.

  • NAT Zero Access List and Shared Interfaces in Routed Mode: On the PIX Firewall, you can configure nat 0 access-list (identity NAT) to bypass translation for the traffic matched by the ACL. Because no translation is created, the classifier has no per-context destination address to match on; if the interface is shared, the packet cannot be assigned to the correct context and communication fails.

  • Hosts on Shared Interfaces Cannot Initiate Outbound Connections: If you share the inside VLAN among multiple contexts, outbound connections fail unless a translation for the destination address is configured, because that translation is the only way the classifier can assign the packet to a context. Outbound traffic is usually Internet-bound, and configuring a translation for every possible destination is not practical. Therefore, it is strongly recommended not to share the inside VLAN among multiple contexts.

Configuration Steps

Figure 3-9 shows a two-context deployment of the PIX firewall.

Figure 3-9. Two Context Deployment of the PIX Firewall


Work through the following steps to configure multiple contexts on the PIX firewall based on Figure 3-9:



1.
Change the mode of operation from single to multiple with the following command. Note that this reboots the firewall:

PIX(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
. . . . . .

After the PIX reboots, execute the following show command and confirm that the security context mode is multiple:

PIX# show mode
Security context mode: multiple
PIX#

After the PIX is converted to multiple-context mode, logging in places you in the system execution space (the system context). From here you create and manage the other contexts. The context admin is created by default, which can be verified with the following command:

PIX# show running-config context admin
context admin
config-url flash:/admin.cfg
!
PIX#

2.
Configure interfaces.

You need to configure all interfaces in the system context before they can be allocated to user security contexts. For this setup, both the inside and outside interfaces are configured as trunks, carrying VLAN 10 and 20 on the inside and VLAN 30 and 40 on the outside. The physical interface is brought up with no shutdown, and a subinterface is created per VLAN. For the outside interface, configure the PIX in the system context as follows:

PIX(config)# interface Ethernet0
PIX(config-if)# speed auto
PIX(config-if)# duplex auto
PIX(config-if)# no shutdown
PIX(config-if)# interface Ethernet0.30
PIX(config-subif)# vlan 30
PIX(config-subif)# interface Ethernet0.40
PIX(config-subif)# vlan 40

Similarly, configure the inside interface for VLAN 10 and 20 as follows (both subinterfaces belong to Ethernet1):

PIX(config)# interface Ethernet1
PIX(config-if)# speed auto
PIX(config-if)# duplex auto
PIX(config-if)# no shutdown
PIX(config-if)# interface Ethernet1.10
PIX(config-subif)# vlan 10
PIX(config-subif)# interface Ethernet1.20
PIX(config-subif)# vlan 20
PIX(config-subif)#



3.
Create contexts.

From the system context, you can create new contexts and change which context holds the admin role. The admin role can only be given to a context that already exists, so first create the context you want to designate as admin. For instance, to configure contexts ctx1 and ctx2 with ctx1 as the admin context, create the two contexts as follows:

PIX(config)# context ctx1
PIX(config-ctx)# config-url flash:/ctx1.cfg
PIX(config)# context ctx2
PIX(config-ctx)# config-url flash:/ctx2.cfg
PIX(config-ctx)#

Now assign the admin context role to ctx1 context as follows:

PIX(config)# admin-context ctx1

Finally, remove the default admin context, which is no longer needed now that ctx1 holds the admin role:

PIX(config)# no context admin

Verify the contexts you have just created:

PIX# show context
Context Name      Interfaces      URL
*ctx1                             flash:/ctx1.cfg
 ctx2                             flash:/ctx2.cfg

Total active Security Contexts: 2
PIX#

4.
Associate interfaces to the contexts.

You need to allocate interfaces from the system context to each user context with the allocate-interface command. For example, to allocate Ethernet0.30 and Ethernet1.10 to ctx1, use the following commands:

PIX(config)# context ctx1
PIX(config-ctx)# allocate-interface Ethernet0.30
PIX(config-ctx)# allocate-interface Ethernet1.10

Similarly, the following interface mappings are for context ctx2:

PIX(config)# context ctx2
PIX(config-ctx)# allocate-interface Ethernet0.40
PIX(config-ctx)# allocate-interface Ethernet1.20

After allocating the interfaces, verify the mapping with the following command:

PIX# show context
Context Name      Interfaces                    URL
*ctx1             Ethernet0.30, Ethernet1.10    flash:/ctx1.cfg
 ctx2             Ethernet0.40, Ethernet1.20    flash:/ctx2.cfg

Total active Security Contexts: 2
PIX#



5.
Configure the interfaces on the context.

From the system context, move into each context with the changeto command to configure its interfaces; the prompt changes to show the current context. The following commands configure the outside interface of context ctx1:

PIX(config)# changeto context ctx1
PIX/ctx1(config)# interface Ethernet0.30
PIX/ctx1(config-if)# ip address 192.168.1.1 255.255.255.0
PIX/ctx1(config-if)# nameif outside
PIX/ctx1(config-if)# exit

The following commands are used to configure the inside interface on context ctx1:

PIX/ctx1(config)# interface Ethernet1.10
PIX/ctx1(config-if)# ip address 10.1.1.1 255.255.255.0
PIX/ctx1(config-if)# nameif inside
PIX/ctx1(config-if)# exit

Configure interfaces for context ctx2 in the same way as for context ctx1:

PIX/ctx1(config)# changeto context ctx2
PIX/ctx2(config)# interface Ethernet0.40
PIX/ctx2(config-if)# ip address 192.168.2.1 255.255.255.0
PIX/ctx2(config-if)# nameif outside
PIX/ctx2(config-if)# exit
PIX/ctx2(config)# interface Ethernet1.20
PIX/ctx2(config-if)# ip address 10.1.2.1 255.255.255.0
PIX/ctx2(config-if)# nameif inside
PIX/ctx2(config-if)# exit

6.
At this stage, you can treat ctx1 and ctx2 as individual firewalls and define access policies, NAT, and so on, just as you would for a standalone PIX firewall.

To go back to the system context, execute the following command:

PIX/ctx2(config)# changeto context system
PIX(config)#
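The limitations listed at the start of this section all come down to one condition: a subinterface allocated to more than one context. The following script, added here as an example and not part of the original text or of any Cisco tool, parses the context definitions in a system-context running-config (the allocate-interface and admin-context lines produced by steps 3 and 4 above) and reports any interface that is shared between contexts, plus a missing or dangling admin-context. The sample configuration is constructed for the example: ctx1 and ctx2 match the page, and ctx3 is an invented third context that wrongly shares the inside VLAN 10 with ctx1. Expansion of allocate-interface ranges (Ethernet0.50-Ethernet0.51) and the two-space indentation inside context blocks are assumptions about the config layout; a mapped interface name after the interface (allocate-interface Ethernet0.30 outside) is tolerated and ignored.

```python
import re
from collections import defaultdict

# Constructed sample of a PIX system-context running-config (not captured
# from a device). ctx3 is invented and shares Ethernet1.10 with ctx1.
SAMPLE_SYSTEM_CONFIG = """\
mode multiple
!
interface Ethernet0
 speed auto
 duplex auto
 no shutdown
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet0.40
 vlan 40
!
interface Ethernet1
 speed auto
 duplex auto
 no shutdown
!
interface Ethernet1.10
 vlan 10
!
interface Ethernet1.20
 vlan 20
!
admin-context ctx1
context ctx1
  config-url flash:/ctx1.cfg
  allocate-interface Ethernet0.30
  allocate-interface Ethernet1.10
!
context ctx2
  config-url flash:/ctx2.cfg
  allocate-interface Ethernet0.40
  allocate-interface Ethernet1.20
!
context ctx3
  config-url flash:/ctx3.cfg
  allocate-interface Ethernet0.50-Ethernet0.51
  allocate-interface Ethernet1.10
!
"""

CONTEXT_RE = re.compile(r"^context\s+(\S+)\s*$")
ALLOC_RE = re.compile(r"^\s*allocate-interface\s+(\S+)")   # mapped name, if any, ignored
ADMIN_RE = re.compile(r"^admin-context\s+(\S+)")
RANGE_RE = re.compile(r"^(\S+?\.)(\d+)-(\S+?\.)(\d+)$")     # Ethernet0.50-Ethernet0.51


def expand_range(spec):
    """Expand a subinterface range on one parent into individual names.
    Anything that is not such a range is returned unchanged (assumed syntax)."""
    m = RANGE_RE.match(spec)
    if not m or m.group(1) != m.group(3):
        return [spec]
    lo, hi = int(m.group(2)), int(m.group(4))
    return [f"{m.group(1)}{n}" for n in range(lo, hi + 1)]


def parse_contexts(config_text):
    """Return (admin_context_name, {context_name: [allocated interfaces]})."""
    contexts, admin, current = {}, None, None
    for line in config_text.splitlines():
        m = ADMIN_RE.match(line)
        if m:
            admin = m.group(1)
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, [])
            continue
        if line.strip() == "!":
            current = None          # '!' closes the current context block
            continue
        m = ALLOC_RE.match(line)
        if m and current is not None:
            contexts[current].extend(expand_range(m.group(1)))
    return admin, contexts


def shared_interfaces(contexts):
    """Interfaces allocated to more than one context, with their owners."""
    owners = defaultdict(list)
    for ctx, ifaces in contexts.items():
        for iface in ifaces:
            owners[iface].append(ctx)
    return {iface: ctxs for iface, ctxs in owners.items() if len(ctxs) > 1}


def audit(config_text):
    """Return a list of human-readable findings for the limitations above."""
    admin, contexts = parse_contexts(config_text)
    findings = []
    if admin is None:
        findings.append("no admin-context defined")
    elif admin not in contexts:
        findings.append(f"admin-context {admin} has no context definition")
    for iface, ctxs in sorted(shared_interfaces(contexts).items()):
        findings.append(f"{iface} shared by {', '.join(sorted(ctxs))}: "
                        "classification needs NAT in routed mode and is "
                        "unsupported in transparent mode")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSTEM_CONFIG):
        print("WARNING:", finding)
```

Run it against the output of show running-config from the system context; with the sample above it flags only Ethernet1.10, shared by ctx1 and ctx3. The script cannot tell whether a context runs transparent or routed, because that is set inside each context's own configuration, so every shared interface is reported and the operator decides whether the required NAT is in place.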