Virtual Private Networks

Case Study 3 Data Center Security with Cisco ASA

SecureMe builds security policies that align asset protection with business goals. To secure its data center, the security administrator defines separate security zones. These zones divide the data center into areas that are logically isolated from one another, so that security threats and anomalies are contained with minimal impact. The individual zones in SecureMe's data center support individual application groups of servers. Each zone is protected by a virtual firewall context on the Cisco ASA 5520s at the data center (DC-5520-1 and DC-5520-2). Figure 22-7 illustrates how each zone is protected by its own security context.

Figure 22-7. Data Center Zones and Virtual Contexts

SecureMe's data center has four different zones, corresponding to individual virtual firewall contexts running in transparent mode:

  • Authentication servers (authservers context)
  • E-commerce applications (e-commerce context)
  • MySQL database server and third-party applications (databases context)
  • Mail and DNS servers (maildns context)

Communication between applications is limited to specific traffic required for application integration, data warehousing, and web services.

Interfaces cannot be shared between contexts in transparent mode, so each virtual context needs its own pair of subinterfaces for its inside and outside interfaces. Example 22-11 shows the system context configuration and how each separate context is created.

Example 22-11. Admin Context Configuration

!Cisco ASA 5520 running in transparent multi-mode
firewall transparent

!Separate subinterfaces are created and associated to their respective VLANs
interface GigabitEthernet0/0

interface GigabitEthernet0/0.1
 vlan 200

interface GigabitEthernet0/0.2
 vlan 201

interface GigabitEthernet0/0.3
 vlan 202

interface GigabitEthernet0/0.4
 vlan 203

interface GigabitEthernet0/1

interface GigabitEthernet0/1.1
 vlan 100

interface GigabitEthernet0/1.2
 vlan 101

interface GigabitEthernet0/1.3
 vlan 102

interface GigabitEthernet0/1.4
 vlan 103

interface GigabitEthernet0/2

interface GigabitEthernet0/2.1
 vlan 501

interface GigabitEthernet0/2.2
 vlan 502

interface GigabitEthernet0/3.1
 vlan 503

interface GigabitEthernet0/3.2
 vlan 504

interface Management0/0

enable password 8Ry2YjIyt7RRXU24 encrypted
hostname DC-5520-1
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

!Admin context configuration. Management0/0 interface is allocated for the admin context
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

!Virtual context for RADIUS and Domain Controllers
context authservers
 description Virtual context for Radius and Domain Controllers
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 config-url disk0:/authservers.cfg

!Virtual context for e-commerce applications
context ecommerce
 description Virtual context for e-commerce applications
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/ecommerce.cfg

!Virtual context for databases and third-party applications
context databases
 description Virtual context for databases and third-party app
 allocate-interface GigabitEthernet0/0.3
 allocate-interface GigabitEthernet0/1.3
 config-url disk0:/databases.cfg

!Virtual context for email and DNS servers
context maildns
 description Virtual context for email and DNS servers
 allocate-interface GigabitEthernet0/0.4
 allocate-interface GigabitEthernet0/1.4
 config-url disk0:/maildns.cfg

!Virtual context for active/active failover
context FO_context1
 allocate-interface GigabitEthernet0/2.1
 allocate-interface GigabitEthernet0/3.1
 config-url flash:/FO_context1.cfg
 failover-group 1

!Virtual context for active/active failover
context FO_context2
 allocate-interface GigabitEthernet0/2.2
 allocate-interface GigabitEthernet0/3.2
 config-url flash:/FO_context2.cfg
 failover-group 2

The Cisco ASA 5520s at SecureMe's data center include a configuration for each context that identifies the security policy for each zone. Figure 22-8 illustrates one of the security contexts (maildns context) within the respective data center zone.

Figure 22-8. Mail and DNS Server Data Center Zone

Example 22-12 shows the maildns virtual context configuration.

Example 22-12. maildns Context Configuration

DC-5520-1/maildns(config)# show running-config
: Saved
:
ASA Version 7.0(1)
firewall transparent

interface GigabitEthernet0/1.4
 nameif inside
 security-level 100

interface GigabitEthernet0/0.4
 nameif outside
 security-level 0

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

!ASA automatically configures the hostname parameters to the context name
hostname maildns

!ACL allowing only mail and DNS traffic to corresponding servers
access-list maildns extended permit tcp any host eq smtp
access-list maildns extended permit tcp any host eq pop3
access-list maildns extended permit tcp any host eq imap4
access-list maildns extended permit udp any host eq domain
access-list maildns extended permit udp any host eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address
no asdm history enable
arp timeout 14400

!A static NAT is configured to limit the maximum number of connections to 10000 and
!maximum embryonic connections to 500.
static (inside,outside) netmask tcp 10000 500
static (inside,outside) netmask udp 10000 500

!Access-group for the previously configured access-list
access-group maildns in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
: end



ESMTP inspection is configured in the maildns context. All other security contexts are configured similarly to the maildns context, except for the appropriate ports and protocols allowed for each application.
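The two design rules in this case study (Example 22-11: no interface may be allocated to more than one transparent-mode context; Example 22-12: each zone's ACL permits only the services that zone hosts) are easy to audit from the saved configurations. The following script is an added example and is not from the book or Cisco: it parses constructed excerpts of the system context and of the maildns ACL (host addresses are 192.0.2.x placeholders, since the page omits them, and one misallocated context and one out-of-policy permit are added deliberately) and reports violations of both rules.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Example 22-11 context blocks; "badctx" is added here
# to show a transparent-mode violation (an interface allocated to two contexts).
SYSTEM_CFG = """\
context authservers
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
context maildns
 allocate-interface GigabitEthernet0/0.4
 allocate-interface GigabitEthernet0/1.4
context badctx
 allocate-interface GigabitEthernet0/1.4
"""

# Constructed maildns ACL: the page's entries with placeholder hosts, plus one
# extra permit (ssh) that the mail/DNS zone policy does not allow.
MAILDNS_ACL = """\
access-list maildns extended permit tcp any host 192.0.2.25 eq smtp
access-list maildns extended permit tcp any host 192.0.2.25 eq pop3
access-list maildns extended permit tcp any host 192.0.2.25 eq imap4
access-list maildns extended permit udp any host 192.0.2.53 eq domain
access-list maildns extended permit tcp any host 192.0.2.25 eq ssh
"""
MAILDNS_ALLOWED = {("tcp", "smtp"), ("tcp", "pop3"), ("tcp", "imap4"),
                   ("udp", "domain"), ("tcp", "domain")}

def context_interfaces(cfg):
    """Map each context name to the list of interfaces allocated to it."""
    ctx, alloc = None, defaultdict(list)
    for line in cfg.splitlines():
        if line.startswith("context "):
            ctx = line.split()[1]
        elif ctx and line.strip().startswith("allocate-interface "):
            alloc[ctx].append(line.split()[1])
    return dict(alloc)

def shared_interfaces(alloc):
    """Interfaces owned by more than one context; must be empty in transparent mode."""
    owners = defaultdict(set)
    for ctx, ifaces in alloc.items():
        for iface in ifaces:
            owners[iface].add(ctx)
    return {i: sorted(c) for i, c in owners.items() if len(c) > 1}

def acl_violations(acl, allowed):
    """Permit entries whose (protocol, port keyword) is outside the zone's allowed set."""
    pat = re.compile(r"^access-list \S+ extended permit (tcp|udp) .*\beq (\S+)$")
    return [l for l in acl.splitlines()
            if (m := pat.match(l)) and (m.group(1), m.group(2)) not in allowed]
```

Running the same two checks against the real `show running-config` output of the system and each context (with `MAILDNS_ALLOWED` replaced by that zone's service set) gives a quick regression test after every change to the data center contexts.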

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231