How to segregate multiple customers (4) behind Cisco ASA?

s0chia-Cisco
Level 1

Hello,

 

Please help me:

I need help to figure out how I could segregate 4 different customers in a building behind a Cisco ASA firewall. I will post a network diagram later on: I have 2 access switches and a collapsed core switch, then the ASA firewall, then the Internet router (single).

 

I'd like to know what the best practice is to achieve this, keeping in mind that I'd like to avoid an impact on the other customers because of a single customer.

 

Router Internet
    |
Firewall
    |
Core switch
    |
Access Switches
  |      |      |      |
custA  custB  custC  custD

 

I have these ideas on this topic:

 

  1. VRFs (is it possible on ASA?)
  2. Using the same security level on the sub-interfaces coming from the core switch
  3. Multiple security contexts (in this case, if one context needs to be reloaded or restarted, will it also impact the other customers?)

I'd appreciate any kind of help.


14 Replies

Marvin Rhoads
Hall of Fame

The easiest way is to use a sub-interface per customer / subnet (assuming they are all on different subnets). Do not permit same-security traffic intra-interface. Create NAT statements and access-lists for each subinterface / customer subnet separately.

 

ASA does not support VRFs and multiple context is more complexity than you need for this use case (in my opinion).

Hi Marvin,

 

appreciate your help. Let me think about it.

 

s0chia

 

Hi Marvin,

 

Could you write a short config example, at least for 1 customer, just to have a clearer idea of how it could look in reality?

 

S0chia

Something like the following:

 

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif CustomerA
 security-level 100
 ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif CustomerB
 security-level 100
 ip address 10.3.3.3 255.255.255.0
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif CustomerC
 security-level 100
 ip address 10.4.4.4 255.255.255.0
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif CustomerD
 security-level 100
 ip address 10.5.5.5 255.255.255.0

Hi Marvin,

 

Great config, but it's missing some parts, like NAT for each interface.

I see you wrote the same security level for each sub-interface just to segregate customers. That's good.

 

s0chia

Also forgot the ACLs...

I didn't forget them - I was leaving some of the work for you to figure out. :)

 

The basic NAT is to translate outbound traffic to the outside interface address. Whether or not you need that and any ACLs are dependent on whether or not your ASA is where NAT needs to happen - it isn't always the case - and whether or not you need to allow traffic initiated from the outside.

 

Basic NAT would look like this:

 

nat (CustomerA,outside) after-auto source dynamic any interface
nat (CustomerB,outside) after-auto source dynamic any interface
nat (CustomerC,outside) after-auto source dynamic any interface
nat (CustomerD,outside) after-auto source dynamic any interface
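Putting Marvin's pieces together (the sub-interface per customer, the rule not to permit same-security traffic between interfaces, and a NAT rule plus ACL per customer), here is an added example that is not code from the thread or from Cisco: a small Python lint that reads an ASA-style config and reports anything that would let one customer reach another. It assumes the outside interface is named "outside", that ACL entries are extended "ip" entries using any / host / network-mask addresses, and that a packet matching no entry hits the ASA's implicit deny. The sample config and its three planted faults (the inter-interface permit, CustomerB without a NAT rule, CustomerB's wide-open inbound ACL) are constructed for this example. With the inter-interface permit absent the ASA already drops traffic between equal-level interfaces regardless of ACLs, so the ACL check is a second line of defence for the day someone turns that permit on.

```python
"""Lint a single-context ASA config for per-customer segregation (added
example, not the thread's code): one named sub-interface per customer, no
same-security inter-interface permit, a NAT rule and inbound ACL per customer,
and no ACL that would admit one customer's traffic into another's subnet."""
import ipaddress

# Constructed sample extending Marvin's sub-interface example, with three planted
# faults: the inter-interface permit, no NAT for CustomerB, CustomerB's open ACL.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1.2
 vlan 2
 nameif CustomerA
 security-level 100
 ip address 10.2.2.2 255.255.255.0
interface GigabitEthernet0/1.3
 vlan 3
 nameif CustomerB
 security-level 100
 ip address 10.3.3.3 255.255.255.0
access-list CustomerA_in extended deny ip any 10.3.3.0 255.255.255.0
access-list CustomerA_in extended permit ip 10.2.2.0 255.255.255.0 any
access-group CustomerA_in in interface CustomerA
access-list CustomerB_in extended permit ip any any
access-group CustomerB_in in interface CustomerB
nat (CustomerA,outside) after-auto source dynamic any interface
"""
# The same config with the three faults corrected; lint() returns [] for it.
FIXED_CONFIG = SAMPLE_CONFIG.replace("same-security-traffic permit inter-interface\n", "").replace(
    "access-list CustomerB_in extended permit ip any any", "access-list CustomerB_in extended "
    "deny ip any 10.2.2.0 255.255.255.0\naccess-list CustomerB_in extended permit ip any any"
) + "nat (CustomerB,outside) after-auto source dynamic any interface\n"


def _acl_addr(t, i):
    """One ACL address spec at t[i] (any | host X | NET MASK) -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_asa_config(text):
    cfg = {"interfaces": {}, "acls": {}, "access_groups": {}, "nats": set(),
           "same_security_inter": False}
    cur = None
    for raw in text.splitlines():
        line, t = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur = {"level": None, "subnet": None}            # new interface stanza
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_security_inter"] = True
        elif line.startswith("nameif ") and cur is not None:
            cfg["interfaces"][t[1]] = cur                     # only named interfaces count
        elif line.startswith("security-level ") and cur is not None:
            cur["level"] = int(t[1])
        elif line.startswith("ip address ") and cur is not None:
            cur["subnet"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif line.startswith("access-list ") and len(t) > 5 and t[2] == "extended":
            if t[4] != "ip":                                  # fail loudly, never pass silently
                raise ValueError(f"unsupported ACL protocol: {line}")
            src, i = _acl_addr(t, 5)
            dst, _ = _acl_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif line.startswith("access-group ") and t[2] == "in":
            cfg["access_groups"][t[4]] = t[1]                 # interface -> ACL name
        elif line.startswith("nat ("):
            cfg["nats"].add(tuple(t[1].strip("()").split(",")))
    return cfg


def acl_permits(entries, src, dst):
    """First match wins; the ASA's implicit deny applies when nothing matches."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def check_segregation(cfg, outside="outside"):
    findings = []
    customers = {n: i for n, i in cfg["interfaces"].items() if n != outside}
    if cfg["same_security_inter"]:
        findings.append("same-security-traffic permit inter-interface is set: "
                        "equal-level customer interfaces can reach each other")
    if len({i["level"] for i in customers.values()}) > 1:
        findings.append("customer interfaces do not share one security level")
    # One representative host per customer subnet to probe each inbound ACL with.
    hosts = {n: next(iter(i["subnet"].hosts())) for n, i in customers.items() if i["subnet"]}
    for name in customers:
        if (name, outside) not in cfg["nats"]:
            findings.append(f"{name}: no nat ({name},{outside}) rule")
        acl = cfg["access_groups"].get(name)
        if acl is None or name not in hosts:
            findings.append(f"{name}: missing inbound access-group or ip address")
            continue
        for other, dst in hosts.items():
            if other != name and acl_permits(cfg["acls"].get(acl, []), hosts[name], dst):
                findings.append(f"{name}: ACL {acl} permits traffic into {other} "
                                f"({customers[other]['subnet']})")
    return findings


def lint(text):
    return check_segregation(parse_asa_config(text))
```

Feed it the text of "show running-config"; on the constructed sample it reports three findings (the inter-interface permit, the missing CustomerB NAT rule, and CustomerB's ACL permitting traffic into CustomerA's subnet) and an empty list for FIXED_CONFIG. Any ACL protocol other than "ip" makes the parser raise rather than quietly skip the entry, because a lint that can silently miss a permit is worse than one that stops.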

Hi Marvin,

 

Thanks a lot. What book would you advise me to read to improve my firewall/security skills?

 

S0chia

You're welcome.

 

As far as books, the classic book is the Cisco Press one on ASAs:

https://www.amazon.com/Cisco-ASA-All-one-Next-Generation-ebook/dp/B00JZOP4U8

 

That is very comprehensive and sort of a classic - in its third edition. It won't cover Firepower though. For that, the follow-on book would be:

https://www.amazon.com/Cisco-Next-Generation-Security-Solutions-All-ebook/dp/B01I1V3YJ8/ref=sr_1_1?s=digital-text&ie=UTF8&qid=1505662847&sr=1-1&keywords=firepower

 

Or you could just get a Safari books subscription and add both (and several others) to your bookshelf. That's what I do.

Hi Marvin,

 

thanks!!!

I really appreciate your help.

Have a nice day and thanks for books advice as well.

 

s0chia

Hi Marvin,

 

In the case where some customer (let's assume Customer_B) has the same network as Customer_C, how could I manage it?

Using VRFs on the core switch, connected to the firewall using sub-interfaces?

 

This point is very obfuscated in my mind.

 

Appreciate any kind of help.

 

s0chia

If you have overlapping customer subnets and want to share a common ASA then the ASA must be multiple context mode.

 

If you choose that alternative then you just upped the complexity by an order of magnitude and it is not the best project to take on if you are new to ASA.
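The reason behind Marvin's answer is that a single-context ASA has one routing table, so two customer sub-interfaces cannot both carry the same subnet; only a separate context (its own routing table and NAT domain) can. The added example below is not code from the thread: it takes a constructed map of customer subnets, finds the collisions with the standard ipaddress module, and says whether single-context sub-interfaces still work. It goes a step beyond the thread with contexts_needed(), which groups customers so that only the colliding ones land in separate contexts; whether you want that economy or one context per customer for full fault isolation is a design choice, not something the thread settles. The customer names and subnets are assumptions for the example.

```python
"""Can these customers share one single-context ASA, or is multiple-context
mode required because their subnets overlap?  Added example, not thread code."""
import ipaddress
from itertools import combinations

# Constructed example: CustomerB and CustomerC were both given 10.3.3.0/24.
CUSTOMER_SUBNETS = {
    "CustomerA": ["10.2.2.0/24"],
    "CustomerB": ["10.3.3.0/24"],
    "CustomerC": ["10.3.3.0/24", "192.168.50.0/24"],
    "CustomerD": ["10.5.5.0/24"],
}


def overlapping_customers(subnets):
    """Return (customerX, customerY, netX, netY) for every pair of different
    customers whose subnets overlap (a plain duplicate is the common case)."""
    nets = [(c, ipaddress.ip_network(s)) for c, lst in subnets.items() for s in lst]
    return [(ca, cb, str(na), str(nb))
            for (ca, na), (cb, nb) in combinations(nets, 2)
            if ca != cb and na.overlaps(nb)]


def required_asa_mode(subnets):
    """'single': one sub-interface per customer is enough.
    'multiple': at least one overlap, so separate contexts are needed."""
    return "multiple" if overlapping_customers(subnets) else "single"


def contexts_needed(subnets):
    """Greedy first-fit grouping of customers into contexts so that no two
    customers inside one context overlap.  Fewer contexts than customers
    is possible when only some subnets collide."""
    contexts = []                      # each context: {customer: [networks]}
    for cust, lst in subnets.items():
        nets = [ipaddress.ip_network(s) for s in lst]
        for ctx in contexts:
            clash = any(n.overlaps(m) for n in nets for ms in ctx.values() for m in ms)
            if not clash:
                ctx[cust] = nets
                break
        else:                          # collides with every existing context
            contexts.append({cust: nets})
    return [sorted(ctx) for ctx in contexts]
```

For the constructed map the result is one collision (CustomerB against CustomerC on 10.3.3.0/24), mode "multiple", and two contexts: A, B and D can stay together on sub-interfaces while C needs its own context. Run it against the real address plan before deciding between Marvin's two designs.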

Hi Marvin,

 

Thanks for your quick reply.

I know how to implement Multiple Security Context (I made a home lab for that) but it was very hard.

 

Appreciate once again.

 

s0chia
