Pages

Saturday 29 May 2021

Reasons to Start a Wireless Network

As far as I’m concerned, wireless networks would have to rank as one of the best inventions in history. They really are the best thing since sliced bread. I mean, really, bread is easy enough to cut yourself, but have you ever tried to wire up a network? Its a lot of hard yakka as many would say. WiFi is the wireless way to handle networking. It is also known as 802.11 networking and wireless networking. The big advantage of WiFi is its simplicity.
You can connect computers anywhere in your home or office without the need for wires. The computers connect to the network using radio signals, and computers can be up to 100 feet or so apart. So, in the spirit of spreading the word, I’m going to give you some great reasons why you need a wireless network. Sharing Internet Access. Wireless networking gives you a cheap and easy way to share one Internet connection between multiple computers, eliminating the need for more than one modem. You can even add new computers to your network simply by plugging in a wireless card and switching them on — they get an Internet connection straightaway! There aren’t many wired networks that can say that. Sharing Files and Printers. A wireless network gives you access to your files wherever you are in your home, and makes it easy to synchronise the data on a laptop with a home computer. It is much easier to send files between computers with a wireless network than it is to send them by email, or even by burning them to a CD. Plus, with the printer connected, you can also write things wherever you want, press print, and go and collect them from a printer connected to another computer — printers that are plugged into one of the computers on the network are shared between all the computers automatically. Always On Connection A big factor in the spread of broadband was that it let Internet connections be always-on, without needing to dial in. Well, wireless networking lets network connections be always-on, meaning that any of your computers can connect to the Internet whenever you want! You can take laptops from room to room, and it doesn’t matter — they’ll always have access. Plus, there’s not even any need to set up a username and password system, as wireless networks work without logging in. It’s just so convenient! No More Wires. This, of course, is the biggest reason why you should switch your network over to wireless. Wires are inconvenient, expensive, ugly and dangerous — you’ll be delighted to see the back of them. The average Ethernet wire doesn’t cost that much per metre, but once you’ve bought enough metres to do whatever you need to do, well, it tends to add up quickly. Not only that, but if you want to run your wire between rooms or floors, you have to knock holes in the walls — which might not even be allowed if you’re renting. I know plenty of people in rented apartments who had to keep their network confined to one room until they went wireless. With wireless networking, well, you can even take your computer outside, if you want to! No more wires also means no more spaghetti all over the floor and in the corners. Not only does this improve the safety of your home, as it’s all too easy to trip over exposed wires, but it also means that you don’t have to go to all the trouble of packing all the wires up and re-connecting them at the other end when you move. It also means that you don’t have to examine every wire for damage if your Internet connection breaks down. Play LAN and Internet Games. You might have seen an option in your favourite game to play over a LAN. Well, wireless networks are LANs, which means that your whole family can play that game together — without needing the computers to be anywhere near each other. It’s far more fun to play against real people you know than to play against random people over the Internet, not to mention that the game will work much faster. You could even invite your friends to bring their computers and join in — a ‘LAN party’! An added benefit is that wireless equipment lets you easily connect any games consoles you or your kids might have to the Internet, and start playing online. It’s far easier to play online with a wirelessly connected Xbox or PlayStation 2 than to have to connect it to your modem every time. Convinced Yet? If you’re excited, then that’s great — keep reading these articles for advice on how to set everything up. If you don’t think it’s for you yet, well, don’t give up on it — I’m sure you’ll come round when you realise just how easy and cheap wireless really is.

How To Secure Your Wireless Network

People have more flexible time due to wireless network. Thanks to the invention of wireless. People can now work from home while taking care of their kids or doing house works. No more stress from traffic jam anymore. Is this great? Well, there is something you should realize. Working from home while using a wireless local area network (WLAN) may lead to theft of sensitive information and hacker or virus infiltration unless proper measures are taken. As WLANs send information over radio waves, someone with a receiver in your area could be picking up the transmission, thus gaining access to your computer. They could load viruses on to your laptop which could be transferred to the company’s network when you go back to work. Believe it or not! Up to 75 per cent of WLAN users do not have standard security features installed, while 20 per cent are left completely open as default configurations are not secured, but made for the users to have their network up and running ASAP. It is recommended that wireless router/access point setup be always done though a wired client.
You can setup your security by follow these steps: 1. Change default administrative password on wireless router/access point to a secured password. 2. Enable at least 128-bit WEP encryption on both card and access point. Change your WEP keys periodically. If equipment does not support at least 128-bit WEP encryption, consider replacing it. Although there are security issues with WEP, it represents minimum level of security, and it should be enabled. 3. Change the default SSID on your router/access point to a hard to guess name. Setup your computer device to connect to this SSID by default. 4. Setup router/access point not to broadcast the SSID. The same SSID needs to be setup on the client side manually. This feature may not be available on all equipment. 5. Block anonymous Internet requests or pings. On each computer having wireless network card, network connection properties should be configured to allow connection to Access Point Networks Only. Computer to Computer (peer to peer) Connection should not be allowed. Enable MAC filtering. Deny association to wireless network for unspecified MAC addresses. Mac or Physical addresses are available through your computer device network connection setup and they are physically written on network cards. When adding new wireless cards / computer to the network, their MAC addresses should be registered with the router /access point. Network router should have firewall features enabled and demilitarized zone (DMZ) feature disabled. All computers should have a properly configured personal firewall in addition to a hardware firewall. You should also update router/access point firmware when new versions become available. Locating router/access point away from strangers is also helpful so they cannot reset the router/access point to default settings. You can even try to locate router/access point in the middle of the building rather than near windows to limit signal coverage outside the building. There is no guarantee of a full protection of your wireless network, but following these suggested tips can definitely lessen your risk of exposing to attackers aiming at insecure networks.

Saturday 26 August 2017

VPN Interview Questions and Answers

  1. What is Trusted and Untrusted Networks?
  2. Answer:
    Trusted networks: Such Networks allow data to be transferred transparently. The machines using a trusted network are usually administered by an Administrator to ensure that private and secured data is not leaked. Access to this network is limited. Computers using trusted networks are more secured and confidential because of strong firewalls.

    Untrusted networks: Such networks are usually administered by the owners. They can allow improper access to sensitive or personal data. These machines are usually separate. Such machines could me more prone to attacks.
  1. Is there market penetration for these products?
  2. Answer: Those companies who were early adopters of firewalls are the ones using VPNs today. VPNs are still early in the use cycle. Three years ago, they hardly existed. Then firewall products started to include them — first ANS Interlock, then TIS Gauntlet. Soon, customers started demanding VPN functionality in their firewalls, even though few of them actually used it. But the Security Architecture for Internet Protocol (IPSEC) standard is changing that — with IPSEC-compliant off-the-shelf products, using encryption to protect the privacy of communications will be an automatic decision. It may take awhile. I predicted that 1998 would be the "Year of the VPN," but maybe 1999 is more realistic. Look, over four years after the famous Internet password sniffing incident, most people still seem to be working with reusable passwords.
  1. What are the different authentication methods used in VPNs?
  2. Answer:The authentication method uses an authentication protocol. The methods are:

    EAP authentication method: Extensible authentication protocol authenticates remote access connection. The authentication mechanism is decided between the remote VPN client and authenticator (ISA). The mechanism is typical in which authenticator requests for authentication information and the responses are given by the remote VPN client.

    MS Chap Authentication method: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) starts with the authenticator (Remote access server) challenge. The challenge to the remote access client sends a session identifier and challenge string. The client in response sends the nonreversible encryption of the string, the identifier and password. Authenticator checks the credentials and grants access on a successful authentication.

    Unencrypted passwords (PAP): Uses plain text passwords. Does not involve encryption. Used for less secure clients.

    Shiva Password Authentication Protocol (SPAP): It is a password authentication protocol. It is less secure as the same user password is always sent in the same reversibly encrypted form.
  1. What security vulnerabilities are unique to or heightened by VPN?
  2. Answer: Even though VPNs provide ubiquitous, perimeter security, firewalls are still needed. Walls around cities went away because it became inexpensive to bring them in closer to individual homes. Only a perimeter enforcement mechanism can guarantee adherence to an organization's security policies. However, as part of policy enforcement, a firewall might need to be able to look at the information in a packet. Encryption makes that rather difficult. VPNs — improperly deployed — take away a firewall's ability to audit useful information, or to make decisions beyond the level of "who is allowed to talk to whom." There are ways around this. The easiest way is to make the firewall a trusted third member of the conversation. People who value privacy above everything else chafe at this. But people who value the security of their organization realize that this is a necessity.
  1. What is VPN?
  2. Answer: A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. VPNs maintain the same security and management policies as a private network. They are the most cost effective method of establishing a virtual point-to-point connection between remote users and an enterprise customer's network.
  1. Is VPN a long-term solution or a short-term stop gap kind of thing?
  2. Answer: VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away. Because the problem VPNs address — privacy over a public network — will not go away. VPNs will exist from the desktop to the server, and at the IP packet level as well as the application data level.
  1. What are the different types of VPN?
  2. Answer: 
    Remote Access VPN - Also called as Virtual Private dial-up network (VPDN) is mainly used in scenarios where remote access to a network becomes essential. Remote access VPN allows data to be accessed between a company’s private network and remote users through a third party service provider; Enterprise service provider. E.g Sales team is usually present over the globe. Using Remote access VPN, the sales updates can be made.

    Site to Site VPN – Intranet based: This type of VPN can be used when multiple Remote locations are present and can be made to join to a single network. Machines present on these remote locations work as if they are working on a single network.

    Site to Site VPN – Extranet based: This type of VPN can be used when several different companies need to work in a shared environment. E.g. Distributors and service companies. This network is more manageable and reliable.
  1. What security vulnerabilities are addressed by VPN?
  2. Answer: VPNs directly protect the privacy of a communication, and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.
  1. What are unreasonable expectations for VPN?
  2. Answer: With firewalls, we went from a very small number of security-wise companies using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desk top we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were meant to do: keep communications private.
  1. What are unreasonable expectations for VPN?
  2. Answer: With firewalls, we went from a very small number of security-wise companies using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desk top we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were meant to do: keep communications private.
  1. What are some of the tough questions to pose to VPN product vendors?
  2. Answer: Many vendors claim to be IPSEC-compliant. The real requirement should be "list the other products with which you can communicate" Also, a customer should want to know how automatic the key exchange mechanism is? In a perfect world — in an IPSEC world — it would be automatic. If a Virtual Network Perimeter (VNP, not VPN) is used, how easy is it to deploy the software to mobile PC users? How much does it interfere with normal network operation from a mobile PC, if at all? What crypto algorithms are used? What key length?
  1. What kind of resources (staff, computational muscle, bandwidth, etc.) are required for VPN deployment, usage, maintenance?
  2. Answer: VPNs are typically handled as just another job by the network or system administrator staff. Whoever is managing the firewall today can easily add VPN management to the plate because once a VPN is set up there is little else to do on most implementations.
  1. Who are the major players in the market?
  2. Answer: Aventail is a leader in this market. All the major firewall vendors and router vendors are in it as well. On the client side, Timestep and V-ONE are big.
  1. What firewall issues are relevant to VPN selection and deployment?
  2. Answer: Well, the perimeter security issues mentioned above, plus a firewall should give the option of VPN with or without trust. For example, I would prefer all sessions between my firewall and my clients and business partners to be encrypted — to be VPNs. But, I want all of them to run up against my firewall if they try to do anything besides what I permit. On the other hand, if I dial in from the speaker's lounge at a conference, I would like a private connection (that is to say, encrypted) that also looks and feels like a virtual "inside" connection, just as if I was sitting in the office.
  1. What kind of performance issues does VPN raise?
  2. Answer: Encryption takes more horsepower than sending data in the clear. It really shows up on mobile PCs transmitting large hunks of data — for example, a PowerPoint presentation — over a dial-up phone line. Firewalls and other server systems should employ hardware crypto engines. With these there are no performance issues. I expect that this functionality for mobile PCs will migrate to PC cards with crypto engines. When will this happen? Within the next 18 months.
  1. What is the relationship between VPN and firewalls?
  2. Answer: While VPNs were available before firewalls via encrypting modems and routers, they came into common use running on or with firewalls. Today, most people would expect a firewall vendor to offer a VPN option. (Even though most people today don't use VPNs.) Also, they want it managed via the same firewall management interface. But then, users today seem to want nearly everything on the firewall: mail server, name server, proxy servers for HTTP, FTP server, directory server, and so on. That's terrible and a subject in itself.
  1. Are VPNs used for specific kinds of applications or environments? If so, what are some examples of where and why VPNs would be deployed?
  2. Answer: VPNs should be used for all information exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as commonplace as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.

Wednesday 26 July 2017

Cisco anyconnect mac client

Cisco any connect client on mac

Cisco client can be downloaded from the cisco site and choose to save and open the .dmg file.
then run  the 'AnyConnect.pkg' and click "Continue".
carefully read the license agreement and click "Continue" and then "Agree".
keep all the default settings and click "Continue" and "Install", entering your admin username and password.
after completion , navigate to the 'Cisco' folder inside your 'Applications'.
Drag the 'Cisco AnyConnect Secure Mobility Client.app' into the dock to create a shortcut and then launch it.
Enter the following server address under 'VPN': vpn domain name which you have provided or public ip address
Press 'Connect' and, when prompted, enter your VPN username and password.
Once you have connected for the first time, the server will remain so you shouldn't need to re-enter it again.

the client will recheck the new version everytime you connect it.


Monday 14 May 2012

ASA 5500 Adding a DMZ Step By Step


ASA 5500 Adding a DMZ Step By Step
 
Problem
Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.
Assumptions
1. Networks,
a. Inside network is 10.1.0.0 255.255.0.0
b. Outside network is 123.123.123.120 255.255.255.248
c. DMZ network is 172.16.1.0 255.255.0.0
2. Interfaces,
a. Inside Interface is 10.1.0.254
b. Outside Interface is 172.16.1.254
c. DMZ Interface is 172.16.1.254
3. The Web server in the DMZ will have the following IP addresses,
a. DMZ IP address 172.16.1.1
b. Public IP address 123.123.123.124
4. From the Internet you want to allow web traffic and secure web traffic (http/www andhttps/ssl) to the DMZ Server.
5. The DMZ Server needs to speak to a database server on the inside LAN, on TCP port 1433.
Solution
1. Firstly connect to the ASA log in and go to enable mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
2. Go to configure terminal mode and set up the DMZ interface (In this case Ethernet0/2).
PetesASA# conf t
PetesASA(config)# interface Ethernet0/2
PetesASA((config-if)# nameif DMZ
PetesASA((config-if)# security-level 50
PetesASA((config-if)# ip address 172.16.1.254 255.255.0.0
PetesASA((config-if)# no shutdown
PetesASA((config-if)# exit
3. I like to name the DMZ entities IP addresses so things look neat.
PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP
4. Set a some NAT statement to handle traffic flow. (assuming you have a matching global statement like global (outside) 1 xxx - "show run global" will tell you).
PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0
Note We are only going to have one DMZ host, and it will have a static mapping - if you had many DMZ hosts then also add "global (DMZ) 1 interface".
5. Now add some static mappings.
PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
6. To let people from outside you need to either create an access-list or add some rules to any existing inbound access-list. ("show run access-group" will tell you, look for an ACLapplies "in" to the outside interface e.g. "access-group outbound in interface inside". We will assume I don't have one so i'll need the access-group at the end.
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq https
PetesASA(config)# access-group inbound in interface outside
7. Now to allow the DMZ host to get to the database server I'm going to allow TCP 1433.
PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433
PetesASA(confi
g)# access-group DMZ_outbound in interface DMZ
8. Finally save the configuration.

Block Facebook & Google Talk on ASA


Block Access to Facebook on Cisco ASA with MPF
Problem
If you have an ASA5510 then this sort of thing would be better handled with a CSCModule, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution
NOTE: This can be used for any web site simply add each URL you want to block.
Solution
1. Log into your firewal,l and enter enable mode, then enter configure terminal mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)#
2. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)
PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#
3. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)
PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#
4. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).
PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#
5. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above....
PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#
6. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.
PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#
7. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so....
Note: If it does not error then it was NOT applied :)
PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#
8. Don't forget the save the config with a "write mem" command.
If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues).

regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside


Blocking Google Talk (Cisco ASA)
 
Problem
You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.
Solution
Yes, you could write a REGEX and block it with an MPF, like I did here, to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA, and go to configure terminal mode.
PetesASA>
PetesASA> en
Password: ********
PetesASA# configure terminal
PetesASA(config)#
2. Lets keep things neat and name our four Goolge Talkservers.
PetesASA(config)# name 216.239.37.125 Google-Talk-Server-1
PetesASA(config)# name 72.14.253.125 Google-Talk-Server-2
PetesASA(config)# name 72.14.217.189 Google-Talk-Server-3
PetesASA(config)# name 209.85.137.125 Google-Talk-Server-4
3. Then lets create a group for those servers.
PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host 216.239.37.125
PetesASA(config-network-object-group)# network-object host 72.14.253.125
PetesASA(config-network-object-group)# network-object host 72.14.217.189
PetesASA(config-network-object-group)# network-object host 209.85.137.125
4. And then a group for the ports we want to block.
PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www
5. To tie it all together we can simply add one ACL.
PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
Note: This assumes you have an ACL called "outbound" thats applied to your outbound traffic, yours may have a different name, to find out issue a "show run access-group" command like so, your outbound ACL will be allied "in interface inside". If yours is called something different then change the command above accordingly. If you don't have one at all skip to step 6.
PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#
6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic. andAFTER you have carried out step 5.
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any

Deploy Cisco ASA 55xx in Active / Standby Failover


Deploy Cisco ASA 55xx in Active / Standby Failover
 
Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions.
Hardware on both ASA firewalls is identical.
The correct licence's for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).
In this example the firewalls were ASA5510's and all interfaces were being used, so the Management port was used as the "Failover Link" (That needs a security plus licence!).
This Link will use a crossover cable (Only available after version 7.0(2) before that you had to use a switch - I think!).
Also I'm using the same link for LAN Based failover (heartbeat) AND Statefull replication.
IP Addresses
Each interface will need its existing IP address, and an address to use whilst in "Standby". In this example I will use the following,
Outside Interface (Ethernet 0/0) 123.123.123.123 255.255.255.0
Outside Interface STANDBY 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1) 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2) 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY 192.168.2.254 255.255.255.0
Inside Interface (Ethernet 0/3) 172.16.1.1 255.255.255.0
Inside Interface (STANDBY) 172.16.1.254 255.255.255.0
Failover Interface (Management0/0) 172.16.254.254 255.255.255.0
Failover Interface STANDBY 172.16.254.250 255.255.255.0
 
Step 1 Carry Out this procedure on the PRIMARY (Already configured and working) firewall.
 
1. Backup the running config on the primary firewall.
PetesASA# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd

8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#
2. Blow away the config on the interface you are going to use for failover.
PetesASA(config)# clear configure interface m0/0
PetesASA(config)# int m0/0
PetesASA(config-if)# no shut
PetesASA(config)#
3. Change the interface IP addresses – (to add the standby addresses for each interface).
PetesASA(config)#
PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface Ethernet0/1
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface Ethernet0/2
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface Ethernet0/3
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#

4. Set up the failover LAN interface (In config mode!).
PetesASA(config)#
PetesASA(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#

5. Setup failover link IP address.
PetesASA(config)#
PetesASA(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
PetesASA(config)#

6. Setup a shared key.
PetesASA(config)#
PetesASA(config)# failover lan key 666999
PetesASA(config)#

7. Set it as the primary firewall.
PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#
8. Turn on failover.
PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#
9. Now we need to enable statefull failover.
PetesASA(config)#
PetesASA(config)# failover link failover Management0/0
PetesASA(config)#
10. Save the config.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#