Pages

Monday, 14 May 2012

Deploy Cisco ASA 55xx in Active / Standby Failover


Deploy Cisco ASA 55xx in Active / Standby Failover
 
Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions.
Hardware on both ASA firewalls is identical.
The correct licence's for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).
In this example the firewalls were ASA5510's and all interfaces were being used, so the Management port was used as the "Failover Link" (That needs a security plus licence!).
This Link will use a crossover cable (Only available after version 7.0(2) before that you had to use a switch - I think!).
Also I'm using the same link for LAN Based failover (heartbeat) AND Statefull replication.
IP Addresses
Each interface will need its existing IP address, and an address to use whilst in "Standby". In this example I will use the following,

Click For Larger Image
Outside Interface (Ethernet 0/0) 123.123.123.123 255.255.255.0
Outside Interface STANDBY 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1) 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2) 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY 192.168.2.254 255.255.255.0
Inside Interface (Ethernet 0/3) 172.16.1.1 255.255.255.0
Inside Interface (STANDBY) 172.16.1.254 255.255.255.0
Failover Interface (Management0/0) 172.16.254.254 255.255.255.0
Failover Interface STANDBY 172.16.254.250 255.255.255.0
 
Step 1 Carry Out this procedure on the PRIMARY (Already configured and working) firewall.
 
1. Backup the running config on the primary firewall.
PetesASA# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd
8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#
2. Blow away the config on the interface you are going to use for failover.
PetesASA(config)# clear configure interface m0/0
PetesASA(config)# int m0/0
PetesASA(config-if)# no shut
PetesASA(config)#
3. Change the interface IP addresses – (to add the standby addresses for each interface).
PetesASA(config)#
PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface Ethernet0/1
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface Ethernet0/2
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface Ethernet0/3
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#
4. Set up the failover LAN interface (In config mode!).
PetesASA(config)#
PetesASA(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#
5. Setup failover link IP address.
PetesASA(config)#
PetesASA(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
PetesASA(config)#
6. Setup a shared key.
PetesASA(config)#
PetesASA(config)# failover lan key 666999
PetesASA(config)#
7. Set it as the primary firewall.
PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#
8. Turn on failover.
PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#
9. Now we need to enable statefull failover.
PetesASA(config)#
PetesASA(config)# failover link failover Management0/0
PetesASA(config)#
10. Save the config.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)