Cisco ASA High Availability Failover Configuration

The document discusses configuring high availability failover between two Cisco ASA firewalls. It provides the lab topology and objectives, as well as steps to configure basic settings on nodes, configure active/standby failover between the firewalls, and configure routing and NAT.

Uploaded by

cciersman

Download PNETLab Platform

PNETLAB Store
PNETLab.com

CISCO ASA HIGH AVAILABILITY FAILOVER CONFIGURATION
Lab Topology:
The lab network topology is illustrated below:

Lab Objective: The objective of this lab exercise is for you to learn and understand how
to configure High Availability (Active/Standby failover) between two Cisco ASA firewalls.

In Active/Standby failover, one unit is the active unit. It passes traffic. The standby unit
does not actively pass traffic. When a failover occurs, the active unit fails over to the
standby unit, which then becomes active. You can use Active/Standby failover for ASAs
in single or multiple context mode.


TASK LIST:

Task 1: Basic configuration on nodes

Configure the hostname and the interface IP addresses on the routers, server and firewall as
shown in the topology. Check reachability between the nodes, then point each node's default
route at ASA-Active.
Task 2: Configure Active/Standby Failover
To configure Active/Standby failover, configure basic failover settings on both the primary and
secondary units. All other configuration occurs only on the primary unit and is then synced to
the secondary unit.
• Configure the Primary Unit for Active/Standby Failover
• Configure the Secondary Unit for Active/Standby Failover
Task 3: Configure routing between the inside and outside interfaces of the ASA
• Enable ICMP inspection
• Configure NAT from inside to outside

SOLUTION:
Task 1: Basic configuration on nodes
CONFIGURATION

USER1 (router):
interface Ethernet0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

USER2 (router):
interface Ethernet0/0
 no shutdown
 ip address 192.168.10.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

SERVER:
interface Ethernet0/0
 no shutdown
 ip address 192.168.10.30 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

INTERNET (router):
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 no shutdown
 ip address 10.168.20.100 255.255.255.0


Task 2: Configure Active/Standby Failover


1. Choose the firewall interface to use as the failover (LAN) link
Active-ASA(config)# failover lan interface folink Ethernet0

2. Configure the active and standby IP addresses of the failover link
Active-ASA(config)# failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2

3. Create the inside and outside interfaces on the ASA. Each data interface gets an active
address and a standby address: the standby address is the one the secondary unit uses, and
the active unit monitors the interface through it. The verification output below lists
10.168.20.160 as the secondary unit's outside address, so the outside interface needs that
standby address as well.
interface Ethernet4
 no shutdown
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Ethernet2
 no shutdown
 nameif outside
 security-level 0
 ip address 10.168.20.150 255.255.255.0 standby 10.168.20.160

4. Designate this ASA as the primary unit
Active-ASA(config)# failover lan unit primary

5. Choose the firewall interface to use as the state link
Active-ASA(config)# failover link StateLink Ethernet1

6. Configure the active and standby IP addresses of the state link
Active-ASA(config)# failover interface ip StateLink 10.10.10.5 255.255.255.252 standby 10.10.10.6

7. Enable failover
Active-ASA(config)# failover


8. Configure the same failover link settings on the standby ASA (only the failover link
bootstrap is entered here; the rest of the configuration is synced from the primary unit)
Standby-ASA(config)# interface Ethernet0
Standby-ASA(config-if)# no shutdown
Standby-ASA(config-if)# exit
Standby-ASA(config)# failover lan unit secondary
Standby-ASA(config)# failover lan interface folink Ethernet0
Standby-ASA(config)# failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
Standby-ASA(config)# failover
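
An added example (not part of the lab or of PNETLab's or Cisco's material) that checks an Active/Standby bootstrap for the consistency conditions steps 1 to 8 rely on, and derives the secondary unit's commands from the primary's. The configuration text is a constructed copy of the Task 2 commands; parse_config(), check_failover() and secondary_bootstrap() are hypothetical helpers, not ASA features. It flags the one thing most often missed in this procedure: a data interface without a standby address.

```python
"""Consistency checks for an ASA Active/Standby failover bootstrap.

Added example for this lab (not PNETLab's or Cisco's code).  PRIMARY_CONFIG is
a constructed copy of the Task 2 commands; parse_config(), check_failover() and
secondary_bootstrap() are hypothetical helpers, not ASA commands."""
import ipaddress
import re

# Constructed primary-unit configuration mirroring Task 2 steps 1-7
# (the outside interface deliberately lacks a standby address).
PRIMARY_CONFIG = """\
failover lan unit primary
failover lan interface folink Ethernet0
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover link StateLink Ethernet1
failover interface ip StateLink 10.10.10.5 255.255.255.252 standby 10.10.10.6
interface Ethernet4
 no shutdown
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Ethernet2
 no shutdown
 nameif outside
 security-level 0
 ip address 10.168.20.150 255.255.255.0
!
failover
"""

FO_LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
FO_LINK_RE = re.compile(r"^failover link (\S+) (\S+)$")
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")


def parse_config(text):
    """Pull the failover settings and the per-interface nameif/address data."""
    cfg = {"unit": None, "lan": None, "state": None, "fo_ip": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("failover lan unit "):
            cfg["unit"] = line.split()[-1]
        elif m := FO_LAN_RE.match(line):
            cfg["lan"] = (m.group(1), m.group(2))  # (link name, physical interface)
        elif m := FO_LINK_RE.match(line):
            cfg["state"] = (m.group(1), m.group(2))
        elif m := FO_IP_RE.match(line):
            cfg["fo_ip"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif line.startswith("interface "):
            current = line.split()[1]
            cfg["interfaces"][current] = {}
        elif current and line.startswith("nameif "):
            cfg["interfaces"][current]["nameif"] = line.split()[1]
        elif current and (m := IP_RE.match(line)):
            cfg["interfaces"][current]["ip"] = (m.group(1), m.group(2), m.group(3))
        elif line == "!":
            current = None
    return cfg


def _same_subnet(addr, mask, other):
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_address(other) in net


def check_failover(cfg):
    """Return the problems found; an empty list means the bootstrap is consistent."""
    problems = []
    if cfg["unit"] != "primary":
        problems.append("unit role is not 'primary'")
    if cfg["lan"] is None:
        problems.append("no failover LAN link configured")
    if cfg["lan"] and cfg["state"] and cfg["lan"][1] == cfg["state"][1]:
        problems.append("failover link and state link share one physical interface")
    for name, (addr, mask, standby) in cfg["fo_ip"].items():
        if not _same_subnet(addr, mask, standby):
            problems.append(f"{name}: standby {standby} is outside the link subnet")
    for phys, data in cfg["interfaces"].items():
        if "nameif" not in data or "ip" not in data:
            continue
        addr, mask, standby = data["ip"]
        if standby is None:
            # Without a standby address the mate has nothing to take over on this
            # interface and the active unit can only watch its link state.
            problems.append(f"{data['nameif']} ({phys}): no standby address")
        elif not _same_subnet(addr, mask, standby):
            problems.append(f"{data['nameif']} ({phys}): standby {standby} is outside the subnet")
    return problems


def secondary_bootstrap(cfg):
    """Derive the minimal commands the secondary unit needs (Task 2 step 8)."""
    name, phys = cfg["lan"]
    addr, mask, standby = cfg["fo_ip"][name]
    return [
        f"interface {phys}",
        " no shutdown",
        "failover lan unit secondary",
        f"failover lan interface {name} {phys}",
        f"failover interface ip {name} {addr} {mask} standby {standby}",
        "failover",
    ]


if __name__ == "__main__":
    cfg = parse_config(PRIMARY_CONFIG)
    for p in check_failover(cfg):
        print("PROBLEM:", p)
    print("\n".join(secondary_bootstrap(cfg)))
```

Run against the constructed config it reports the missing standby address on the outside interface and prints the six commands the standby unit needs; paste a real `show running-config` into PRIMARY_CONFIG to check your own bootstrap before typing `failover` on the second unit.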

Task 3: Configure routing between the inside and outside interfaces of the ASA
1. Enable ICMP inspection, so that echo replies are matched to the outbound echo requests by
stateful inspection instead of needing an access list on the outside interface
Active-ASA(config)# policy-map global_policy
Active-ASA(config-pmap)# class inspection_default
Active-ASA(config-pmap-c)# inspect icmp

2. Configure the default route to the Internet and dynamic NAT (PAT on the outside interface
address) from inside to outside
route outside 0.0.0.0 0.0.0.0 10.168.20.100 1
!
object network USER
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source dynamic USER interface

Verification:

Active-ASA# show failover


Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 03:36:51 UTC Sep 27 2020
This host: Primary - Active


Active time: 765 (sec)
Interface outside (10.168.20.150): Normal (Monitored)
Interface inside (192.168.10.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (10.168.20.160): Normal (Monitored)
Interface inside (192.168.10.2): Normal (Monitored)

Stateful Failover Logical Update Statistics


Link : StateLink Ethernet1 (up)
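
An added example (not part of the lab or of PNETLab's or Cisco's material) that reads `show failover` output like the one above and reports the conditions a defender would alert on: failover disabled, no Active or no Standby Ready unit, a software version mismatch between the mates, a monitored interface in a state other than Normal, or a failover or state link that is not up. HEALTHY is a constructed copy of the lab's output; DEGRADED is a constructed variant with a failed mate, a failed interface and a mismatched version. parse_show_failover() and assess() are hypothetical helpers, not ASA commands.

```python
"""Parse 'show failover' output and flag the conditions a defender would alert on.

Added example for this lab (not PNETLab's or Cisco's code).  HEALTHY is a
constructed copy of the lab's verification output; DEGRADED is a constructed
variant.  parse_show_failover() and assess() are hypothetical helpers."""
import re

HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 03:36:51 UTC Sep 27 2020
        This host: Primary - Active
                Active time: 765 (sec)
                Interface outside (10.168.20.150): Normal (Monitored)
                Interface inside (192.168.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (10.168.20.160): Normal (Monitored)
                Interface inside (192.168.10.2): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : StateLink Ethernet1 (up)
"""

# Constructed degraded variant: mate Failed, its outside interface down, version mismatch.
DEGRADED = (HEALTHY
            .replace("Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")
            .replace("(10.168.20.160): Normal (Monitored)", "(10.168.20.160): Failed (Waiting)")
            .replace("Mate 9.1(5)16", "Mate 9.1(7)"))

HOST_RE = re.compile(r"^\s*(This|Other) host: (\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (.+?)\s*$")
VERSION_RE = re.compile(r"^\s*Version: Ours (\S+), Mate (\S+)\s*$")
LAN_RE = re.compile(r"^\s*Failover LAN Interface: (\S+) (\S+) \((\w+)\)\s*$")
LINK_RE = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)\s*$")


def parse_show_failover(text):
    """Return unit roles, per-unit interface states, versions and link states."""
    state = {"failover_on": False, "hosts": {}, "ifaces": {"This": [], "Other": []},
             "versions": None, "lan_link": None, "state_link": None}
    side = None  # which unit the following Interface lines belong to
    for line in text.splitlines():
        if line.strip() == "Failover On":
            state["failover_on"] = True
        elif m := HOST_RE.match(line):
            side = m.group(1)
            state["hosts"][side] = (m.group(2), m.group(3))  # (Primary/Secondary, role)
        elif (m := IFACE_RE.match(line)) and side:
            state["ifaces"][side].append((m.group(1), m.group(2), m.group(3)))
        elif m := VERSION_RE.match(line):
            state["versions"] = (m.group(1), m.group(2))
        elif m := LAN_RE.match(line):
            state["lan_link"] = (m.group(1), m.group(3))
        elif m := LINK_RE.match(line):
            state["state_link"] = (m.group(1), m.group(3))
    return state


def assess(state):
    """Return the alert-worthy conditions; an empty list means the pair is healthy."""
    issues = []
    if not state["failover_on"]:
        issues.append("failover is not enabled")
    this, other = state["hosts"].get("This"), state["hosts"].get("Other")
    if not (this and other):
        issues.append("output does not describe both units")
        return issues
    roles = {this[1], other[1]}
    if "Active" not in roles:
        issues.append("no unit is Active")
    if "Standby Ready" not in roles:
        issues.append(f"no unit is Standby Ready (other host: {other[1]})")
    if state["versions"] and state["versions"][0] != state["versions"][1]:
        issues.append("software version mismatch: ours %s, mate %s" % state["versions"])
    for side in ("This", "Other"):
        for name, addr, status in state["ifaces"][side]:
            if not status.startswith("Normal"):
                issues.append(f"{side.lower()} host interface {name} ({addr}): {status}")
    for label, link in (("failover LAN link", state["lan_link"]),
                        ("state link", state["state_link"])):
        if link is None:
            issues.append(f"no {label} reported")
        elif link[1] != "up":
            issues.append(f"{label} {link[0]} is {link[1]}")
    return issues


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, assess(parse_show_failover(sample)) or "OK")
```

The healthy sample yields no issues; the degraded one yields three. Fed with the output of a scheduled `show failover` (for example over SSH from a monitoring host), the same assess() result is what a detection rule or ticket would be raised on, since a pair that is silently running without a Standby Ready mate has lost the redundancy this lab sets up.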

The USER zone can reach the outside Internet through the ASA firewall:

USER1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/15/58 ms

USER2#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/76/259 ms
!
SERVER#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/10/25 ms
