Bạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nhaBạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nhaBạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nhaBạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nhaBạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nhaBạn đi làm IT và phải cấu hình Cisco ASA ...Hãy tải file về, sẽ không có trên mạng public đâu nha
Trang 1Cisco ASA Firewall Active /
Standby Failover
The Cisco ASA firewall is often an important device in the network We use it for (remote access) VPNs, NAT/PAT, filtering and more Since it’s such an important device it’s a good idea to have a second ASA in case the first one fails
The ASA supports active/standby failover which means one ASA becomes
the active device, it handles everything while the backup ASA is the standby device It doesn’t do anything unless the active ASA fails
The failover mechanism is stateful which means that the active ASA sends all stateful connection information state to the standby ASA This includes TCP/UDP states, NAT translation tables, ARP table, VPN information and more
When the active ASA fails, the standby ASA will take over and since it has all connection information, your users won’t notice anything…
There are a number of requirements if you want to use failover:
• Platform has to be the same: for example 2x ASA 5510 or 2x ASA 5520
• Hardware must be the same: same number and type of interfaces Flash memory and RAM has to be the same
• Same operating mode: routed or transparent mode and single or multiple context mode
• License has to be the same number of VPN peers, encryption supported, etc
• Correct license Some of the “lower” models require the Security Plus license for failover (the ASA 5510 is an example)
In this lesson we’ll take a look how to configure active/standby failover Here’s the topology I will use:
Trang 2We have two ASA firewalls…ASA1 and ASA2 ASA1 will be the active firewall and ASA2 will be in standby mode Their Ethernet 0/0 interfaces are connected to the “INSIDE” security zone while the Ethernet 0/1 interfaces are connected to the “OUTSIDE” security zone The Ethernet 0/3 interface in the middle will be used to synchronize connection information for failover R1 and R2 are only used so we can generate some traffic
Configuration
We will start with the failover interface on ASA1 Make sure it’s not shut:
ASA1(config)# interface Ethernet 0/3
ASA1(config-if)# no shutdown
And then we configure this ASA to be the active (primary) device:
Trang 3ASA1(config)# failover lan unit primary
Now we will configure Ethernet 0/3 to be the failover interface:
ASA1(config)# failover lan interface FAILOVER Ethernet 0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
And we'll tell the ASA to use this interface for stateful failover:
ASA1(config)# failover link FAILOVER Ethernet 0/3
We can now configure the IP addresses on the failover interface We need to use a dedicated subnet for this:
ASA1(config)# failover interface ip FAILOVER 192.168.12.1
255.255.255.0 standby 192.168.12.2
ASA1 (active) will use IP address 192.168.12.1 and ASA2 (standby) will use
192.168.12.2 Now we can enable failover:
ASA1(config)# failover
Failover is now configured on ASA1 Let's configure some security zones and IP
addresses on the "normal" Interfaces:
ASA1(config)# interface Ethernet 0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
The ASA requires something that triggers the failover mechanism An interface that fails
is a good trigger When the inside or outside interface fails, we should failover By default all physical interfaces are monitored but let me show you the command anyway:
Trang 4ASA1(config)# monitor-interface INSIDE
ASA1(config)# monitor-interface OUTSIDE
This is all we have to configure We can now configure ASA2:
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER Ethernet 0/3
ASA2(config)# failover link FAILOVER Ethernet 0/3
ASA2(config)# failover interface ip FAILOVER 192.168.12.1
255.255.255.0 standby 192.168.12.2
ASA2(config)# failover
We configure ASA2 to be the standby device, its Ethernet 0/3 interface will be used for failover and we configure the active and standby IP addresses Let's enable this
interface so that the ASA's can talk with each other:
ASA2(config)# interface Ethernet 0/3
ASA2(config-if)# no shutdown
This is what you will see on ASA1 and ASA2:
ASA1#
Beginning configuration replication: Sending to mate
End Configuration Replication to mate
ASA2#
Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate
State check detected an Active mate
Beginning configuration replication from mate
End configuration replication from mate
Switching to Standby
Failover is up and running, the configuration has been replicated from ASA1 to ASA2 Whenever you make changes to the configuration, you only have to save on the active ASA and it will be replicated to the standby ASA:
ASA1# write memory
Building configuration
Trang 5Cryptochecksum: 690a4de8 e1179377 f8eabae6 8cf5242e
3372 bytes copied in 3.240 secs (1124 bytes/sec)
After saving the configuration you will see this on the standby ASA:
ASA1# Cryptochecksum: 5739e8f7 32355bc0 a97e7dfa dd54ad71
3373 bytes copied in 3.240 secs (1124 bytes/sec)
Let's see if failover is really working shall we?
Verification
A simple method to verify if its working is to check the show failover command:
ASA1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.1(5), Mate 9.1(5)
Last Failover at: 12:23:34 UTC Dec 19 2014
This host: Primary - Active
Active time: 1664 (sec) slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys) Interface INSIDE (192.168.1.254): Normal (Monitored) Interface OUTSIDE (192.168.2.254): Normal
(Monitored)
slot 1: empty Other host: Secondary - Standby Ready
Active time: 31 (sec) slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys) Interface INSIDE (192.168.1.253): Normal (Monitored) Interface OUTSIDE (192.168.2.253): Normal
(Monitored)
slot 1: empty Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
Trang 6sys cmd 89 0 89 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
This gives us a nice overview, you can see which device is active/standby but also what kind of stateful information is being exchanged Let's create some telnet traffic between R1 and R2 so that you can see that the firewalls are exchanging TCP connection
information:
R1#telnet 192.168.2.2
Trying 192.168.2.2 Open
User Access Verification
Password:
R2>enable
Password:
R2#
When we check the show failover command again you will see this:
Trang 7ASA1# show failover | include TCP
The connection information for my TCP session has been exchanged between the two ASAs To really test our failover, we have to simulate a link failure I'll shut the interface
on my switch that connects to the Ethernet 0/0 interface of ASA1:
SW1(config)#interface FastEthernet 0/14
SW1(config-if)#shutdown
Now you will see this on the active ASA:
Switching to Standby
And the standby ASA will tell us:
Switching to Active
Of course we can also check the show failover command again:
ASA1# show failover | include This host
This host: Primary - Failed
ASA1# show failover | include This host
This host: Secondary - Active
This proves that failover is working as it should, the standby ASA has become active after the link failure
Active/standby failover does not use preemption Once you enable the interface again, the currently active ASA will remain active
That's all there is for now! I hope you enjoyed this lesson, if you have any
questions feel free to leave a comment!