EXCLUSIVE: Configuring ASA firewall active failover


Document information

You work in IT and have to configure a Cisco ASA... Download the file, it will not be available on the public internet.

Cisco ASA Firewall Active / Standby Failover

The Cisco ASA firewall is often an important device in the network. We use it for (remote access) VPNs, NAT/PAT, filtering and more. Since it's such an important device, it's a good idea to have a second ASA in case the first one fails. The ASA supports active/standby failover, which means one ASA becomes the active device and handles everything, while the backup ASA is the standby device. It doesn't do anything unless the active ASA fails.

The failover mechanism is stateful, which means that the active ASA sends all connection state information to the standby ASA. This includes TCP/UDP states, NAT translation tables, the ARP table, VPN information and more. When the active ASA fails, the standby ASA will take over and, since it has all connection information, your users won't notice anything.

There are a number of requirements if you want to use failover:

  • Platform has to be the same: for example 2x ASA 5510 or 2x ASA 5520.
  • Hardware must be the same: same number and type of interfaces.
  • Flash memory and RAM have to be the same.
  • Same operating mode: routed or transparent mode, and single or multiple context mode.
  • License has to be the same: number of VPN peers, encryption supported, etc.
  • Correct license: some of the "lower" models require the Security Plus license for failover (the ASA 5510 is an example).

In this lesson we'll take a look at how to configure active/standby failover. Here's the topology I will use:

We have two ASA firewalls, ASA1 and ASA2. ASA1 will be the active firewall and ASA2 will be in standby mode. Their Ethernet 0/0 interfaces are connected to the "INSIDE" security zone while the Ethernet 0/1 interfaces are connected to the "OUTSIDE" security zone. The Ethernet 0/3 interface in the middle will be used to synchronize connection information for failover. R1 and R2 are only used so we can generate some traffic.

Configuration

We will start with the failover interface on ASA1. Make sure it's not shut:

    ASA1(config)# interface Ethernet 0/3
    ASA1(config-if)# no shutdown

And then we configure this ASA to be the active (primary) device:

    ASA1(config)# failover lan unit primary

Now we will configure Ethernet 0/3 to be the failover interface:

    ASA1(config)# failover lan interface FAILOVER Ethernet 0/3
    INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces

And we'll tell the ASA to use this interface for stateful failover:

    ASA1(config)# failover link FAILOVER Ethernet 0/3

We can now configure the IP addresses on the failover interface. We need to use a dedicated subnet for this:

    ASA1(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2

ASA1 (active) will use IP address 192.168.12.1 and ASA2 (standby) will use 192.168.12.2. Now we can enable failover:

    ASA1(config)# failover

Failover is now configured on ASA1. Let's configure some security zones and IP addresses on the "normal" interfaces (the OUTSIDE interface also needs a no shutdown, which the original transcript omitted):

    ASA1(config)# interface Ethernet 0/0
    ASA1(config-if)# no shutdown
    ASA1(config-if)# nameif INSIDE
    ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
    ASA1(config)# interface Ethernet 0/1
    ASA1(config-if)# no shutdown
    ASA1(config-if)# nameif OUTSIDE
    ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

The ASA requires something that triggers the failover mechanism. An interface that fails is a good trigger: when the inside or outside interface fails, we should fail over. By default all physical interfaces are monitored, but let me show you the command anyway:

    ASA1(config)# monitor-interface INSIDE
    ASA1(config)# monitor-interface OUTSIDE

This is all we have to configure. We can now configure ASA2:

    ASA2(config)# failover lan unit secondary
    ASA2(config)# failover lan interface FAILOVER Ethernet 0/3
    ASA2(config)# failover link FAILOVER Ethernet 0/3
    ASA2(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2
    ASA2(config)# failover

We configure ASA2 to be the standby device, its Ethernet 0/3 interface will be used for failover and we configure the active and standby IP addresses. Let's enable this interface so that the ASAs can talk with each other:

    ASA2(config)# interface Ethernet 0/3
    ASA2(config-if)# no shutdown

This is what you will see on ASA1 and ASA2:

    ASA1#
    Beginning configuration replication: Sending to mate
    End Configuration Replication to mate

    ASA2#
    Failover LAN became OK
    Switchover enabled
    Configuration has changed, replicate to mate
    State check detected an Active mate
    Beginning configuration replication from mate
    End configuration replication from mate
    Switching to Standby

Failover is up and running, and the configuration has been replicated from ASA1 to ASA2. Whenever you make changes to the configuration, you only have to save on the active ASA and it will be replicated to the standby ASA:

    ASA1# write memory
    Building configuration
    Cryptochecksum: 690a4de8 e1179377 f8eabae6 8cf5242e
    3372 bytes copied in 3.240 secs (1124 bytes/sec)

After saving the configuration you will see this on the standby ASA:

    ASA2#
    Cryptochecksum: 5739e8f7 32355bc0 a97e7dfa dd54ad71
    3373 bytes copied in 3.240 secs (1124 bytes/sec)

Let's see if failover is really working, shall we?
Verification

A simple method to verify if it's working is to check the show failover command:

    ASA1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER Ethernet0/3 (up)
    Unit Poll frequency seconds, holdtime 15 seconds
    Interface Poll frequency seconds, holdtime 25 seconds
    Interface Policy
    Monitored Interfaces of 110 maximum
    Version: Ours 9.1(5), Mate 9.1(5)
    Last Failover at: 12:23:34 UTC Dec 19 2014
            This host: Primary - Active
                    Active time: 1664 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                      Interface INSIDE (192.168.1.254): Normal (Monitored)
                      Interface OUTSIDE (192.168.2.254): Normal (Monitored)
                    slot 1: empty
            Other host: Secondary - Standby Ready
                    Active time: 31 (sec)
                    slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
                      Interface INSIDE (192.168.1.253): Normal (Monitored)
                      Interface OUTSIDE (192.168.2.253): Normal (Monitored)
                    slot 1: empty

    Stateful Failover Logical Update Statistics
            Link : FAILOVER Ethernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         90         0          89         0
            sys cmd         89         0          89         0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         0          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   0          0          0          0
            User-Identity   0          0          0          0
            CTS SGTNAME     0          0          0          0
            CTS PAC         0          0          0          0
            TrustSec-SXP    0          0          0          0
            IPv6 Route      0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:                         91
            Xmit Q:                 25      482

This gives us a nice overview: you can see which device is active/standby, but also what kind of stateful information is being exchanged. Let's create some telnet traffic between R1 and R2 so that you can see that the firewalls are exchanging TCP connection information:

    R1#telnet 192.168.2.2
    Trying 192.168.2.2 ... Open

    User Access Verification

    Password:
    R2>enable
    Password:
    R2#

When we check the show failover command again you will see this:

    ASA1# show failover | include TCP
            TCP conn        0

The connection information for my TCP session has been exchanged between the two ASAs.
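A small health check over the show failover output above, as an added example that is not part of the lesson: it parses the host and interface lines and lists what an operator would want alerted on (failover off, no mate in "Standby Ready", a software version mismatch, or a monitored interface that is not Normal). The sample text is constructed from the output shown above.

```python
import re

# Constructed sample (added example, not from the lesson): the 'show failover' output above, trimmed.
SAMPLE = """\
Failover On
Version: Ours 9.1(5), Mate 9.1(5)
        This host: Primary - Active
                Interface INSIDE (192.168.1.254): Normal (Monitored)
                Interface OUTSIDE (192.168.2.254): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Interface INSIDE (192.168.1.253): Normal (Monitored)
                Interface OUTSIDE (192.168.2.253): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): ([\w ]+?) \((\w[\w-]*)\)")
VER_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")

def parse_show_failover(text):
    """Turn 'show failover' text into {failover_on, versions, hosts{this/other}}."""
    state = {"failover_on": False, "versions": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            state["failover_on"] = True
        if m := VER_RE.search(line):
            state["versions"] = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()  # "this" or "other"
            state["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            state["hosts"][current]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return state

def failover_problems(state):
    """List the conditions worth alerting on; an empty list means the pair is healthy."""
    problems = []
    if not state["failover_on"]:
        problems.append("failover is off")
    ours, mate = state["versions"] or (None, None)
    if ours != mate:
        problems.append("software version mismatch between units")
    other = state["hosts"].get("other")
    if other is None or other["state"] != "Standby Ready":
        problems.append("no standby unit in 'Standby Ready' state")
    for name, host in state["hosts"].items():
        for ifname, (status, mon) in host["interfaces"].items():
            if status != "Normal" or mon != "Monitored":
                problems.append(f"{name} host interface {ifname}: {status} ({mon})")
    return problems
```

Run it against the output of show failover collected by your monitoring system; the same parser also flags the "Primary - Failed" state shown later in the lesson, since the mate is then no longer "Standby Ready".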
To really test our failover, we have to simulate a link failure. I'll shut the interface on my switch that connects to the Ethernet 0/0 interface of ASA1:

    SW1(config)#interface FastEthernet 0/14
    SW1(config-if)#shutdown

Now you will see this on the active ASA:

    Switching to Standby

And the standby ASA will tell us:

    Switching to Active

Of course we can also check the show failover command again:

    ASA1# show failover | include This host
    This host: Primary - Failed

    ASA2# show failover | include This host
    This host: Secondary - Active

This proves that failover is working as it should: the standby ASA has become active after the link failure. Active/standby failover does not use preemption. Once you enable the interface again, the currently active ASA will remain active.

That's all there is for now! I hope you enjoyed this lesson, if you have any questions feel free to leave a comment!

Posted: 15/11/2017, 17:40


Table of contents

  • Cisco ASA Firewall Active / Standby Failover

    • Configuration

    • Verification
