Configuring ASA in Multi Mode, Active/Active

Posted: October 6, 2013 in Cisco Security - Firewalls

!-- Change ASA mode from single to multiple on both units
ASA1(config)# mode multi
ASA2(config)# mode multi

!-- Check out the warning messages:
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple

!-- In the system context on the primary firewall, enable the physical interfaces, create subinterfaces, create the contexts, assign interfaces to the contexts, and set CTX1 as the admin context.

ASA1(config)# int et0/0
ASA1(config-if)# no shut
ASA1(config)# int eth0/1
ASA1(config-if)# no shut
ASA1(config)# int et0/3
ASA1(config-if)# no shut

ASA1(config)# int eth0/1.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# no shut

ASA1(config)# int eth0/1.13
ASA1(config-subif)# vlan 13
ASA1(config-subif)# no shut

ASA1(config)# context CTX1
Creating context 'CTX1'... Done. (3)
ASA1(config-ctx)# description == CTX1 ==
ASA1(config-ctx)# allocate-interface eth0/1.11
ASA1(config-ctx)# allocate-interface et0/0
ASA1(config-ctx)# config-url disk0:/CTX1-ActiveActive.cfg

!-- dedicate CTX1 as the admin context
ASA1(config)# admin-context CTX1

ASA1(config)# context CTX2
Creating context 'CTX2'... Done. (3)
ASA1(config-ctx)# description == CTX2 ==
ASA1(config-ctx)# allocate-interface eth0/0
ASA1(config-ctx)# allocate-interface eth0/1.13
ASA1(config-ctx)# config-url disk0:/CTX2-ActiveActive.cfg

!-- Switch to CTX1 and configure it: apply interface IP addresses and security levels, create dynamic PAT for basic inside-to-outside communication, create a basic ACL to permit ping replies, and set up interface monitoring as requested:

ASA1(config)# changeto context CTX1

ASA1/CTX1(config)# int eth0/1.11
ASA1/CTX1(config-if)# nameif inside
ASA1/CTX1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1/CTX1(config-if)# no shut

ASA1/CTX1(config-if)# int eth0/0
ASA1/CTX1(config-if)# nameif outside
ASA1/CTX1(config-if)# ip address 150.50.0.13 255.255.255.0 standby 150.50.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config)# object network inside
ASA1/CTX1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1/CTX1(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX1(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX1(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# no monitor-interface outside

!-- Switch to CTX2 and configure it the same way: apply interface IP addresses and security levels, create dynamic PAT for basic inside-to-outside communication, create a basic ACL to permit ping replies, and set up interface monitoring as requested:

ASA1/CTX1# changeto context CTX2

ASA1/CTX2(config)# int eth 0/0
ASA1/CTX2(config-if)# nameif outside
ASA1/CTX2(config-if)# ip address 150.50.0.31 255.255.255.0 standby 150.50.0.41
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config-if)# int eth0/1.13
ASA1/CTX2(config-if)# nameif inside
ASA1/CTX2(config-if)# ip address 10.0.1.13 255.255.255.0 standby 10.0.1.14
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config)# object network inside
ASA1/CTX2(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1/CTX2(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX2(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX2(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# no monitor-interface outside

!-- In the system context on the primary firewall, set up the failover commands (this unit is primary), create the failover groups, assign each context to a failover group, and activate failover:

ASA1/CTX2# changeto system

ASA1(config)# int eth0/3
ASA1(config-if)# no shut
ASA1(config-if)# failover lan unit primary
ASA1(config)# failover lan interface FAIL eth0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA1(config)# failover link FAIL eth0/3
ASA1(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 hold 5

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2

ASA1(config)# failover

!-- On the secondary firewall, bring up the failover interface and set up the failover commands (this unit is secondary).
!-- Note that only a few commands are needed here; all other configuration is replicated via failover.

ASA2(config)# int eth0/3
ASA2(config-if)# no shut

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAIL eth0/3
ASA2(config)# failover link FAIL eth0/3
ASA2(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

!-- Activate failover
ASA2(config)# failover

How to verify:

!-- show failover in the system context

ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Group 1 last failover at: 14:47:42 UTC Sep 11 2013
Group 2 last failover at: 14:47:55 UTC Sep 11 2013

This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 113 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Unknown (Waiting)
slot 1: empty

Other host: Primary
Group 1 State: Active
Active time: 388 (sec)
Group 2 State: Standby Ready
Active time: 274 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAIL Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         16         0          18         0
sys cmd         16         0          16         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          0          0
UDP conn        0          0          0          0
ARP tbl         0          0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   0          0          2          0

Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       18
Xmit Q:         0       1       16
ASA1(config)#
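Reading the output above by hand is fine for one pair, but the same checks are easy to script. As an added example (not from the original post), this Python parser reads a constructed, abridged copy of that `show failover` output and reports what an operator should clear before relying on the pair: the software version mismatch between the units (8.4(3) vs 8.4(5)), any failover group that does not have exactly one Active unit, and interfaces still in a non-Normal state such as Unknown (Waiting).

```python
import re

# Constructed sample, abridged from the 'show failover' output above (Active/Active, two groups).
SAMPLE = """\
Failover On
Version: Ours 8.4(3), Mate 8.4(5)
This host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
Other host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
"""

def parse_failover(text):
    """Pull failover state, software versions, per-unit group states and interface states out of 'show failover'."""
    st = {"on": False, "versions": None, "groups": {}, "ifaces": {}}
    host = None
    for line in map(str.strip, text.splitlines()):
        if line == "Failover On":
            st["on"] = True
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            st["versions"] = (m.group(1), m.group(2))
        elif m := re.match(r"(?:This|Other) host: (\w+)", line):
            host = m.group(1)                       # lines that follow belong to this unit
            st["groups"][host], st["ifaces"][host] = {}, []
        elif m := re.match(r"Group (\d+) State: (.+)", line):
            st["groups"][host][int(m.group(1))] = m.group(2)
        elif m := re.match(r"(\S+) Interface (\S+) \([\d.]+\): (\S+) \((.+)\)", line):
            st["ifaces"][host].append(m.groups())   # (context, nameif, status, detail)
    return st

def health_findings(st):
    """Return the problems an operator should clear before trusting the pair."""
    out = []
    if not st["on"]:
        out.append("failover is off")
    if st["versions"] and st["versions"][0] != st["versions"][1]:
        out.append("software version mismatch: ours %s, mate %s" % st["versions"])
    active = {}                                     # group -> number of units reporting Active
    for states in st["groups"].values():
        for g, s in states.items():
            active[g] = active.get(g, 0) + (s == "Active")
    out += ["group %d has %d active units" % (g, n) for g, n in sorted(active.items()) if n != 1]
    for host, ifs in st["ifaces"].items():          # e.g. 'Unknown (Waiting)' until hellos are seen
        out += ["%s %s/%s: %s (%s)" % ((host,) + i) for i in ifs if i[2] != "Normal"]
    return out
```

Feed it the full output of `show failover` from the system context; on the sample above it reports the version mismatch and the Waiting interface.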

!-- Once the failed interface recovers, the original primary unit takes the primary role back and the message below pops up on the console.

!-- Test by telnetting or pinging through the firewall.
!-- Run "show monitor-interface" inside each context.

!-- To force a switchover, filter the VLAN on the switch trunk interface ("switchport trunk allowed vlan remove 11").

!-- Note that once you allow VLAN 11 back, the primary unit will preempt.

ASA1#
Group 1 preempt mate

##### Theory #####

In the system context on the primary unit:
– set up the physical interfaces (no shut),
– create subinterfaces,
– assign each subinterface to its VLAN, and
– no shut the subinterfaces,
– create the contexts and assign interfaces to each context,
– set up the failover commands,
– create the failover groups,
– set primary/secondary, preempt, interface policy and polltime for each group,
– next, go into each context's configuration and join it to the correct failover group,
– activate failover from config mode.

On the switch, set up trunk interfaces for the outside and inside interfaces, allowing the correct VLANs.

Then switch to CTX1 and set up interface names, IP addresses, objects, NAT, access lists and interface monitoring.
Then switch to CTX2 and set up interface names, IP addresses, objects, NAT, access lists and interface monitoring.

On the secondary unit enter only the failover commands (the same as on the primary unit), bring up the failover interface and activate failover.

###########################################################################
