Archive for the ‘Cisco Security – Firewalls’ Category

– Don't forget to enable the physical interfaces (e0/0, e0/1, e0/2) with "no shutdown"; a sub-interface stays down while its parent interface is shut.
– Create the sub-interface, assign the VLAN to it, and make sure the switch port is in trunking mode. The native (untagged) VLAN of the trunk maps to the physical interface and cannot be assigned to a sub-interface, so it is safest to leave the native VLAN unused on that trunk.

ASA03-5510(config)# interface Ethernet0/3
ASA03-5510(config-if)# nameif INSIDE
ASA03-5510(config-if)# security-level 0
ASA03-5510(config-if)# ip address 136.1.93.17 255.255.255.0

ASA03-5510(config)# interface Ethernet0/0.34
ASA03-5510(config-subif)# vlan 34
ASA03-5510(config-subif)# nameif outside
ASA03-5510(config-subif)# security-level 100
ASA03-5510(config-subif)# ip address 136.1.34.17 255.255.255.0

!-- Note: the security levels in this lab are inverted relative to the usual convention (outside 0, inside 100).
!-- With outside at 100 and INSIDE at 0 the ASA permits outside-to-INSIDE traffic by default and blocks the
!-- other direction until an ACL is applied, so do not copy these levels into a production configuration.

ASA03-5510# sh nameif
Interface                Name                     Security
Ethernet0/0.34           outside                  100
Ethernet0/3              INSIDE                     0

ASA03-5510# sh ip address
System IP Addresses:
Interface                Name                     IP address      Subnet mask     Method
Ethernet0/0.34           outside                  136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE                   136.1.93.17     255.255.255.0   manual
Current IP Addresses:
Interface                Name                     IP address      Subnet mask     Method
Ethernet0/0.34           outside                  136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE                   136.1.93.17     255.255.255.0   manual
ASA03-5510#

ASA3# show conn

Enable logging on the ASA (level 7 = debugging; logging at that level to the console is expensive on a busy box, so outside the lab prefer "logging buffered 7" and read it with "show logging"):
#logging on
#logging console 7

– Switch configurations (f0/13: access port for the INSIDE interface; f0/14: trunk carrying VLAN 34 for the sub-interface):

interface FastEthernet0/13
 description ASA03 0/3
 switchport access vlan 93
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/14
 description ASA04 0/3
 switchport trunk allowed vlan 34
 switchport mode trunk

ASA configuration commands (ICMP probe to 8.8.8.8 sourced from the outside interface; while the probe succeeds the tracked default route with AD 1 is installed, when it fails the floating static route with AD 20 takes over). The "interface outside" keyword pins the probe to the primary link, so it cannot succeed over the backup link after the primary route has been withdrawn; without it the track would come back Up and the default route would flap:

ASA03-5510(config)# sla monitor 20
ASA03-5510(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA03-5510(config-sla-monitor-echo)# frequency 3
ASA03-5510(config-sla-monitor-echo)# request-data-size 1392
ASA03-5510(config-sla-monitor-echo)# num-packets 3
ASA03-5510(config-sla-monitor-echo)# timeout 1000
ASA03-5510(config)# sla monitor schedule 20 life forever start-time now
ASA03-5510(config)# track 1 rtr 20 reachability
ASA03-5510(config)# route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
ASA03-5510(config)# route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

# sh sla monitor configuration   !-- captured from SLA entry 110; its parameters match entry 20 configured above
SA Agent, Infrastructure Engine-II
Entry number: 110
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1392
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# sh sla monitor operational-state
Entry number: 110
Modification time: 06:56:46.879 UTC Tue Aug 5 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 22
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 06:57:49.881 UTC Tue Aug 5 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 10      RTTMin: 10      RTTMax: 10
NumOfRTT: 3     RTTSum: 30      RTTSum2: 300

ASA2# debug icmp trace
ASA2# debug track
ASA2# undebug all        !-- "un all" is the abbreviation; turn debugs off when finished

ASA03-5510# sh ip address
System IP Addresses:
Interface                Name                     IP address      Subnet mask     Method
Ethernet0/0              outside                  10.99.99.1      255.255.255.0   manual
Ethernet0/1              outside-backup           10.88.99.1      255.255.255.0   manual
Ethernet0/2              inside                   1.1.1.10        255.255.255.0   manual

!-- Baseline before the test: the track is Up, so the tracked default route (AD 1, via outside) is installed.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

!-- Shut down the main ISP interface. Once the probe times out the track goes Down (the change counter
!-- moves from 11 to 12), the tracked route is withdrawn and the floating route (AD 20) is installed.
!-- Traceroute shows that traffic is now going via the backup link (outside-backup interface).

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup

ASA03-5510# traceroute 10.77.99.3

Type escape sequence to abort.
Tracing the route to 10.77.99.3

 1  10.88.99.2 0 msec 0 msec 0 msec   !-- via outside-backup
 2  10.77.99.3 0 msec *  0 msec

!-- The main ISP interface was brought up again. Immediately afterwards the track is still Down (12 changes);
!-- it only goes Up (13 changes) after the next probe succeeds, and then the AD 1 route is reinstalled.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:01:23
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

!-- Traceroute shows that traffic goes via the main ISP now. The route was reinstalled automatically.
ASA03-5510# traceroute 10.77.99.3
Type escape sequence to abort.
Tracing the route to 10.77.99.3

 1  10.99.99.2 0 msec 0 msec 0 msec   !-- via outside interface
 2  10.77.99.3 0 msec *  0 msec

ASA03-5510# sh run route   !-- only the two static routes are in the configuration; the tracker switches between them, nothing edits the config

route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside

!-- SLA-related configuration (the full set of commands used above; note the probe frequency here is 5 s, whereas 3 s was used in the interactive session):

ASA Version 8.4(3)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet0/1
nameif outside-backup
security-level 0
ip address 10.88.99.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!

object network inside-host
subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside-host interface
nat (inside,outside-backup) source dynamic inside-host interface
route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 20 life forever start-time now
!
track 1 rtr 20 reachability
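
Added example, not part of the original notes: a small Python checker that reads the "show track" and "show route" text shown above and verifies that the installed default route matches the tracker state, plus a flap detector based on the change counter. It assumes the route pair of this lab (10.99.99.2 via outside with AD 1, 10.88.99.2 via outside-backup with AD 20); the outputs it parses are copied from the notes above and embedded as constructed sample input. In practice you would feed it output collected from the device instead of the embedded strings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "show track" and "show route" text copied from the lab notes above.
SHOW_TRACK_DOWN = """Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
"""
SHOW_TRACK_UP = """Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
"""
SHOW_ROUTE_BACKUP = """C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup
"""
SHOW_ROUTE_PRIMARY = """C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside
"""

# The two candidate default routes as configured on the ASA: (gateway, interface, admin distance).
PRIMARY_ROUTE = ("10.99.99.2", "outside", 1)
BACKUP_ROUTE = ("10.88.99.2", "outside-backup", 20)


@dataclass
class TrackState:
    track_id: int
    rtr: int          # the "sla monitor" entry this track object watches
    reachable: bool
    changes: int      # state-change counter; compare two snapshots to detect flapping
    return_code: str  # OK / Timeout / ...


@dataclass
class DefaultRoute:
    admin_distance: int
    gateway: str
    interface: str


_TRACK_RE = re.compile(
    r"Track (?P<id>\d+)\s*\n"
    r"Response Time Reporter (?P<rtr>\d+) reachability\s*\n"
    r"Reachability is (?P<state>Up|Down)\s*\n"
    r"(?P<changes>\d+) changes, last change \S+\s*\n"
    r"Latest operation return code: (?P<rc>\w+)"
)
# "S*" marks the candidate default route the ASA actually installed in its routing table.
_DEFAULT_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(?P<ad>\d+)/\d+\] via (?P<gw>[\d.]+), (?P<ifc>\S+)", re.MULTILINE)


def parse_track(text: str) -> TrackState:
    m = _TRACK_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show track' output")
    return TrackState(int(m["id"]), int(m["rtr"]), m["state"] == "Up", int(m["changes"]), m["rc"])


def parse_default_route(text: str) -> Optional[DefaultRoute]:
    m = _DEFAULT_RE.search(text)
    return DefaultRoute(int(m["ad"]), m["gw"], m["ifc"]) if m else None


def check_default_route(track: TrackState, route: Optional[DefaultRoute]) -> List[str]:
    """Return findings; an empty list means the routing table agrees with the tracker."""
    findings = []
    if route is None:
        return ["no default route installed: both ISP links are down or the floating route is missing"]
    gw, ifc, ad = PRIMARY_ROUTE if track.reachable else BACKUP_ROUTE
    state = "Up" if track.reachable else "Down"
    if (route.gateway, route.interface) != (gw, ifc):
        findings.append(f"track {track.track_id} is {state} but the default route is via "
                        f"{route.gateway} on {route.interface} (expected {gw} on {ifc})")
    if route.admin_distance != ad:
        findings.append(f"default route has AD {route.admin_distance}, expected {ad}")
    if track.reachable and track.return_code != "OK":
        findings.append(f"track is Up but the last probe returned {track.return_code}")
    return findings


def is_flapping(older: TrackState, newer: TrackState, max_changes: int = 2) -> bool:
    """True when the tracker changed state more than max_changes times between two snapshots:
    the probe target (8.8.8.8 here) is unstable, and with it the default route."""
    return newer.changes - older.changes > max_changes


if __name__ == "__main__":
    for track_txt, route_txt in ((SHOW_TRACK_DOWN, SHOW_ROUTE_BACKUP), (SHOW_TRACK_UP, SHOW_ROUTE_PRIMARY)):
        t, r = parse_track(track_txt), parse_default_route(route_txt)
        print(f"track {t.track_id} {'Up' if t.reachable else 'Down'} -> {r.gateway}/{r.interface}:",
              check_default_route(t, r) or "consistent")
```

Run it periodically (or from a monitoring job that collects the two show commands over SSH) and alert on any non-empty finding list; a rising change counter between two polls is the signature of a probe target that answers only intermittently, which is the usual reason to pick a closer, more reliable target than a public resolver.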
During troubleshooting it is often necessary to see what traffic is being passed between two networks or two hosts. Let's use the built-in capture tool. Below are the steps you need to take.
In this example we are troubleshooting traffic between a host with the address 20.20.20.1 and a host with the address 10.10.10.1.

1.) Define the traffic that you would like to capture with an access list called LB (the ACL is only a match filter for the capture; it is not applied to any interface):

#access-list LB extended permit ip host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit ip host 10.10.10.1 host 20.20.20.1
#access-list LB extended permit icmp host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit icmp host 10.10.10.1 host 20.20.20.1

(The two "permit ip" entries already match ICMP; the "permit icmp" entries are redundant but harmless.)

2.) Create and start the packet capture called LB on the interface where the traffic enters the firewall (here assuming 10.10.10.1 sits behind the interface named inside). The interface keyword is required, otherwise nothing is captured; repeat the command with the other interface name to capture on both sides. A capture on the outside interface sees post-NAT addresses, so the ACL must use the translated address there:

#capture LB access-list LB interface inside

3.) Create some traffic between these hosts.
Our ACL matches all traffic between these two hosts, so let's just start pinging:

From the host 20.20.20.1 ping 10.10.10.1
From the host 10.10.10.1 ping 20.20.20.1

4.) Analyze the packet capture.

#show capture LB          !-- shows all captured traffic
#show capture LB detail   !-- adds MAC addresses, TTL and other header fields

5.) Turn off the packet capture and remove the ACL:

#no capture LB
#clear configure access-list LB

Other useful commands:

#clear capture LB                               !-- clear the capture buffer without removing the capture
#show capture LB | inc 20.20.20.1               !-- use the pipe functionality when viewing output
#copy /pcap capture:LB tftp://<server>/LB.pcap  !-- export the buffer as pcap for Wireshark

!-- Make sure the member interfaces are not shut down, then enter the redundant and port-channel commands.
!-- Member interfaces carry no nameif, security-level or IP address of their own; those belong to the logical interface.

ASA1(config)# int eth0/0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config-if)# int et0/2
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config)# int port-channel 1
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 160.60.0.12 255.255.255.0

ASA1(config)# int redundant 1
ASA1(config-if)# member-interface eth0/1
ASA1(config-if)# member-interface eth0/3
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 20.0.0.12 255.255.255.0
ASA1(config-if)# no shut

!-- No security-level was typed: "nameif inside" defaults to security-level 100 and any other name to 0,
!-- which is what the running configuration below shows. Set it explicitly rather than relying on the default.

!-- show run
interface Ethernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/1
no nameif
no security-level
no ip address

interface Ethernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/3
no nameif
no security-level
no ip address

interface Management0/0
shutdown
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/3
nameif inside
security-level 100
ip address 20.0.0.12 255.255.255.0

interface Port-channel1
nameif outside
security-level 0
ip address 160.60.0.12 255.255.255.0

!-- Configure routing
ASA1(config)# router ospf 1
ASA1(config-router)# network 20.0.0.0 255.255.255.0 area 1
ASA1(config-router)# network 160.60.0.0 255.255.255.0 area 0
ASA1(config-router)# log-adj-changes

!-- Create a network object for inside with dynamic PAT, and a (lab-only) ACL that permits all ICMP inbound on outside
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 20.0.0.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

ASA1(config)# access-list OUT-IN ext permit icmp any any
ASA1(config)# access-group OUT-IN in int outside

ASA1# sh int ip br 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down up
Port-channel1              160.60.0.12     YES manual down                  down
Redundant1                 20.0.0.12       YES manual up                    up

!-- Make sure the switch ports are also configured for the channel-group, otherwise Port-channel1 stays down (LACP needs both ends to negotiate):

SW2(config)#int f0/41
SW2(config-if)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW2(config)#int f0/12
SW2(config-if)#channel-group 1 mode active

ASA1# ping 160.60.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.60.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# sh interface redundant 1 detail
Interface Redundant1 “inside”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
334 packets input, 26940 bytes, 0 no buffer
Received 244 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
74 L2 decode drops
142 packets output, 11258 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for “inside”:
106 packets input, 6761 bytes
142 packets output, 8555 bytes
2 packets dropped
1 minute input rate 0 pkts/sec,  41 bytes/sec
1 minute output rate 0 pkts/sec,  45 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 9
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/3
Last switchover at 14:08:54 UTC Sep 18 2013

!-- If you shut down Eth0/1, the active member becomes Eth0/3 and we should lose one or two pings:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA1#  sh int red 1
Interface Redundant1 “inside”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
29393 packets input, 3455064 bytes, 0 no buffer
Received 260 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
82 L2 decode drops
29183 packets output, 3437408 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for “inside”:
29157 packets input, 2911127 bytes
29183 packets output, 2911931 bytes
6 packets dropped
1 minute input rate 140 pkts/sec,  14009 bytes/sec
1 minute output rate 140 pkts/sec,  14004 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/3(Active), Ethernet0/1
Last switchover at 14:08:54 UTC Sep 18 2013

!-- Check the port-channel status

ASA1# sh port-channel 1 detail
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
——————-
Port: Et0/0
————
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S – Device is sending Slow LACPDUs   F – Device is sending fast LACPDUs.
A – Device is in active mode.        P – Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
—————————————————————————–
Et0/0     SA      bndl       32768         0x1       0x1     0x1         0x3d

Partner’s information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
———————————————————————————–
Et0/0     SA      bndl       32768         0x0       0x1      0x10d       0x3d

Port: Et0/2
————
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S – Device is sending Slow LACPDUs   F – Device is sending fast LACPDUs.
A – Device is in active mode.        P – Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
—————————————————————————–
Et0/2     SA      bndl       32768         0x1       0x1     0x3         0x3d

Partner’s information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
———————————————————————————–
Et0/2     SA      bndl       32768         0x0       0x1      0x12a       0x3d

ASA1# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address

!-- Output counters after one member interface had been down for a while: all traffic went over the remaining member, so the per-port output counts are no longer balanced:

ASA1# sh int e0/0 | in packets output
63320 packets output, 7471910 bytes, 0 underruns

ASA1# sh int e0/2 | in packets output
16482 packets output, 1941871 bytes, 0 underruns

!-- Check the port-channel summary and notice that one of the member interfaces is down (flag D):

ASA1# sh port-channel summary
Flags:  D – down        P – bundled in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
U – in use      N – not in use, no aggregation/nameif
M – not in use, no aggregation due to minimum links not met
w – waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
——+————-+———–+———————————————–
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)

#########################################################################

!-- Change the ASA mode from single to multiple context on both units (this reboots the unit)
ASA1(config)# mode multi
ASA2(config)# mode multi

!-- Check out the warning messages:
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash
Converting the configuration – this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple

!-- In the system context on the primary firewall, enable the physical interfaces, create the sub-interfaces, create the contexts, assign interfaces to the contexts and make CTX1 the admin context.

ASA1(config)# int et0/0
ASA1(config-if)# no shut
ASA1(config)# int eth0/1
ASA1(config-if)# no shut
ASA1(config)# int et0/3
ASA1(config-if)# no shut

ASA1(config)# int eth0/1.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# no shut

ASA1(config)# int eth0/1.13
ASA1(config-subif)# vlan 13
ASA1(config-subif)# no shut

ASA1(config)# context CTX1
Creating context ‘CTX1’… Done. (3)
ASA1(config-ctx)# description == CTX1 ==
ASA1(config-ctx)# allocate-interface eth0/1.11
ASA1(config-ctx)# allocate-interface et0/0
ASA1(config-ctx)# config-url disk0:/CTX1-ActiveActive.cfg

!-- dedicate CTX1 as the admin context
ASA1(config)# admin-context CTX1

ASA1(config)# context CTX2
Creating context ‘CTX2’… Done. (3)
ASA1(config-ctx)# description == CTX2 ==
ASA1(config-ctx)# allocate-interface eth0/0
ASA1(config-ctx)# allocate-interface eth0/1.13
ASA1(config-ctx)# config-url disk0:/CTX2-ActiveActive.cfg

!-- Switch to CTX1 and configure it: interface names, IP addresses and security levels, dynamic PAT for basic inside-to-outside communication, a basic ACL that permits ping replies, and interface monitoring as requested:

ASA1(config)# changeto context CTX1

ASA1/CTX1(config)# int eth0/1.11
ASA1/CTX1(config-if)# nameif inside
ASA1/CTX1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1/CTX1(config-if)# no shut

ASA1/CTX1(config-if)# int eth0/0
ASA1/CTX1(config-if)# nameif outside
ASA1/CTX1(config-if)# ip address 150.50.0.13 255.255.255.0 standby 150.50.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config)# object network inside
ASA1/CTX1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1/CTX1(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX1(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX1(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# no monitor-interface outside

!-- Switch to CTX2 and configure it the same way: interface names, IP addresses and security levels, dynamic PAT, a basic ACL that permits ping replies, and interface monitoring as requested:

ASA1/CTX1# changeto context CTX2

ASA1/CTX2(config)# int eth 0/0
ASA1/CTX2(config-if)# nameif outside
ASA1/CTX2(config-if)# ip address 150.50.0.31 255.255.255.0 standby 150.50.0.41
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config-if)# int eth0/1.13
ASA1/CTX2(config-if)# nameif inside
ASA1/CTX2(config-if)# ip address 10.0.1.13 255.255.255.0 standby 10.0.1.14
ASA1/CTX2(config-if)# no shut

ASA1/CTX2(config)# object network inside
ASA1/CTX2(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1/CTX2(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX2(config)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX2(config)# access-group OUTSIDE-IN in int outside

ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# no monitor-interface outside

!-- In the system context on the primary firewall, set up the failover commands (this unit is primary), create the failover groups, assign the contexts to the failover groups and activate failover:

ASA1/CTX2# changeto system

ASA1(config)# int eth0/3
ASA1(config-if)# no shut
ASA1(config-if)# failover lan unit primary
ASA1(config)# failover lan interface FAIL eth0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA1(config)# failover link FAIL eth0/3
ASA1(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 hold 5

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2

ASA1(config)# failover

!-- On the secondary firewall, bring up the failover interface and enter the failover commands (unit secondary).
!-- Note that only a few commands are needed; all other configuration is replicated from the active unit over the failover link.

ASA2(config)# int eth0/3
ASA2(config-if)# no shut

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAIL eth0/3
ASA2(config)# failover link FAIL eth0/3
ASA2(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

!-- Activate failover
ASA2(config)# failover

How to verify:

!-- show failover in the system context. This output was captured on the secondary unit ("Failover unit Secondary").
!-- Two things to note: the units run different releases ("Ours 8.4(3), Mate 8.4(5)"), which is only acceptable
!-- transiently during a hitless upgrade, and the monitored inside interfaces are "Unknown (Waiting)", i.e. they have
!-- not yet heard a hello from the peer's interface. They should settle to Normal (Monitored) once hellos are exchanged;
!-- if they do not, the interface goes through Testing and can be declared Failed, which counts against the interface policy.

ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Group 1 last failover at: 14:47:42 UTC Sep 11 2013
Group 2 last failover at: 14:47:55 UTC Sep 11 2013

This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 113 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Unknown (Waiting)
slot 1: empty

Other host: Primary
Group 1 State: Active
Active time: 388 (sec)
Group 2 State: Standby Ready
Active time: 274 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAIL Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 16 0 18 0
sys cmd 16 0 16 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 2 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 18
Xmit Q: 0 1 16
ASA1(config)#

!-- Once the failed interface recovers, the failover group configured with "preempt" returns to its preferred
!-- unit (group 1 back to the primary) and a message pops up on the console.

To test:
#telnet or ping through the firewall
#show monitor-interface (inside the context)

To force a switchover, filter the VLAN of the monitored inside interface on the switch trunk ("switchport trunk allowed vlan remove 11"). Only interfaces under "monitor-interface" count against the interface policy, which is why "no monitor-interface outside" keeps the outside side from triggering it.

!-- Note that once you allow VLAN 11 back on the trunk, the primary unit will preempt:

ASA1#
Group 1 preempt mate
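
Added example, not from the original notes, that serves both the EtherChannel section and the Active/Active failover section above: a Python health check over the text of "show port-channel summary" and "show failover". It flags members that are not bundled, a software version mismatch between the two units, a failover group that is Active on both units or on neither, and monitored interfaces that have not reached Normal. The sample outputs are the ones shown above (abridged to the lines the check reads); treating a version mismatch and a Waiting interface as findings is my choice, not something the notes state.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: "show failover" and "show port-channel summary", copied (abridged) from the lab above.
SHOW_FAILOVER = """Failover On
Failover unit Secondary
Version: Ours 8.4(3), Mate 8.4(5)

This host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Unknown (Waiting)

Other host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
"""
SHOW_PORT_CHANNEL = """Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)
"""

_HOST_RE = re.compile(r"(This|Other) host: (Primary|Secondary)")
_GROUP_RE = re.compile(r"Group (\d+) State: (.+)")
_IFACE_RE = re.compile(r"(\S+) Interface (\S+) \(([\d.]+)\): (.+?) \(([^)]+)\)$")


def parse_show_failover(text: str) -> dict:
    """Failover on/off, the two software versions and, per unit, group states and interface health."""
    info = {"failover_on": re.search(r"^Failover On", text, re.M) is not None, "versions": None, "hosts": {}}
    if (vm := re.search(r"Version: Ours (\S+), Mate (\S+)", text)):
        info["versions"] = (vm.group(1), vm.group(2))
    host = None
    for line in (l.strip() for l in text.splitlines()):
        if (hm := _HOST_RE.match(line)):
            host = hm.group(2)
            info["hosts"][host] = {"groups": {}, "interfaces": []}
        elif host and (gm := _GROUP_RE.match(line)):
            info["hosts"][host]["groups"][int(gm.group(1))] = gm.group(2).strip()
        elif host and (im := _IFACE_RE.match(line)):
            ctx, name, ip, state, monitor = im.groups()
            info["hosts"][host]["interfaces"].append(
                {"context": ctx, "name": name, "ip": ip, "state": state, "monitor": monitor})
    return info


def failover_findings(info: dict) -> List[str]:
    findings = []
    if not info["failover_on"]:
        findings.append("failover is not enabled")
    if info["versions"] and info["versions"][0] != info["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % info["versions"])
    active_on = defaultdict(list)  # failover group -> units on which it is Active
    for host, data in info["hosts"].items():
        for group, state in data["groups"].items():
            if state == "Active":
                active_on[group].append(host)
            elif state != "Standby Ready":
                findings.append(f"group {group} on {host} is '{state}'")
        # a monitored interface that is not Normal counts against the interface policy and can force a failover
        for ifc in data["interfaces"]:
            if ifc["monitor"] != "Not-Monitored" and ifc["state"] != "Normal":
                findings.append(f"{host} {ifc['context']}/{ifc['name']} ({ifc['ip']}) is {ifc['state']} ({ifc['monitor']})")
    for group in sorted({g for d in info["hosts"].values() for g in d["groups"]}):
        if len(active_on[group]) != 1:  # 2 = split brain, 0 = nobody is forwarding for this group
            findings.append(f"group {group} is Active on {len(active_on[group])} units")
    return findings


def parse_port_channel_summary(text: str) -> Dict[str, Dict[str, str]]:
    """Map Po name -> {member port: flag}, e.g. {'Po1': {'Et0/0': 'P', 'Et0/2': 'D'}}."""
    return {m.group(1): dict(re.findall(r"(\S+?)\((\w)\)", m.group(2)))
            for m in re.finditer(r"^\d+\s+(Po\d+)\(\w+\)\s+\S+\s+(.*)$", text, re.M)}


def port_channel_findings(channels: Dict[str, Dict[str, str]], min_links: int = 1) -> List[str]:
    findings = []
    for po, members in channels.items():
        findings += [f"{po}: member {port} not bundled (flag {flag})" for port, flag in members.items() if flag != "P"]
        if sum(flag == "P" for flag in members.values()) < min_links:
            findings.append(f"{po}: fewer than {min_links} bundled links")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SHOW_FAILOVER)):
        print("failover:", finding)
    for finding in port_channel_findings(parse_show_failover.__globals__["parse_port_channel_summary"](SHOW_PORT_CHANNEL)):
        print("port-channel:", finding)
```

The split-brain test (a group Active on both units) is the one worth automating: it is exactly what you see when the failover link is cut while both units stay up, and from the data plane it looks like duplicate IP and MAC addresses on the segment.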

##### Theory #####

In the system context on the primary unit:
– setup interfaces (no shut),
– create subinterfaces,
– assign subinterface to vlan, and
– do interface no shut
– create contexts and assign interfaces to the context,
– setup failover commands,
– create failover groups,
– setup primary, preempt and interface policy and polltime.
– Next, still in the system context, enter each context's configuration ("context CTX1") and join it to the correct failover group with "join-failover-group".
– Activate failover with the "failover" command in config mode.

On the switch, setup trunk interfaces for outside and inside interfaces allowing correct vlans.

Then switch to context1 and setup interface names, ip addresses, objects, nat, access list and interface monitoring.
Then switch to context 2 and setup interface names, ip addresses, objects, nat, access list and interface monitoring.

On the secondary unit enter only the failover commands (the same as on the primary, except "failover lan unit secondary"), bring up the failover interface and activate failover.

###########################################################################

#object-group service SERVICES
#service-object icmp echo
#service-object tcp destination eq telnet
#service-object udp destination eq syslog

#object network R1
#host 20.0.0.1
#nat (inside,outside) static 160.60.0.1

!-- Since 8.3 the ACL references the real (untranslated) address, so "object R1" (20.0.0.1) is used here even though
!-- outside hosts reach it via 160.60.0.1; the expanded lines in "show access-list" below confirm this.
#access-list OUT-IN extended permit object-group SERVICES host 160.60.0.2 object R1
#access-group OUT-IN in interface outside

ASA1# sh access-list
access-list OUT-IN; 3 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit object-group SERVICES host 160.60.0.2 object R1 (hitcnt=3)
access-list OUT-IN line 1 extended permit icmp host 160.60.0.2 host 20.0.0.1 echo (hitcnt=2)
access-list OUT-IN line 1 extended permit tcp host 160.60.0.2 host 20.0.0.1 eq telnet (hitcnt=1)
access-list OUT-IN line 1 extended permit udp host 160.60.0.2 host 20.0.0.1 eq syslog (hitcnt=0)
ASA1#

##### Theory #####

Service object groups allow different protocols (TCP, UDP, ICMP), port numbers and ICMP types/codes to be combined into a single object. The configuration then has one ACE for the whole group; the ASA expands it internally into one element per member (the "3 elements" and the three indented lines above), and the parent line's hit count is the sum of the element hit counts.

################################################################

ICMP through the firewall is controlled by interface ACLs:

OUTSIDE_IN  -> |outside interface|      (access-group OUTSIDE_IN in interface outside)
|outside interface| -> OUTSIDE_OUT      (access-group OUTSIDE_OUT out interface outside)

! Ingress ACL: allow traceroute return packets (unreachable, time-exceeded) and pings across the firewall
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply

! Egress ACL: permit ping packets
access-list OUTSIDE_OUT extended permit icmp any any echo
access-list OUTSIDE_OUT extended permit icmp any any echo-reply

!-- Caveat: "permit icmp any any echo" inbound lets anyone on the outside ping every inside host that is reachable
!-- through a NAT translation; only add it if inbound ping is really required. With "inspect icmp" enabled in the
!-- global policy the ASA tracks echo/echo-reply as a connection, so replies to pings originated from inside are
!-- allowed without the inbound echo-reply entry. "inspect icmp error" additionally fixes up the translated addresses
!-- embedded in the time-exceeded/unreachable messages that traceroute relies on.

ICMP addressed to the firewall itself is controlled by the icmp command, per interface, first match wins.
As soon as one icmp rule exists on an interface, everything not explicitly permitted on that interface is
denied; an interface with no icmp rules at all accepts every ICMP type.

!-- allow the ASA to ping any destination but not to respond to ping (echo falls through to the implicit deny):
icmp permit any echo-reply outside

!-- allow the ASA to perform traceroute and to accept pMTU messages
icmp permit any time-exceeded outside
icmp permit any unreachable outside

#debug icmp trace

ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=0 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=1 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ASA3# sh xlate
1 in use, 2 most used
Flags: D – DNS, e – extended, I – identity, i – dynamic, r – portmap,
s – static, T – twice, N – net-to-net
ICMP PAT from any:150.1.2.2/16 to any:136.1.123.33/16 flags ri idle 0:00:29 timeout 0:00:30

Example:
Nobody can ping the firewall's interfaces, but the firewall can ping out on all interfaces and receives the replies to its own traceroute and pMTU discovery. These are icmp (to-the-box) rules, not interface ACLs; because at least one rule exists on every interface, echo requests fall through to the implicit deny:

icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside

icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any unreachable inside

icmp permit any echo-reply dmz1
icmp permit any time-exceeded dmz1
icmp permit any unreachable dmz1

icmp permit any echo-reply dmz2
icmp permit any time-exceeded dmz2
icmp permit any unreachable dmz2
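
Added example, not from the original notes: a Python emulation of the ASA's documented evaluation of the icmp command (per interface, first match wins, implicit deny once any rule exists on an interface, accept-all when none exists). The sample policy is the outside/inside part of the example above plus one hypothetical rule that lets a single monitoring host (10.0.0.5, made up) ping the inside interface; the interface names dmz1/dmz2 come from the page, the source addresses used in the demo are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords accepted by the ASA "icmp" command (the ones used on this page plus a few
# common ones) mapped to their IANA type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5, "echo": 8,
              "time-exceeded": 11, "parameter-problem": 12, "timestamp-request": 13,
              "timestamp-reply": 14, "mask-request": 17, "mask-reply": 18, "traceroute": 30}

# Constructed sample: the outside/inside rules of the example above, plus one hypothetical rule
# (not from the page) that lets a monitoring host ping the inside interface.
ICMP_POLICY = """
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside

icmp permit host 10.0.0.5 echo inside
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any unreachable inside
"""


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # any / host A / A MASK
    icmp_type: Optional[int]        # None means "any ICMP type"
    interface: str


def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] IFACE' lines; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        i = 2
        if tok[i] == "any":
            src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            src, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:
            src, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
        icmp_type = None
        if len(tok) - i == 2:  # an ICMP type keyword or number sits between the source and the interface
            icmp_type = ICMP_TYPES[tok[i]] if tok[i] in ICMP_TYPES else int(tok[i])
            i += 1
        rules.append(IcmpRule(tok[1], src, icmp_type, tok[i]))
    return rules


def icmp_to_asa_allowed(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: int) -> bool:
    """Decide whether an ICMP packet addressed to the ASA's own interface is accepted.

    Documented ASA behaviour: rules are evaluated per interface in order and the first match wins;
    once at least one rule exists on an interface everything else is implicitly denied; an interface
    with no icmp rules at all accepts every ICMP type from every source."""
    per_interface = [r for r in rules if r.interface == interface]
    if not per_interface:
        return True
    src = ipaddress.ip_address(src_ip)
    for r in per_interface:
        if src in r.source and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action == "permit"
    return False


def unguarded_interfaces(rules: List[IcmpRule], all_interfaces: List[str]) -> List[str]:
    """Interfaces without any icmp rule, i.e. ones that still answer ping (and every other ICMP type)."""
    covered = {r.interface for r in rules}
    return [ifc for ifc in all_interfaces if ifc not in covered]


if __name__ == "__main__":
    rules = parse_icmp_rules(ICMP_POLICY)
    for ifc, src, t in (("outside", "203.0.113.9", 8), ("outside", "203.0.113.9", 0),
                        ("inside", "10.0.0.5", 8), ("inside", "10.0.0.6", 8), ("dmz1", "10.1.1.1", 8)):
        verdict = "permit" if icmp_to_asa_allowed(rules, ifc, src, t) else "deny"
        print(f"{ifc:8} {src:14} type {t:2} -> {verdict}")
    print("interfaces with no icmp rules:", unguarded_interfaces(rules, ["outside", "inside", "dmz1", "dmz2"]))
```

The unguarded_interfaces check is the practical takeaway: the implicit deny only exists on interfaces that carry at least one icmp rule, so a new interface (or one that was forgotten, like dmz1 and dmz2 in the sample policy) answers ping and every other ICMP type until it gets its own rules. An explicit "icmp deny any <interface>" as the last rule on every interface removes the dependency on that default.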

##### A bit of theory #####

The traceroute command is used to discover the route that packets actually take to their destination. The device sends a sequence of User Datagram Protocol (UDP) datagrams to a port on the remote host that is not expected to be in use (classic implementations start at UDP port 33434). Cisco IOS and the ASA use this UDP method; Windows tracert sends ICMP echo requests instead, so the reply type a firewall has to permit differs (echo-reply rather than port-unreachable).
Three datagrams are sent, each with a Time-To-Live (TTL) field value of 1. A TTL of 1 causes the datagram to "time out" as soon as it hits the first router in the path; that router responds with an ICMP Time Exceeded Message (TEM) indicating that the datagram has expired.
Another three UDP datagrams are then sent with the TTL set to 2, which causes the second router to return ICMP TEMs. This process continues until the packets actually reach the destination.

Because the datagrams are aimed at an unused port on the destination host, it returns ICMP Port Unreachable messages; this signals the traceroute program that it is finished.

Recording the source address of each ICMP Time Exceeded message gives the trace of the path the packets took. For the OUTSIDE_IN ACL above this is why time-exceeded (from every hop) and unreachable (from the destination) have to be permitted inbound.

For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

IPv6 routers never fragment packets in transit (only the sending host may fragment), and the IPv6 header has no Don't Fragment bit. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU of the link-layer interface through which the traffic is being sent. Then, as with IPv4, any device along the path whose MTU is smaller than the packet drops it and sends back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its path MTU accordingly. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

The ping command uses a series of Internet Control Message Protocol (ICMP) Echo messages to determine:
– Whether a remote host is active or inactive.
– The round-trip delay in communicating with the host.
– Packet loss.

The ping command first sends an echo request packet to an address, then waits for a reply. The ping is
successful only if:
– the echo request gets to the destination, and
– the destination is able to get an echo reply back to the source within a predetermined time called a
timeout. The default value of this timeout is two seconds on Cisco routers and on the ASA ("timeout is 2 seconds" in the ping output above).

The TTL value of a ping packet cannot be changed from the Cisco IOS or ASA ping command; other implementations (for example Linux "ping -t") can set it.

################################################################