Difference between revisions of "Configuring and Cabling of Stateful Active/Standby Failover on a Cisco ASA 5510 Firewall"
From NesevoWiki
Jump to navigationJump to search| Line 50: | Line 50: | ||
* Make the appliance the primary failover unit | * Make the appliance the primary failover unit | ||
fw(config># failover lan unit primary | fw(config># failover lan unit primary | ||
| − | * Configure the failover interface. We will assign the name ''failoverlink'' to it. | + | * Configure the failover interface. |
| + | ** We will assign the name ''failoverlink'' to it. | ||
fw(config)# failover lan interface failoverlink Ethernet0/3 | fw(config)# failover lan interface failoverlink Ethernet0/3 | ||
| − | * Assign IP assresses to the ''failoverlink'' interface. Note that the network segments assigned to the interfaces of the firewall must not overlap. We will use the 10.0.1.0/24 network for the failover ip addresses. | + | ** Assign IP assresses to the ''failoverlink'' interface. Note that the network segments assigned to the interfaces of the firewall must not overlap. We will use the 10.0.1.0/24 network for the failover ip addresses. |
fw(config)# failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2 | fw(config)# failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2 | ||
| − | * Enable the ''failoverlink'' interface | + | ** Enable the ''failoverlink'' interface |
fw(config)# interface Ethernet0/3 | fw(config)# interface Ethernet0/3 | ||
fw(config-if)# no shutdown | fw(config-if)# no shutdown | ||
fw(config-if)# exit | fw(config-if)# exit | ||
fw(config)# | fw(config)# | ||
| + | * Configure the ''failoverlink'' interface to be used for stateful failover as well | ||
| + | fw(config)# failover link failoverlink | ||
| + | * Enable failover | ||
| + | fw(config)# failover | ||
| + | * Enable http replication | ||
| + | fw(config)# failover replication http | ||
| + | * Save system config | ||
| + | fw(config)# write mem | ||
| + | fw(config)# copy running-config startup-config | ||
| + | * Exit config mode | ||
| + | fw(config)# exit | ||
| + | fw# | ||
| + | * Check the failover status. It should now up as primary unit in active state and be complaining about it's mate issing. | ||
| + | fw# show failover | ||
| + | |||
| + | === Configuring the secondary appliance === | ||
Revision as of 16:06, 20 January 2012
These steps were tested under IOS 8.2(2).
Prerequisites
- You need two identical Cisco ASA 5510 appliances
- Both appliances must be running the identical IOS version
- You need at least IOS version 7.0. If you want to use IPv6, you need at least IOS version 8.2(2).
- You need an ASA 5510 Security Plus license on both appliances.
- Both appliances must be in the same mode (single|multiple|transparent|routed). This tutorial uses routed mode. (You can tell the mode your appliance is running under issuing the
show firewallcommand in enable mode.)
Assumptions
In this tutorial we assume tho following target configuration:
- One interface (Ethernet0/0) named outside which will be attached to the internet in your target environment
- One interface (Ethernet0/1) named inside which will be attached to the internal LAN in your target environment
- One interface (Ethernet0/2) named tmplan which will temporarily attached to your LAN in the test environment (for setup and testing purposes)
- One interface (Ethernet0/3) named failoverlink which will serve as the interface for failover and stateful failover
- The hosts in your LAN are configured to use a default gateway with the IP address of 10.0.0.1
Configuration steps
In a ASA 5510 failover configuration scenario one appliance is the primary one, the other one is the secondary one. You can read about the meaning of this in Cisco's official documentation.
Configuring the primary appliance
- Power up your primary appliance (i.e. the one that is to become the primary appliance). Leave the other one switched off.
- Connect to the primary appliance via console.
- Enter
enable, then theconf tcommand to get to the config prompt. Depending on your configuration you may have to enter a password.
fw> enable fw# fw# conf t fw(config)#
- In a failover scenario you have to apply a standby ip address to each data interface you want to have taken over by the secondary appliance in case of a failure on the primary one. We want all of our data interfaces to be covered.
- Configure interface outside (use the network parameters valid for the external ip range in your target environment)
fw(config)# interface Ethernet0/0 fw(config-if)# nameif outside fw(config-if)# ip address 111.222.111.222 255.255.255.192 standby 111.222.111.223 fw(config-if)# no shutdown fw(config-if)# exit fw(config)#
- Configure interface inside (use the network parameters valid for the internal ip range in your target environment)
fw(config)# interface Ethernet0/1 fw(config-if)# nameif inside fw(config-if)# ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 fw(config-if)# no shutdown fw(config-if)# exit fw(config)#
- Configure interface tmplan (use the network parameters valid for the internal ip range in your test environment)
fw(config)# interface Ethernet0/2 fw(config-if)# nameif tmplan fw(config-if)# ip address 192.168.0.250 255.255.255.0 standby 192.168.0.251 fw(config-if)# no shutdown fw(config-if)# exit fw(config>#
- Make the appliance the primary failover unit
fw(config># failover lan unit primary
- Configure the failover interface.
- We will assign the name failoverlink to it.
fw(config)# failover lan interface failoverlink Ethernet0/3
- Assign IP assresses to the failoverlink interface. Note that the network segments assigned to the interfaces of the firewall must not overlap. We will use the 10.0.1.0/24 network for the failover ip addresses.
fw(config)# failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2
- Enable the failoverlink interface
fw(config)# interface Ethernet0/3 fw(config-if)# no shutdown fw(config-if)# exit fw(config)#
- Configure the failoverlink interface to be used for stateful failover as well
fw(config)# failover link failoverlink
- Enable failover
fw(config)# failover
- Enable http replication
fw(config)# failover replication http
- Save system config
fw(config)# write mem fw(config)# copy running-config startup-config
- Exit config mode
fw(config)# exit fw#
- Check the failover status. It should now up as primary unit in active state and be complaining about it's mate issing.
fw# show failover
