PIX / ASA Failover
1. Backup running config on the primary firewall.
RSFWALL1# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd
8549 bytes copied in 3.670 secs (2849 bytes/sec)
RSFWALL1#
2. Blow away the config on the interface you are going to use for failover.
RSFWALL1(config)# clear configure interface m0/0
RSFWALL1(config)# int m0/0
RSFWALL1(config-if)# no shut
RSFWALL1(config)#
3. Change the interface IP addresses (to add the standby addresses for each interface).
RSFWALL1(config)# interface Ethernet0/0
RSFWALL1(config-if)# speed 100
RSFWALL1(config-if)# duplex full
RSFWALL1(config-if)# nameif Outside
RSFWALL1(config-if)# security-level 0
RSFWALL1(config-if)# ip address xx.xxx.xxx.225 255.255.255.0 standby zz.zzz.1$
RSFWALL1(config-if)# interface Ethernet0/1
RSFWALL1(config-if)# speed 100
RSFWALL1(config-if)# duplex full
RSFWALL1(config-if)# nameif DMZ1
RSFWALL1(config-if)# security-level 50
RSFWALL1(config-if)# ip address 172.31.5.1 255.255.255.0 standby 172.31.5.254
RSFWALL1(config-if)# interface Ethernet0/2
RSFWALL1(config-if)# speed 100
RSFWALL1(config-if)# duplex full
RSFWALL1(config-if)# nameif DMZ2
RSFWALL1(config-if)# security-level 55
RSFWALL1(config-if)# ip address 172.31.4.1 255.255.255.0 standby 172.31.4.254
RSFWALL1(config-if)# interface Ethernet0/3
RSFWALL1(config-if)# speed 100
RSFWALL1(config-if)# duplex full
RSFWALL1(config-if)# nameif Inside
RSFWALL1(config-if)# security-level 100
RSFWALL1(config-if)# ip address 172.31.3.3 255.255.255.0 standby 172.31.3.254
4. Set up the failover LAN interface (In config mode!).
RSFWALL1(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
RSFWALL1(config)#
5. Set up the failover link IP address.
RSFWALL1(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
RSFWALL1(config)#
6. Set up a shared key.
RSFWALL1(config)#
RSFWALL1(config)# failover lan key 666999
RSFWALL1(config)#
7. Set it as the primary unit.
RSFWALL1(config)#
RSFWALL1(config)# failover lan unit primary
RSFWALL1(config)#
8. Turn on failover.
RSFWALL1(config)# failover
RSFWALL1(config)#
9. Save the config.
RSFWALL1(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
RSFWALL1(config)#
10. Go to the second PIX!
11. Enter enable mode.
ciscoasa> en
Password:
ciscoasa#
12. Open the failover link and do a no shut.
ciscoasa# conf t
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#
13. Turn on the LAN interface for failover.
ciscoasa(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#
14. Give it an IP address.
ciscoasa(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
15. Give it the same key you used above.
ciscoasa(config)#
ciscoasa(config)# failover lan key 666999
ciscoasa(config)#
16. Set it as the secondary (standby unit).
ciscoasa(config)# failover lan unit secondary
17. Turn on failover.
ciscoasa(config)#
ciscoasa(config)# failover
You should see:
Detected an Active mate
Beginning configuration replication from mate.
18. On the secondary firewall, show failover.
RSFWALL1(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
Interface Outside (xx.xxx.xxx.254): Link Down (Waiting)
Interface DMZ1 (172.31.5.254): Link Down (Waiting)
Interface DMZ2 (172.31.4.254): Link Down (Waiting)
Interface Inside (172.31.3.254): Link Down (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 514 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
Interface Outside (xx.xxx.xxx.225): Link Down (Waiting)
Interface DMZ1 (172.31.5.1): Link Down (Waiting)
Interface DMZ2 (172.31.4.1): Link Down (Waiting)
Interface Inside (172.31.3.3): Link Down (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Unconfigured.
19. On the Primary firewall show failover.
RSFWALL1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
This host: Primary - Active
Active time: 616 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: empty
Interface Outside (xx.xxx.xxx.225): Link Down (Waiting)
Interface DMZ1 (172.31.5.1): Link Down (Waiting)
Interface DMZ2 (172.31.4.1): Link Down (Waiting)
Interface Inside (172.31.3.3): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
slot 1: empty
Interface Outside (xx.xxx.xxx.254): Link Down (Waiting)
Interface DMZ1 (172.31.5.254): Link Down (Waiting)
Interface DMZ2 (172.31.4.254): Link Down (Waiting)
Interface Inside (172.31.3.254): Link Down (Waiting)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
20. On the primary ASA, shorten the failover poll and hold times.
RSFWALL1(config)# failover poll 1 hol 3
RSFWALL1(config)# failover poll interface 3
RSFWALL1(config)# int m0/0
RSFWALL1(config-if)# failover poll interface 3
RSFWALL1(config)#
21. Save the config.
RSFWALL1(config)# write mem
Building configuration...
Cryptochecksum: 6650f6c9 09bbb5f0 0dafa0d1 8fc08aba
8756 bytes copied in 3.680 secs (2918 bytes/sec)
[OK]
RSFWALL1(config)#
22. When done, pull the power on ASA 1 to test the failover.
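Added example, not part of the original post: a small Python check that parses the "show failover" output from steps 18 and 19 and flags what you would want caught before the power-pull test, the software version mismatch between the two units (7.0(5) vs 7.2(2)) and the unconfigured stateful failover link. The sample output is constructed from the transcript above; parse_failover and check_failover are assumed names.

```python
import re

# Constructed sample: a trimmed copy of the kind of 'show failover' output the steps
# above produce (same version mismatch and unconfigured stateful link as on the page).
SAMPLE = """Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Version: Ours 7.0(5), Mate 7.2(2)
This host: Primary - Active
Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
    Link : Unconfigured.
"""

def _grab(pattern, text, groups=1):
    """Return the capture groups of the first matching line, or Nones if absent."""
    m = re.search(pattern, text, re.M)
    if not m:
        return (None,) * groups
    return tuple(g.strip() for g in m.groups())

def parse_failover(text):
    """Pull the fields worth checking out of 'show failover' output (indent-tolerant)."""
    info = {}
    info["enabled"] = _grab(r"^\s*Failover (On|Off)\b", text)[0] == "On"
    info["lan_if"], info["lan_state"] = _grab(r"^\s*Failover LAN Interface: \S+ (\S+) \((\w+)\)", text, 2)
    info["ours"], info["mate"] = _grab(r"^\s*Version: Ours ([^,]+), Mate (.+)$", text, 2)
    info["this_state"] = _grab(r"^\s*This host: \S+ - (.+)$", text)[0]
    info["other_state"] = _grab(r"^\s*Other host: \S+ - (.+)$", text)[0]
    info["stateful_link"] = _grab(r"^\s*Link : (\w+)", text)[0]
    return info

def check_failover(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    f = parse_failover(text)
    findings = []
    if not f["enabled"]:
        findings.append("failover is off")
    if f["lan_state"] != "up":
        findings.append(f"failover LAN interface {f['lan_if']} is {f['lan_state']}")
    if f["ours"] != f["mate"]:
        findings.append(f"software version mismatch: ours {f['ours']}, mate {f['mate']}")
    states = {f["this_state"], f["other_state"]}
    if states != {"Active", "Standby Ready"}:
        findings.append(f"unexpected unit states: {f['this_state']} / {f['other_state']}")
    if f["stateful_link"] == "Unconfigured":
        findings.append("stateful failover link unconfigured: connections will not survive a failover")
    return findings
```

Feed it the real output of "show failover" from either unit; on the pair above it reports the version mismatch and the missing stateful link, both of which should be cleared up before relying on the failover.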
Sunday, September 23, 2007