How to configure hot failover cisco asa 5510, 5500 series firewalls
How to Configure Hot Failover on Cisco ASA 5510 and ASA 5500 Series (Active/Standby)

This article walks through Cisco ASA 5505/5500 Active/Standby failover configuration, from the primary unit to the standby unit, and the points that need attention along the way. Let's start.

Prerequisites:

  • The two Cisco ASAs must have identical hardware specs.
  • Compare the installed licenses with "show version". Licenses must match on both ASAs. If you are running ASA version 8.3 or later, licenses do not need to match.
  • Before upgrading to 8.3 (if you want to; you do not have to), study well: access lists and NAT are different in 8.3, so you need to do a manual clean-up and re-configuration. 8.3 also needs 1 GB of memory.
  • After failover is configured, the configuration from the primary will replicate to the standby. Important: if you have AnyConnect or VPN images loaded on the primary, you need to copy them to the secondary yourself, because only the configuration replicates, not the images.

Failover link:

Connect the two ASAs with a Cat5 cable for the failover link (heartbeat). You can use the management interface Management0/0 for this. Pick a network and an IP address for that interface, for example 192.168.150.1; the standby will have 192.168.150.2.

Primary ASA:

For each interface that has an IP address and mask, pick an IP address for the standby from the same network. For example, for the inside interface with IP address 192.168.99.1 255.255.255.0, pick 192.168.99.2 for the standby (no mask needed) and configure that interface:

  ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

Do the same for all other interfaces you are going to use, such as the Outside and DMZ. Make sure they are in "no shutdown". Interfaces need to be on different networks.

For the management interface, do a "no shutdown". Make sure the interface has no interface name ("no nameif") and do not configure an IP address on it.

Type the following commands:

  ASA(config)# failover lan unit primary
  ASA(config)# failover lan interface failover Management0/0

When you type this command the ASA will say "INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces" and it will give that interface the description "description LAN Failover Interface".

  ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2
  ASA(config)# failover link failover Management0/0

If you do "show running-config" you will see that the description of interface Management0/0 has changed to "description LAN/STATE Failover Interface".

  ASA(config)# failover replication http
  ASA(config)# failover

Secondary/Standby ASA:

Connect all interfaces to their respective networks (at least the inside interface to the inside network and the outside interface to the outside network; the Management0/0 interfaces on both ASAs are connected together through a cross-over cable). Connect to the ASA through a console. Go to all interfaces that you are going to use (just like on the primary ASA) and do a "no shutdown". Don't forget the management interface that we are going to use as the failover interface: make sure it has no interface name ("no nameif"). The ASA configuration, including IP addresses, will replicate from the primary ASA when replication starts.

The following is the minimum configuration you need on the standby, and no more. Type:

  ASA(config)# failover lan interface failover Management0/0
  ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2

(This is the exact same command you typed on the primary.)

  ASA(config)# failover link failover Management0/0
  ASA(config)# failover lan unit secondary
  ASA(config)# failover replication http
  ASA(config)# failover

"failover" is the last command you need to enter; as soon as you do, replication of the configuration will start. You will see messages similar to the following:

  Detected an Active mate
  Beginning configuration replication from mate....
  Jul 12 2013 23:37:14: %ASA-6-720037: (VPN-Secondary) HA progression callback: id =3,seq=200,grp=0,event=101,op=15,my=Sync Config,peer=Active.
  Jul 12 2013 23:37:14: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_CONFIG, my state Sync Config, peer state Active.
  Jul 12 2013 23:37:14: %ASA-1-709006: (Secondary) End Configuration Replication (STB)

Give replication some time to finish before you proceed with the following.

Afterwards, go back to the primary ASA (not the standby) and save the configuration there; that saves it on both ASAs:

  ASA# wr mem

You can use the following two commands to see the state of failover:

  ASA# show failover
  ASA# show failover state

Down the road, if the standby configuration is out of sync with the active ASA, go to the standby and do:

  conf t
  no failover
  failover

As a last resort, if the configurations still do not match, on the active/primary ASA:

  wr standby

Make sure you read more about "wr standby" before you do it.
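The addressing rules above (every addressed interface has a standby address in its own subnet, interfaces sit on different networks, the failover interface carries no nameif and no IP address, and the failover link itself has an in-subnet standby) are easy to get wrong by hand. The Python checker below is an added example, not part of the article; it parses a constructed sample config that follows the article's addresses and reports every rule it finds violated.

```python
import ipaddress
import re

# Constructed sample of the primary ASA's relevant lines after the steps above.
SAMPLE_CONFIG = """\
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2
interface GigabitEthernet0/1
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface Management0/0
 no nameif
"""

def parse_interfaces(config):
    """Return {interface: (has_nameif, ip, mask, standby)} for each interface block."""
    out = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        ip = re.search(r"^ ip address (\S+) (\S+)(?: standby (\S+))?", m[2], re.M)
        out[m[1]] = (bool(re.search(r"^ nameif ", m[2], re.M)),) + (ip.groups() if ip else (None,) * 3)
    return out

def check_failover_config(config):
    """Return violations of the article's checklist; an empty list means the config passes."""
    problems, seen, ifaces = [], [], parse_interfaces(config)
    if not re.search(r"^failover lan unit (primary|secondary)", config, re.M):
        problems.append("unit role not set (failover lan unit primary|secondary)")
    link = re.search(r"^failover lan interface \S+ (\S+)", config, re.M)
    named, addr = ifaces.get(link[1], (False, None, None, None))[:2] if link else (False, None)
    if not link:
        problems.append("no failover LAN interface configured")
    elif named or addr:
        problems.append(f"{link[1]}: failover link needs 'no nameif' and no ip address")
    # every addressed interface, and the failover link itself, needs an in-subnet standby IP
    pairs = [(n, *t[1:]) for n, t in ifaces.items() if t[1]]
    fo = re.search(r"^failover interface ip \S+ (\S+) (\S+)(?: standby (\S+))?", config, re.M)
    pairs.append(("failover link", *(fo.groups() if fo else (None,) * 3)))
    for name, ip, mask, standby in pairs:
        if ip is None:
            problems.append(f"{name}: no 'failover interface ip' address")
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if standby is None or ipaddress.ip_address(standby) not in net:
            problems.append(f"{name}: standby {standby} missing or not in {net}")
        if any(net.overlaps(o) for o in seen):
            problems.append(f"{name}: subnet {net} overlaps another interface")
        seen.append(net)
    return problems
```

Run it against the output of "show running-config" saved to a file before typing the "failover" command on the primary; an empty list means the checklist passes.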