topic Re: ASA - Active/Active in Transparent Mode in Network Security

ASA - Active/Active in Transparent Mode

keith.osullivan — Mon, 11 Mar 2019 12:43:36 GMT

Hi,

I am trying to configure a pair of new ASA'a for transparency and redundancy, they will protect some existing servers who's ip's cannot be changed.

I have enabled the multiple context's but cannot manage the ASA's by IP.

Below is the config.

ASA Version 7.0(7) <system>

firewall transparent

hostname ASA

enable password **** encrypted

interface GigabitEthernet0/0

interface GigabitEthernet0/0.1

vlan 601

interface GigabitEthernet0/0.2

vlan 602

interface GigabitEthernet0/1

interface GigabitEthernet0/1.1

vlan 603

interface GigabitEthernet0/1.2

vlan 604

interface GigabitEthernet0/2

shutdown

interface GigabitEthernet0/3

interface GigabitEthernet0/3.1

description LAN Failover Interface

vlan 101

interface GigabitEthernet0/3.2

description STATE Failover Interface

vlan 201

interface Management0/0

ftp mode passive

pager lines 24

failover

failover lan unit secondary

failover lan interface LANFailover GigabitEthernet0/3.1

failover link Stateful GigabitEthernet0/3.2

failover interface ip LANFailover ###internal ip#### standby ###internal ip####

failover interface ip Stateful ###internal ip#### standby ###internal ip####

failover group 1

failover group 2

secondary

no asdm history enable

arp timeout 14400

console timeout 0

admin-context admin

context admin

allocate-interface Management0/0

config-url disk0:/admin.cfg

join-failover-group 1

context context1

allocate-interface GigabitEthernet0/0.1

allocate-interface GigabitEthernet0/1.1

config-url disk0:/context1

join-failover-group 1

context context2

allocate-interface GigabitEthernet0/0.2

allocate-interface GigabitEthernet0/1.2

config-url disk0:/context2

join-failover-group 2

Cryptochecksum:xxx

: end

ASA# changeto context context1

ASA/context1# sh run

: Saved

ASA Version 7.0(7) <context>

firewall transparent

hostname context1

enable password **** encrypted

names

dns-guard

interface GigabitEthernet0/0.1

nameif outside

security-level 0

interface GigabitEthernet0/1.1

nameif inside

security-level 100

passwd xxx

pager lines 24

mtu outside 1500

mtu inside 1500

ip address ###internal ip#### standby ###internal ip####

************

output omitted

************

: end

ASA/context1# changeto context context2

ASA/context2# sh run

: Saved

ASA Version 7.0(7) <context>

firewall transparent

hostname context2

enable password **** encrypted

names

dns-guard

interface GigabitEthernet0/0.2

nameif outside

security-level 0

interface GigabitEthernet0/1.2

nameif inside

security-level 100

passwd xxx

pager lines 24

mtu outside 1500

mtu inside 1500

ip address ###internal ip#### standby ###internal ip####

************

output omitted

************

: end

ASA/context2#

Re: ASA - Active/Active in Transparent Mode

alanajjar — Tue, 13 May 2008 13:49:33 GMT

Hi,

You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address. after that you can manage the ASA through IP.

for example :

interface Management0/0

nameif management

ip address 10.10.10.10 255.255.255.0

security-level 50

no shut

also you need to specify the addresses that can manage the ASA and the interface which they are connected to :

http ip_addresse mask interface

example :

http 10.2.2.2 255.255.255.255 inside

other solution , you can add the mangement interface to the admin context, then use the previous commands in the admin context.

with regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Thu, 15 May 2008 13:57:30 GMT

Hi,

Thanks for the response Alan, entering the security level fixed the problem.

I still cannot get traffic to go through the firewall, i am not sure if i have to keep the vlan's on the interfaces and then assign them to the contexts. As whenever i try adding access rules it says there are no interfaces available.

Many thanks for your help.

Keith

Re: ASA - Active/Active in Transparent Mode

alanajjar — Sun, 18 May 2008 04:52:19 GMT

Hi,

You need to enable ALL the sub-interfaces in the system configuration and ALL contexts, as you know by using the command

no shut

you need to do it for all subinterfaces. note that the access lists are defined in the contexts not on the system configuration.

Hope this will help.

regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Mon, 19 May 2008 07:32:03 GMT

Hi,

I cannot add an interface to multiple contexts (ie sharing cannot be done in transparent mode) and it will only allow me to add 2 data interfaces per a context.

Kind regards

Keith

Re: ASA - Active/Active in Transparent Mode

alanajjar — Mon, 19 May 2008 08:44:08 GMT

Hi,

Why you want to use shared interface? you didnt mention any thing about that.

In trasparent mode, you can have only two interface per context. also you define the ip address in context mode, not interface mode, and you need to applu an access list to let traffic pass through each context, because by default all traffic are blocked in transparent mode.

can you specify exactly what you want to do?

with regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Mon, 19 May 2008 11:01:27 GMT

Hi Alanajjar,

I really appreaciate your input in to this.

The aim is to firewall of some servers internally and their ip's cannot be changed easily (due to coding of some applications).

Internal IP (eg 192.168.0.50/24) <----> Transparent Firewalls <------> Internal IP (eg 192.168.0.50/24).

I can allocate interfaces (inside and outsite) to context's, but as its transparent i dont really want to use muliple vlans which seems to be the only way to allocate the interfaces. The above works with Active / Standby (no vlan's etc), but A/A does not seem possible without vlans. I only thought about the shared interface as it would mean no vlans.

Kind regards in advance

Keith

Re: ASA - Active/Active in Transparent Mode

alanajjar — Mon, 19 May 2008 12:23:35 GMT

Hi,

With transparent firewall you have to allocate vlans to interfaces, other wise the firewall will not pass any traffic.

I have some questions to clarify the picture :

are all servers in the same subnet or differnt subnets?

do you have layer 3 switch?

is there a problem if you use vlans?

if you can post your network diagram,this will give good picture about your situation.

I hope that I can help you in this.

with regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Mon, 19 May 2008 12:51:38 GMT

Hi,

All the servers are on the same subnet, so the goal is just to move the required servers from one side of the firewall to the other.

We do have a layer 3 switch and use vlans so that should not be a problem. I am just thinking if we use vlans on the firewall ports, how will traffic pass through or swap between vlans to balance the traffic.

I attach a simple network diagram, so hopefully you can see what i am trying to do.

Regards

Re: ASA - Active/Active in Transparent Mode

alanajjar — Mon, 19 May 2008 17:48:40 GMT

Hi Keith,

Your situation is easy, for your case you need only one context, in that context define an ip address in the same subnet, i.e 192.168.1.x/24. the ASA will switch traffic through the context based on the source address in your case, so the traffic from specific source, will pass through a specific context, which is in the same subnet, the ASA will use the valns on the context to switch traffic between the inbound interface (or sub-interface) and the outbound interface, and the return traffic will be pass through the same context, it will not go through another context, this will be control be the ASA.

Hope this will clarify the situation.

With regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Tue, 20 May 2008 11:46:15 GMT

Thanks for your help Analnjjar. I just tried setting this up and one firewall works, but the failover does not and i believe traffic is only passing through the primary firewall. With a single context it will be active / nothing am i right in thinking.

From what i can gather you assign interfaces (vlans) to contexts, and each firewall runs a different context ie different vlans. I seem to be running in trouble where I want all interfaces to run the same vlan (default) and pass traffic so it is fully transparent and balanced. With a single context you cannot have each firewall running a context so it is Active / Nothing. As i cannot assign an interface to multiple contexts in transparent mode i am stuck.

Hope that makes sense.

Re: ASA - Active/Active in Transparent Mode

alanajjar — Tue, 20 May 2008 15:16:49 GMT

Hi,

I think in your situation you dont need to use active/active failover, why you dont use transparent active/standby stateful failover? you need active/active failover when you have multiple subnets, and you want to use failover for those subnets, but here you have only one subnet, am I right?

regarding vlans, the servers are dont care about vlans, only network devices like routers, firewalls or switches. the switching between differnt vlans will be handeled by layer 3 switch in your case, so for this its not an issue. only minor changes in the switch will solve that.

I hope that I understood the situation correctly.

with regards

Re: ASA - Active/Active in Transparent Mode

keith.osullivan — Tue, 03 Jun 2008 07:54:50 GMT

Hi Alanjar,

Thank you very much for your help. I have gone tith the active / standby approach as you suggested.

Kind regards

Keith