ASA Failover Interface Principles

Gerald Wiltse
Level 1

I'm about to implement my first 5520s, and I have questions about the details which aren't really explained in the documentation. My situation is active/standby.

Failover Link:

1.  Etherchannel is now possible on the ASA's, but is it supported on the Failover link?  I sure hope so.

2.  What is the REAL FUNCTIONAL difference between the failover link going down when using a switch versus a crossover cable between ASA's?  Specifically speak to what happens from a detection/reaction perspective in the IOS on both sides.

3. If the failover link is down on either side (or both), do the ASA's still communicate across their inside/outside interfaces to prevent a conflict?  How does it work exactly.

I've read a lot of documentation, and am very familiar with interface tracking for HSRP/VRRP, routing protocols, and even IP SLA tracking and logic for failover from my routing and switching experience. Still, I'm having a hard time understanding how the ASAs will behave.

I am looking for a unique and verbose explanation from people who have worked with the ASA's exhaustively (in their own words).  Please do not post links to any cisco documentation, nor post statements that begin with "I think" or "I believe".

Thanks,

Jerry

24 Replies

Hello Roy, after checking your configuration I found some things I would like to talk about:

First, to understand your network: you are trying to use 2 different links to the ISP, right? So if one goes down the other one will be installed in the routing table, using the SLA Monitoring feature.

- You should have this NAT in order to permit access to the Internet from the inside using the 2 links to the ISP:

nat (inside)  1 0 0

global (twc) 1 interface

global (verizon) 1 interface

- As per your running config file you are using the interface Verizon as the backup line to the ISP, so the AD for this static route should be higher than the one on the TWC static:

route twc      0 0 74.62.207.65     1    track #

route verizon 0 0 65.208.133.169  254

This will ensure you use the TWC line to the Internet as the primary route, and track and monitor it.

- You will need to change the SLA config to monitor the target used on the TWC link instead of the Verizon link.

Please let me know if this works.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks J for getting back to me so soon.  Verizon is the primary for now & TWC is the backup.  The reason is I wanted to make sure the backup concept will work before drastically changing everything.  These changes are being done on a very active firewall and downtime is not an option, plus I'm working on it remotely, and after hours.  I could never get the global (twc) 1 interface to show up.  When I was adding the 3rd interface, it would show up in ASDM as Home (dmz).  If I set the nat (inside) 1 0 0 will I get the global line?  Which is the best way to make the changes, CLI or ASDM?  Thanks again.

Hi again Roy

With the SLA monitoring you will be able to provide a backup path to go to the Internet if the primary line goes down.

You should be able to create the global (twc) 1. If you don't, and the primary path goes down, there will not be a connection to the Internet, because the nat statement will only apply to the global (Verizon). So you need that global to work with SLA.

About the nat (inside) 1 0 0, this means:

1 - The 1 is the ID of the nat statement.

2 - 0 0 means that this nat statement will affect any host going to the Internet, and yes, it will hit the global line if the global line uses the same NAT ID as the nat (inside).

You should see 3 interfaces on the ASA. About which is the best way to make the changes, this is all up to you. I prefer to deal with the CLI, but some people would rather use ASDM. At the end of the day the same changes are going to be applied to the ASA, so the question is where you feel more comfortable, on the CLI or in ASDM?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi J,

Sorry it took me a while to get back to you with good, no, great news: I did what you suggested, and it all worked like a charm. I made the changes in about 10 min, pulled the plug on the Pri ISP (TWC), it switched over to backup (Verizon) in less than 20 seconds, then I plugged the Pri back in, and it switched back in about 20 sec.  I even pulled the backup just to make sure.  Thank you once again for quality info.  I attached the config right after I wrote it to flash.

ASA Version 7.2(4)
!
hostname ?????

domain-name ?????

enable password ????? encrypted
passwd ????? encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif Verizon
security-level 0
ip address 65.208.133.170 255.255.255.248
ospf cost 10
!
interface Vlan3
backup interface Vlan2
nameif TWC
security-level 0
ip address 74.62.207.66 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ?????

object-group service DM_INLINE_TCP_1 tcp
port-object eq 10019
port-object eq 8016
port-object eq 8200
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_3
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service DM_INLINE_TCP_2 tcp
port-object eq 10019
port-object eq 8016
port-object eq 8200
access-list outside_access_in remark Inbound for Security System
access-list outside_access_in extended permit tcp any host 65.208.133.174 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit icmp any host 65.208.133.174 object-group DM_INLINE_ICMP_1 inactive
access-list outside_access_in extended permit icmp any 65.208.133.168 255.255.255.248 object-group DM_INLINE_ICMP_2
access-list TWC_access_in extended permit icmp any 74.62.207.64 255.255.255.240 object-group DM_INLINE_ICMP_3
access-list TWC_access_in extended permit icmp any host 74.62.207.78 object-group DM_INLINE_ICMP_4 inactive
access-list TWC_access_in remark Inbound For Security System
access-list TWC_access_in extended permit tcp any host 74.62.207.78 object-group DM_INLINE_TCP_2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Verizon 1500
mtu TWC 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Verizon) 1 interface
global (TWC) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Verizon) 1 0.0.0.0 0.0.0.0
static (inside,Verizon) 65.208.133.174 192.168.1.99 netmask 255.255.255.255 dns
static (inside,TWC) 74.62.207.78 192.168.1.99 netmask 255.255.255.255 dns
access-group outside_access_in in interface Verizon
access-group TWC_access_in in interface TWC
route TWC 0.0.0.0 0.0.0.0 74.62.207.65 1 track 3
route Verizon 0.0.0.0 0.0.0.0 65.208.133.169 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 TWC
http 0.0.0.0 0.0.0.0 Verizon
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 74.62.207.65 interface TWC
sla monitor schedule 123 life forever start-time now
!
track 3 rtr 123 reachability
telnet 68.195.244.98 255.255.255.255 Verizon
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Verizon
ssh 0.0.0.0 0.0.0.0 TWC
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 66.75.164.89 66.75.164.90
dhcpd auto_config TWC
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 208.184.36.10 interface inside
dhcpd enable inside
!

username ??????? password ????? encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:??????

: end

Hello Roy

Its great to hear that everything is working.

The config seems to be right. I would take these statements out of the config because, as I told you, all the hosts on the inside are covered by the nat (inside) 1 0 0. I would take out the nat (Verizon) because that network does not need to get translated to the outside, so they are unnecessary. Just to let you know, these are the 2 statements:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (Verizon) 1 0.0.0.0 0.0.0.0

Anything else, just let me know. Points will be appreciated.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
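Julio's three conditions (a global on each ISP interface sharing the nat (inside) ID, a higher AD on the untracked backup default route, and an SLA probe that goes out the primary link), plus his follow-up that the nat (Verizon) line is unnecessary, can be checked mechanically against a saved config. The script below is an added example, not code from this thread or from Cisco. It parses only the pre-8.3 global/nat/route/sla/track lines it needs; the embedded sample is a trimmed copy of the config Roy posted above (TWC primary, Verizon backup), and the broken variant next to it is constructed to show what each finding looks like. The "probe target is the next hop" note is a caveat of mine, not something the thread states.

```python
"""Offline sanity checks for an ASA dual-ISP setup (pre-8.3 NAT syntax) with an SLA-tracked default route."""
import re
from ipaddress import ip_address

# Constructed sample: the dual-ISP lines from the config posted in this thread, trimmed to what the checks read.
SAMPLE_CONFIG = """\
global (Verizon) 1 interface
global (TWC) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Verizon) 1 0.0.0.0 0.0.0.0
route TWC 0.0.0.0 0.0.0.0 74.62.207.65 1 track 3
route Verizon 0.0.0.0 0.0.0.0 65.208.133.169 2
sla monitor 123
 type echo protocol ipIcmpEcho 74.62.207.65 interface TWC
sla monitor schedule 123 life forever start-time now
track 3 rtr 123 reachability
"""

# Constructed negative case: the same config with the three mistakes the thread warns about.
BROKEN_CONFIG = (SAMPLE_CONFIG
    .replace("global (TWC) 1 interface\n", "")                                   # no PAT global on TWC
    .replace("65.208.133.169 2", "65.208.133.169 1")                              # backup AD not higher
    .replace("74.62.207.65 interface TWC", "74.62.207.65 interface Verizon"))     # probe sent out the backup

RE_GLOBAL = re.compile(r"^global \((\S+)\) (\d+) ")
RE_NAT = re.compile(r"^nat \((\S+)\) (\d+) ")
RE_ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?$")
RE_SLA = re.compile(r"^sla monitor (\d+)$")
RE_SLA_ECHO = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$")
RE_TRACK = re.compile(r"^track (\d+) rtr (\d+) reachability$")

def parse_asa(text):
    """Collect globals, nat ids per interface, default routes, SLA echo probes and track objects."""
    cfg = {"globals": set(), "nat_ids": {}, "routes": [], "sla": {}, "track": {}}
    pending_sla = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_GLOBAL.match(line):
            cfg["globals"].add((m.group(1), int(m.group(2))))
        elif m := RE_NAT.match(line):
            cfg["nat_ids"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := RE_ROUTE.match(line):
            cfg["routes"].append({"iface": m.group(1), "nexthop": ip_address(m.group(2)),
                                  "ad": int(m.group(3)), "track": int(m.group(4)) if m.group(4) else None})
        elif m := RE_SLA.match(line):
            pending_sla = int(m.group(1))                 # the next 'type echo' line belongs to this monitor
        elif (m := RE_SLA_ECHO.match(line)) and pending_sla is not None:
            cfg["sla"][pending_sla] = {"target": ip_address(m.group(1)), "iface": m.group(2)}
            pending_sla = None
        elif m := RE_TRACK.match(line):
            cfg["track"][int(m.group(1))] = int(m.group(2))
    return cfg

def check_dual_isp(cfg):
    """Return 'ERROR: ...' / 'NOTE: ...' strings; an empty list means every check passed."""
    out, routes = [], cfg["routes"]
    isp_ifaces = {r["iface"] for r in routes}
    inside_ids = cfg["nat_ids"].get("inside", set())
    # 1. Each ISP-facing interface needs a global sharing the nat (inside) id, or failover traffic has no PAT.
    for iface in sorted(isp_ifaces):
        if not any((iface, nid) in cfg["globals"] for nid in inside_ids):
            out.append(f"ERROR: no 'global ({iface}) <id> interface' matching nat (inside) ids {sorted(inside_ids)}")
    for iface in sorted(cfg["nat_ids"].keys() & isp_ifaces):
        out.append(f"NOTE: 'nat ({iface}) ...' is unnecessary for inside-to-Internet translation")
    # 2. Exactly one tracked default, and every untracked backup must lose on AD until the track fails.
    tracked = [r for r in routes if r["track"] is not None]
    if len(tracked) != 1:
        return out + [f"ERROR: expected exactly one tracked default route, found {len(tracked)}"]
    primary = tracked[0]
    for backup in (r for r in routes if r["track"] is None):
        if backup["ad"] <= primary["ad"]:
            out.append(f"ERROR: backup via {backup['iface']} has AD {backup['ad']} <= primary AD {primary['ad']}")
    # 3. The probe behind that track must leave via the primary interface; a probe out the backup proves nothing.
    sla_id = cfg["track"].get(primary["track"])
    probe = cfg["sla"].get(sla_id)
    if probe is None:
        return out + [f"ERROR: track {primary['track']} does not resolve to an 'sla monitor ... type echo' entry"]
    if probe["iface"] != primary["iface"]:
        out.append(f"ERROR: sla monitor {sla_id} probes via {probe['iface']} but gates the {primary['iface']} route")
    if probe["target"] == primary["nexthop"]:
        out.append(f"NOTE: probe target {probe['target']} is the directly connected next hop; a reply only "
                   "proves the first hop is up, not that the ISP still has a path to the Internet")
    return out

def run_checks(text):
    return check_dual_isp(parse_asa(text))

if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_CONFIG), ("broken variant", BROKEN_CONFIG)):
        print(f"== {name} ==")
        for finding in run_checks(text) or ["all checks passed"]:
            print(" ", finding)
```

Run it against `show running-config` output saved to a file and feed the text to `run_checks`; the posted config passes with two notes only, while the broken variant reports the missing global, the equal AD and the probe on the wrong interface.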

Hi J,

Ok, so what do the 'ospf cost 10' lines mean at the end of the interface Vlan sections? What do you mean 'Points will be appreciated'? Is this some type of support counter?  Thanks again.

Hello Roy,

On the config you placed in here, you are not running an OSPF instance on your firewall, so you can't delete those lines as well.

About the points, don't worry, you only give points to people when you feel they have earned it. But no, this is not a support counter.

Any questions, Let me know.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Gerald Wiltse
Level 1

I really failed to point out the most important aspect of this.  Where the ASA 5520 has a total of 4 Ethernet interfaces, there is no capacity for true link redundancy in all directions anyway.  4 interfaces in a device of this size and cost is a joke. Seriously.

Well, unfortunately there is not much we can do about this. If you are looking for a higher number of interfaces, you can look at installing the 4GE-SSM module for the 5520. Details below:

http://www.cisco.com/en/US/products/ps9320/index.html

Thanks and Regards,

Prapanch

Gerald,

Have you (not) considered aggregating E0/0+E0/1 and E0/2+E0/3, one EtherChannel for data and the other for failover, then the data EtherChannel further divided into subinterfaces, one for outside, another for inside, a third for dmz1...?
