03-17-2013 01:24 AM - edited 03-11-2019 06:15 PM
I want to configure an ASA 5510 with complete redundancy for the first time.
I have already studied all the material from the Cisco website, but there is a lot of material available,
and I'm confused about which material matches my exact requirement.
Please help me with this scenario.
This is current configuration:
--------------------------------------------------------------------------------------
active# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname active
domain-name dhalahore.org
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Inside to the Core Switches
duplex full
nameif Inside
security-level 100
ip address 192.168.10.249 255.255.255.0 standby 192.168.10.250
interface Ethernet0/1
speed 100
duplex full
no nameif
security-level 100
ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
interface Ethernet0/2
description public Server - DMZ
duplex full
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet0/3
description outside to the internet via router
duplex full
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.248 standby Y.Y.Y.Y
interface Management0/0
description LAN/STATE Failover Interface
management-only
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
name-server 10.1.1.254
name-server 10.1.1.253
dns server-group DefaultDNS
domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
access-group 102 in interface DMZ
access-group 102 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x
route Inside 172.16.10.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.20.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.30.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.40.0 255.255.255.0 192.168.10.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.249 255.255.255.255 Inside
telnet 0.0.0.0 0.0.0.0 Inside
--------------------------------------------------------------------------------------------------------------------------------------
03-17-2013 02:41 AM
You haven't configured "nameif" for interface Ethernet0/1.
What is the status of your "show failover" output?
ASA only works in Active/Standby failover mode.
03-17-2013 07:33 AM
Failover is working fine.
Please ignore my current configuration; I want to configure it from scratch.
It should be Active/Standby and VSS.
03-17-2013 09:11 AM
Hello Saleem,
If failover is working fine, I'm not sure what you need from us?
Oh, I think I got it: you want us to configure it from scratch based on the diagram you uploaded, right? A lot of work.
Regards,
Julio Carvajal
03-17-2013 12:15 PM
Please see the below link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.pdf
I want to configure the ASA with complete redundancy.
03-17-2013 12:27 PM
We still need more information:
what do you want to accomplish? EtherChannels, or just redundant interfaces?
If you want a solution or a reply ASAP to the discussions you post here, you have to be as specific as possible.
03-18-2013 02:03 AM
I just need an EtherChannel for E0/0 Inside on the active ASA and E0/1 Inside on the passive ASA.
Got my point?
03-18-2013 09:40 AM
Hello Saleem,
Yeah, just got it...
So an EtherChannel will be built, but which ports will create the logical bundle: E0/0 and which other? Remember that both must belong to the same box; you cannot use cross-stack on the ASA.
Regards
03-18-2013 10:21 PM
E0/0 and E0/1.
03-19-2013 09:12 AM
Hello Saleem,
Let's say that you were going to run LACP and the ASA would be the Active side:
interface gigabitEthernet 0/1
channel-group 1 mode active
interface gigabitEthernet 0/3
channel-group 1 mode active
exit
interface port-channel 1
nameif TEST
ip address 2.2.2.2 255.255.255.0
no shut
interface gigabitEthernet 0/3
no shut
interface gigabitEthernet 0/1
no shut
That's the example, man.
03-20-2013 11:32 AM
I am designing a network with full redundancy using the following equipment. This is my exact requirement:
1: 2 Cores (3750) (I have configured them successfully with HSRP)
2: 2 Firewalls ASA-5510
Following design options:
DESIGN :
Core Switches are using HSRP
Vlans are active on one switch (primary) at a time
CONNECT BOTH CORES WITH 2 ASA
ASA R0(redundant interface=E0+E1)-------------------both Cores (HSRP)
ASA E0 --------------- Core 1 (F3/48) + ASA E1 ---------- Core 2 (F3/48)
ASA E2 --------------- DMZ Switch
ASA E3 --------------- Outside Switch
ASA R0(redundant interface=E0+E1)-------------------both Cores (HSRP)
ASA E0 --------------- Core 2 (F4/48) + ASA E1 ---------- Core 1 (F4/48)
ASA E2 --------------- DMZ Switch
ASA E3 --------------- Outside Switch
Unfortunately I am short of time and my project is behind schedule.
Please share your experience and suggest a better solution.
I have done the core switch configuration with HSRP successfully, and I now just want to configure both ASAs with full redundancy.
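The design in the last post (each ASA's E0/0 and E0/1 cabled to different cores, the pair running Active/Standby) maps onto an ASA redundant interface rather than an EtherChannel: an EtherChannel on the ASA needs 8.4(1) or later, and both members must land on one logical switch (a 3750 StackWise stack, not two standalone HSRP peers), whereas a redundant interface exists in the 8.2(5) code already running here and deliberately spans two switches, with one member active at a time. The configuration below is an added example written for this thread, not code from the original posts or from Cisco. It reuses the interface names, addresses and the FAILOVER link name from the posted running-config; the assumed current state is that config, `<strong-shared-secret>` is a placeholder for the failover key, and the VLAN and port details on the cores are assumptions.

```cisco
! ---- Primary ASA (will be the Active unit), ASA 8.2(5) ----
! A member of a redundant interface must carry no nameif / IP of its own,
! so strip the physical ports first. Removing the nameif also drops the
! commands that referenced "Inside" (nat, route, telnet); they are re-applied
! below once the redundant interface carries the name. Do this from the
! console in a maintenance window. Both members should run identical
! speed/duplex so a member switch does not change link characteristics.
interface Ethernet0/0
 description Inside member A - Core 1
 no nameif
 no ip address
 speed 100
 duplex full
interface Ethernet0/1
 description Inside member B - Core 2
 no ip address
 speed 100
 duplex full
!
! Logical Inside interface. The first member added (E0/0) is the active
! port; E0/1 takes over on link loss. Assumption on the switch side: both
! core ports are access ports in the same Inside VLAN, and that VLAN is
! carried on the trunk between Core 1 and Core 2, so either member can
! reach the HSRP VIP 192.168.10.253.
interface redundant 1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.249 255.255.255.0 standby 192.168.10.250
!
! Re-apply the Inside-referenced commands from the posted config.
nat (Inside) 0 access-list no-nat
route Inside 172.16.10.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.20.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.30.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.40.0 255.255.255.0 192.168.10.253 1
!
! DMZ and Outside stay single-homed, as in the design.
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet0/3
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.248 standby Y.Y.Y.Y
!
! Failover + stateful link on the dedicated Management0/0 port.
! Use a back-to-back cable or an isolated VLAN: the state link carries the
! connection table. The key authenticates and encrypts failover traffic;
! without it the unit-to-unit messages are sent in the clear.
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
failover key <strong-shared-secret>
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
! Health-check the named interfaces so a dead DMZ or Outside link triggers
! a unit switchover; the Inside redundant pair handles its own member switch.
monitor-interface Inside
monitor-interface DMZ
monitor-interface Outside
! Enable failover last, after the link and key are in place.
failover
!
! ---- Secondary ASA: bootstrap only; everything else syncs from the Active ----
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
failover lan unit secondary
failover lan interface FAILOVER Management0/0
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
failover key <strong-shared-secret>
failover
!
! Verify on the Active unit: peer state, and which member is currently active.
show failover
show interface redundant 1
```

Two things to check after pasting. First, pull the cable on the active member and confirm with `show interface redundant 1` that the Inside IP stays up on the other member without a unit failover; then pull the DMZ or Outside cable and confirm `show failover` shows the switchover to the secondary. Second, the example deliberately does not carry over two items from the posted config that a redundancy rebuild is a good moment to tighten: `access-list 102 extended permit ip any any` applied inbound on Outside, which makes the Outside interface effectively open, and `telnet 0.0.0.0 0.0.0.0 Inside`, which allows cleartext management from any Inside host; restrict the former to the published DMZ services and replace the latter with SSH from a management subnet.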