Configuration ASA 5510 Complete Redundancy

saleemsattar (Level 1)

I want to configure an ASA 5510 with complete redundancy for the first time.

I have already studied all the material from the Cisco web site, but there is a lot of material available,

and I'm confused about which material exactly fits my requirement.

Please help me with this scenario.

This is current configuration:

--------------------------------------------------------------------------------------

active# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname active
domain-name dhalahore.org
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Inside to the Core Switches
 duplex full
 nameif Inside
 security-level 100
 ip address 192.168.10.249 255.255.255.0 standby 192.168.10.250
interface Ethernet0/1
 speed 100
 duplex full
 no nameif
 security-level 100
 ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
interface Ethernet0/2
 description public Server - DMZ
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet0/3
 description outside to the internet via router
 duplex full
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.248 standby Y.Y.Y.Y
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
 name-server 10.1.1.254
 name-server 10.1.1.253
dns server-group DefaultDNS
 domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
access-group 102 in interface DMZ
access-group 102 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x
route Inside 172.16.10.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.20.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.30.0 255.255.255.0 192.168.10.253 1
route Inside 172.16.40.0 255.255.255.0 192.168.10.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.249 255.255.255.255 Inside
telnet 0.0.0.0 0.0.0.0 Inside

--------------------------------------------------------------------------------------------------------------------------------------

Accepted Solution

Hello Saleem,

Let's say that you were going to run LACP and the ASA would be the Active side,

  interface gigabitEthernet 0/1
  channel-group 1 mode active
  interface gigabitEthernet 0/3
  channel-group 1 mode active
  exit
  interface port-channel 1
  nameif TEST
  ip address 2.2.2.2 255.255.255.0
  no shut
  interface gigabitEthernet 0/3
  no shut
  interface gigabitEthernet 0/1
  no shut

That's the example, man.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Jennifer Halim (Cisco Employee)

You haven't configured "nameif" for interface Ethernet0/1.

What is the status of your "show failover" output?

ASA only works in Active/Standby failover mode.

Failover is working fine.

Please ignore my current configuration. I want to configure it from scratch.

It should be Active/Standby and VSS.

Hello Saleem,

If failover is working fine, I'm not sure what you need from us?

Oh, I think I got it, you want us to configure it from scratch based on the diagram you uploaded, right? A lot of work.

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Please see the below link:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.pdf

I want to configure the ASA with complete redundancy.

We still need more information.

What do you want to accomplish? EtherChannels, just redundant interfaces?

If you want a solution or a reply ASAP to the discussions you post here, you have to be as specific as possible.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

saleemsattar (Level 1)

I just need an EtherChannel for E0/0 Inside on the active ASA and E0/1 Inside on the passive ASA.

Got my point?

Hello Saleem,

Yeah, just got it...

So an EtherChannel will be built, but which ports will create the logical bundle, E0/0 and which other? Remember that they must belong to each box; you cannot use cross-stack on the ASA.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

E0/0 and E0/1.


I am designing a network with full redundancy using the following equipment. It's my exact requirement:

1: 2 Cores (3750) (I have configured them successfully with HSRP)

2: 2  Firewall ASA-5510

Following design options:

DESIGN:

Core Switches are using HSRP

Vlans are active on one switch (primary) at a time

CONNECT BOTH CORES WITH 2 ASA

ASA R0(redundant interface=E0+E1)-------------------both Cores (HSRP)

ASA E0 --------------- Core 1 (F3/48) + ASA E1 ---------- Core 2 (F3/48)

ASA E2 --------------- DMZ Switch

ASA E3 --------------- Outside Switch

ASA R0(redundant interface=E0+E1)-------------------both Cores (HSRP)

ASA E0 --------------- Core 2 (F4/48) + ASA E1 ---------- Core 1 (F4/48)

ASA E2 --------------- DMZ Switch

ASA E3 --------------- Outside Switch

Unfortunately I am short of time and my project is behind schedule.

Please share your experience and suggest a better solution.

I have done the Core switch configuration with HSRP successfully, and I just want to configure both ASAs with full redundancy.
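As an added example (not code from the thread, from Cisco, or from the poster's devices), this is how the "R0 (redundant interface = E0 + E1)" inside link in the design above can be expressed on the ASA. It reuses the Inside addressing from the posted running config and the ASA's own `interface redundant` / `member-interface` commands; the interface descriptions and the core-port cabling noted in them are assumptions taken from the design sketch. The choice of a redundant interface rather than the LACP `channel-group` / `port-channel` example in the accepted answer is deliberate: EtherChannel on the ASA needs software 8.4(1) or later, while the posted config runs 8.2(5), where pairing two physical ports into one logical interface is done with a redundant interface. The same configuration is applied once on the primary unit; failover replicates it to the secondary, which only differs in `failover lan unit secondary` and in which core each member port is cabled to.

```text
! Added example, not from the thread: Inside link as a redundant interface (ASA 8.2(5)).
! Member ports must carry no nameif, security-level or ip address of their own;
! that is why the posted E0/1 (no nameif, but with an ip address) could not be paired as-is.
interface Ethernet0/0
 description Inside member, active link to Core 1 F3/48 (assumed cabling)
 duplex full
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1
 description Inside member, standby link to Core 2 F3/48 (assumed cabling)
 duplex full
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface redundant 1
 description Inside to the Core Switches (single logical port, one MAC toward the HSRP pair)
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.249 255.255.255.0 standby 192.168.10.250
 no shutdown
!
! Failover stays exactly as posted (failover lan/link on Management0/0).
! The redundant interface is health-monitored under its nameif, so a loss of
! both members on one unit triggers a unit failover; a loss of one member
! only switches the active member and does not fail over the unit.
monitor-interface Inside
!
! Verification after applying (read-only show commands):
!   show interface redundant 1   -> lists both members, which one is active, last switchover
!   show failover                -> "Inside ... Normal (Monitored)" on both units
!   show failover state          -> primary Active, secondary Standby Ready
```

Two caveats a practitioner would check while doing this work, both visible in the posted config rather than assumed: the `telnet 0.0.0.0 0.0.0.0 Inside` line lets any inside host open a cleartext management session to the firewall, and `access-list 102` with `permit ip any any` applied inbound on Outside admits all traffic; neither is part of the redundancy design, but both are worth tightening (management restricted to an admin subnet over SSH, an Outside policy that permits only the published services) in the same change window, because a rebuilt redundant pair will faithfully replicate them to the standby unit.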
