06-05-2012 01:46 AM - edited 03-11-2019 04:15 PM
Hi,
Can someone help me configure the Cisco ASA5510 firewall in HA mode?
Network diagram enclosed.
06-05-2012 03:24 AM
Here is a sample configuration to assist with failover configuration (Active/Standby):
Hope that helps.
06-05-2012 06:42 AM
To configure the inside, outside and DMZ interfaces you just have to configure two IP addresses on each (the active one and the standby one).
Eg:
interface e0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x standby x.x.x.y
no shut
interface e0/1
nameif inside
security-level 100
ip address a.a.a.a 255.255.255.x standby a.a.a.b
no shut
interface e0/2
nameif dmz
security-level 50
ip address c.c.c.c 255.255.255.x standby c.c.c.d
no shut
route outside 0.0.0.0 0.0.0.0 x.x.x.z
06-05-2012 04:39 AM
Thanks Jennifer,
I have done this successfully. Now I need to configure the firewall interfaces as well: I need to put some IPs on outside/inside, and we have to create a DMZ too. I also need help on routing. I'd appreciate it.
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
-------------------------
failover
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
Reg
Sanjeev
06-05-2012 06:59 AM
Hi Jen,
I have applied the same and it is working. The client is asking to configure it like below, as per the enclosed diagram:
routers and firewalls
link 1 : 172.16.1.0 255.255.255.252 ----- Outside int for Data on E0/0
Link 2 : 172.16.2.0 255.255.255.252 ----- Outside int for Voice on E0/3
DMZ : 10.28.63.33 255.255.255.240 standby 10.28.63.34 E0/2 with Vlan 100
Inside : 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with Vlan 102
On ASA Firewall –
My confusion is about routes: how do I add routes for all of them?
Regards
Sanjeev
06-05-2012 07:24 AM
What subnets are behind each of the interfaces, and what is the next hop for each interface?
Once you provide that information, I can assist with the route statements.
06-05-2012 07:40 AM
Hi Jen,
Below are a few more details. Please refer to the enclosed diagram.
VLAN | Ports | Firewall IP | VLAN ID | VLAN Name | Gateways | IP range | Subnet mask | Network
Management | | | 2 | Management | 10.28.63.14 | 10.28.63.1 - 63.14 | 255.255.255.240 | 10.28.63.0/28
Security VLAN | Inside | 10.28.63.17/18 | 102 | Security | 10.28.63.30 | 10.28.63.17 - 63.30 | 255.255.255.240 | 10.28.63.16/28
DMZ to Firewall | TECHM | 10.28.63.33/34 | 100 | DMZ | 10.28.63.46 | 10.28.63.33 - 63.46 | 255.255.255.240 | 10.28.63.32/28
DMZ to DMPLS router 1 | L3 connectivity | | | | | 10.28.63.49 - 63.50 | 255.255.255.252 | 10.28.63.48/30
DMZ to DMPLS router 2 | L3 connectivity | | | | | 10.28.63.53 - 63.54 | 255.255.255.252 | 10.28.63.52/30

Remark | Vlan ID | Vlan IP | Subnet Mask | Subnet | Vlan Name
Agent VLAN1 on Core | 104 | 172.22.15.254 | 255.255.255.0 | | Agent 1 Vlan
Agent Vlan2 on Core | 105 | 172.22.16.254 | 255.255.255.0 | | Agent 2 Vlan

routers and firewalls
link 1 : 172.16.1.0 255.255.255.252 ----- Outside int for Data on E0/0
Link 2 : 172.16.2.0 255.255.255.252 ----- Outside int for Voice on E0/3
DMZ : 10.28.63.33 255.255.255.240 standby 10.28.63.34 E0/2 with Vlan 100
Inside : 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with Vlan 102

Device | IP
Management IP for Core | 10.28.63.14
Management IP for C-DMZ | 10.28.63.10
Management IP for Access Switch | 10.28.63.11
Firewall Primary LAN IP | 10.28.63.17
Firewall Secondary LAN IP | 10.28.63.18
Firewall Primary DMZ IP | 10.28.63.33
Firewall Secondary DMZ IP | 10.28.63.34
06-05-2012 07:49 AM
Hmm, I am confused. Your diagram above does not correlate with your previous post.
Can you share your ASA configuration? I assume that you have configured all the interfaces?
Also, you haven't specified which networks/subnets are behind each of the ASA interfaces.
06-07-2012 02:51 AM
Still not configured; I will try with the below...
interface Ethernet0/0
description Outside_Data
nameif outside
security-level 0
ip address
!
interface Ethernet0/1
description Inside LAN Interface
no nameif
no security-level
no ip address
!
interface Ethernet0/1.102
description Inside LAN Interface
vlan 102
nameif INSIDE
security-level 100
ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
no shut
!
interface Ethernet0/2
description TechM
no nameif
no security-level
no ip address
no shut
!
interface Ethernet0/2.100
description CDMZ
vlan 100
nameif CDMZ
security-level 50
ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
no shut
exit
!
interface Ethernet0/3
description Outside Voice
nameif Outside_Voice
security-level 0
ip address
!
interface Management0/0
description LAN/STATE Failover Interface
06-07-2012 04:10 AM
OK, looking good so far with the interface configuration.
06-07-2012 04:14 AM
Hi Jen,
My confusion is how to put routes in and how many routes I need to add, and whether I need to add PAT as well.
Sanjeev
06-07-2012 05:14 AM
It depends on how you would like to route the networks behind each interface.
Initially, you would need a default route for the Outside interface:
route outside 0.0.0.0 0.0.0.0
Does your voice network need to reach the internet, or is it internal only?
06-07-2012 05:52 AM
Actually I have two links towards the outside, one for Data and another for Voice, with the IPs given below.
routers and firewalls
link 1 : 172.16.1.0 255.255.255.252 (don't have a standby IP yet; will arrange shortly)
Link 2 : (not yet in production) 172.16.2.0 255.255.255.252 (don't have a standby IP yet; will arrange shortly)
for INSIDE: ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with VLAN 102 and gateway
10.28.63.30
for DMZ: ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34 with VLAN 100 and gateway 10.28.63.46 255.255.255.240
So I have the config like below; please suggest what is best.
TechMFWPRIM(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname TechMFWPRIM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Outside Airtel_Data
nameif Outside_Data
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
description Inside Airtel LAN Interface
no nameif
no security-level
no ip address
!
interface Ethernet0/1.102
description Inside Airtel LAN Interface
vlan 102
nameif INSIDE
security-level 100
ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.100
description CDMZ
vlan 100
nameif CDMZ
security-level 50
ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
interface Ethernet0/3
description Outside_Voice
nameif Outside_Voice
security-level 0
ip address 172.16.2.2 255.255.255.252
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
pager lines 24
logging asdm informational
mtu Outside_Data 1500
mtu INSIDE 1500
mtu CDMZ 1500
mtu Outside_Voice 1500
failover
failover lan unit primary
failover lan interface HA-SYNC Management0/0
failover replication http
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
route Outside_Voice 0.0.0.0 0.0.0.0 172.16.2.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.28.0.0 255.255.255.240 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username TIMFW password c.6Nu5hdpSeNFjvS encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:39242421493f5e1e7e9039247fa4ac00
: end
TechMFWPRIM(config)#
06-07-2012 07:04 PM
Please be advised that you can't have two default routes on an ASA firewall. Hence you can't have two Outside interfaces connected to the Internet.
You would need to combine your Outside Data and Outside Voice into one interface.
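As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python script that runs the checks raised in this discussion over pasted ASA config text: that every named interface carries a standby address in the form `ip address A MASK standby B` (Jennifer's interface example earlier in the thread), that the failover commands of the two units match apart from `failover lan unit primary|secondary` (the misspelt keyword in the earlier post would not be accepted), and the point in this reply that only one default route can exist. The sample configs embedded in it are constructed from the snippets posted above; the function names and finding texts are the example's own.

```python
"""Static sanity checks for an ASA Active/Standby pair (added example).

Encodes the rules stated in the thread: each named interface needs
'ip address A MASK standby B', both units share the same failover lines
except 'failover lan unit', and only one default route may exist.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str                       # e.g. Ethernet0/1.102
    nameif: Optional[str] = None
    ip: Optional[str] = None
    mask: Optional[str] = None
    standby: Optional[str] = None
    trailing: List[str] = field(default_factory=list)  # tokens after the standby IP


def parse_interfaces(config: str) -> List[Interface]:
    """Collect 'interface' stanzas with their nameif and ip address lines."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        key = tokens[0].lower()
        if key in ("!", "exit"):        # closes the current stanza
            current = None
        elif key == "interface" and len(tokens) > 1:
            current = Interface(name=tokens[1])
            interfaces.append(current)
        elif current is None:
            continue                    # global command, not inside a stanza
        elif key == "nameif" and len(tokens) > 1:
            current.nameif = tokens[1]
        elif key == "ip" and len(tokens) >= 4 and tokens[1].lower() == "address":
            current.ip, current.mask = tokens[2], tokens[3]
            rest = tokens[4:]
            if len(rest) >= 2 and rest[0].lower() == "standby":
                current.standby, current.trailing = rest[1], rest[2:]
    return interfaces


def check_interfaces(config: str) -> List[str]:
    """Flag named interfaces with no standby address or a malformed one."""
    findings = []
    for itf in parse_interfaces(config):
        if itf.nameif is None or itf.ip is None:
            continue                    # parent of a subinterface, or not addressed yet
        label = f"{itf.name} ({itf.nameif})"
        if itf.standby is None:
            findings.append(f"{label}: no standby address; the standby unit "
                            "cannot monitor this interface")
        elif itf.trailing:
            findings.append(f"{label}: extra tokens {' '.join(itf.trailing)!r} after "
                            "the standby address; the form is 'ip address A MASK standby B'")
    return findings


def check_default_routes(config: str) -> List[str]:
    """Flag a missing default route, or default routes on several interfaces."""
    egress = set()
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0].lower() == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            egress.add(t[1])
    if not egress:
        return ["no default route configured"]
    if len(egress) > 1:
        return [f"default routes on {len(egress)} interfaces ({', '.join(sorted(egress))}); "
                "the ASA needs a single outside interface for the default route"]
    return []


def check_failover_pair(primary: str, secondary: str) -> List[str]:
    """The two units may differ only in 'failover lan unit primary|secondary'."""
    def failover_lines(cfg: str) -> set:
        return {ln.strip().lower() for ln in cfg.splitlines()
                if ln.strip().lower().startswith("failover")}
    p, s, role = failover_lines(primary), failover_lines(secondary), "failover lan unit"
    findings = []
    if f"{role} primary" not in p:
        findings.append("primary unit: missing 'failover lan unit primary'")
    if f"{role} secondary" not in s:
        findings.append("secondary unit: missing 'failover lan unit secondary' "
                        "(check the spelling of the keyword)")
    shared_p = {x for x in p if not x.startswith(role)}
    shared_s = {x for x in s if not x.startswith(role)}
    for ln in sorted(shared_p ^ shared_s):
        findings.append(f"failover line present on only one unit: {ln}")
    return findings


# Constructed sample, modelled on the primary unit's config posted in the thread.
PRIMARY = """\
interface Ethernet0/0
 nameif Outside_Data
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1.102
 nameif INSIDE
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240
!
interface Ethernet0/2.100
 nameif CDMZ
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
failover
failover lan unit primary
failover lan interface HA-SYNC Management0/0
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
route Outside_Voice 0.0.0.0 0.0.0.0 172.16.2.1 2
"""
# Constructed secondary unit, reproducing the misspelt keyword from the thread.
SECONDARY = """\
failover
failover lan unit secondry
failover lan interface HA-SYNC Management0/0
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
"""

if __name__ == "__main__":
    for f in (check_interfaces(PRIMARY) + check_default_routes(PRIMARY)
              + check_failover_pair(PRIMARY, SECONDARY)):
        print("FINDING:", f)
```

Run against the sample it reports four findings: the Outside_Data interface with no standby address, the INSIDE line with a mask after the standby address, two default routes on different interfaces, and the secondary unit's misspelt role keyword. Paste a real `show running-config` in place of the constructed strings to check your own pair before enabling failover.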
06-07-2012 11:13 PM
HI Jen,
I am unable to understand. Could you please suggest an example or make the amendment to my configuration, so this can be done with your kind help?
Reg
Sanjeev