02-07-2011 03:47 AM - edited 03-11-2019 12:45 PM
Experts,
Good day. I am configuring a new Cisco firewall for redundancy. I used the Cisco documentation, but I am having trouble getting it to work properly.
I have 2 interfaces as of now.
interface global: 192.168.100.10 /24
interface local: 172.16.20.10 /24
The first one is to configure twin ASAs in active/standby, and the second one is to configure active/standby mode for 2 firewall modules within the same 4500 switch.
You can use the same interface ranges above for both configurations.
Please help me with basic configs. The config for the firewall module on the 4500 is giving me a hard time. Please help me configure it along with the VLAN definitions for the modules. Also, the link failover interface & stateful interface are getting me confused.
Appreciate all help for this.
Thank you all in advance.
02-07-2011 06:09 AM
Here is the configuration guide for failover using FWSM:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1064158
The commands used on the switch are:
firewall multiple-vlan-interfaces
firewall switch 1 module 4 vlan-group 1
firewall vlan-group 1 2,5
Here we assume that the module is on slot 4 and that the two interfaces are assigned to VLAN2 and VLAN5.
Make sure these VLANs exist on the switch.
If your question is not about the FWSM then please accept my apologies.
02-07-2011 07:14 AM
Thanks Paul for extending your valuable help.
The failover has to work within a single 4500 having two firewall modules.
I read that documentation, but I am getting stuck trying to understand whether there is a need to configure a failover link interface & a stateful link interface.
If so, how & where do I configure & lay these out to fit the failover properly?
Apologies if my question isn't clear. Do let me know if that seems to be so.
Thanks in advance.
02-07-2011 07:44 AM
Let's see if I can help you with that:
First you should have both modules installed in the chassis (let's say slot 3 and 4).
Then you have to create the VLANs you want the firewall to protect. On the switch:
SW(config)# vlan 10
SW(config-vlan)#name INSIDE
SW(config)# vlan 20
SW(config-vlan)#name OUTSIDE
Then you can create the VLAN that will serve as the failover link:
SW(config)# vlan 30
SW(config-vlan)#name FAILOVER
Then you have to define the VLANs in a firewall VLAN group:
firewall vlan-group 1 10,20,30
Then attach the VLAN group to the FWSM. (I am not 100% sure about the sequence of those commands)
firewall module 3 vlan-group 1
firewall module 4 vlan-group 2
After that you should be able to access each FWSM and add the rest of the commands, for example, set the basic config and failover commands on each unit.
Let me know if this helps.
Here is the config guide:
02-07-2011 08:23 AM
Thanks. Shouldn't vlan-group 2 also be put in?
The failover interface (as I know) is used for link information related to failover. If so, is there another interface to keep the state table in a failover configuration?
Lastly, will the layer 3 interfaces for all of these be done on the firewall? Please correct my understanding.
Thank you.
02-07-2011 08:32 AM
You can use the failover link interface and the failover state interface separately. Just add the necessary VLANs and configure them on the two FWSM modules.
Layer 3 interfaces can still be on the FWSMs.
02-08-2011 08:29 AM
I did the following lines to achieve this:
int vlan10
nameif global
security-level 0
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.100
int vlan20
nameif local
security-level 100
ip address 192.168.112.1 255.255.255.0 standby 192.168.112.100
int vlan60
nameif HA-fail
security-level 22
ip address 192.168.115.1 255.255.255.248 standby 192.168.115.5
int vlan70
nameif HA-state
security-level 32
ip address 192.168.125.1 255.255.255.248 standby 192.168.125.5
Primary module:
failover lan unit primary
failover lan interface HA-FAIL vlan60
failover link HA-STATE vlan70
Secondary module:
failover lan unit secondary
failover lan interface HA-FAIL vlan60
failover link HA-STATE vlan70
firewall module 3 vlan-group 91
firewall module 4 vlan-group 92
firewall vlan-group 91 10,20,60,70
This is not taking effect. The failover output shows stateful link: unconfigured. When vlan70 & vlan60 are used with the failover lines, the error says both VLANs are already configured.
Appreciate help!
02-08-2011 11:46 AM
You need to change a few things.
Please remove the configuration of int Vlan 60 and int Vlan 70, but make sure the interfaces are still configured, just without the name, IP and security level.
Then add the following commands:
failover interface ip HA-fail 192.168.115.1 255.255.255.248 standby 192.168.115.5
failover interface ip HA-STATE 192.168.125.1 255.255.255.248 standby 192.168.125.5
Make sure you apply those commands on both units.
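As an added example, not from this thread or from Cisco, here is a small Python lint that checks an FWSM active/standby config text for the three problems discussed above: a failover VLAN that still carries nameif/security-level/ip address in its interface block, a failover link name with no "failover interface ip" line, and a vlan-group that a module is attached to but that is never defined (or does not carry the failover VLANs). The SAMPLE config is constructed to resemble the posted one; the interface block format and command spellings are assumptions based on the lines shown in the thread.

```python
import re
# Constructed sample modelled on the thread's config (not the attachment): vlan60 still
# carries nameif/security-level/ip address, HA-fail has no "failover interface ip" line,
# and the chassis attaches vlan-group 92 without ever defining it.
SAMPLE = """\
interface vlan60
 nameif HA-fail
 security-level 22
 ip address 192.168.115.1 255.255.255.248 standby 192.168.115.5
failover lan interface HA-fail vlan 60
failover link HA-state vlan 70
failover interface ip HA-state 192.168.125.1 255.255.255.248 standby 192.168.125.5
firewall module 3 vlan-group 91
firewall module 4 vlan-group 92
firewall vlan-group 91 10,20, 60,70
"""
SUBCMDS = {"nameif", "ip", "security-level"}  # interface-block commands a failover VLAN must not carry

def lint_failover(config):
    """Return a list of findings; empty when the failover wiring is consistent."""
    iface_cmds, fo_links, fo_ips, groups, refs = {}, {}, set(), {}, set()
    current = None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"interface vlan\s*(\d+)", line, re.I):
            current = int(m.group(1)); iface_cmds.setdefault(current, set()); continue
        if current is not None and line.split()[0] in SUBCMDS:
            iface_cmds[current].add(line.split()[0]); continue
        current = None  # any other top-level command ends the interface block
        if m := re.match(r"failover (?:lan interface|link) (\S+) vlan\s*(\d+)", line, re.I):
            fo_links[m.group(1).lower()] = int(m.group(2))  # names compared case-insensitively
        elif m := re.match(r"failover interface ip (\S+)", line, re.I):
            fo_ips.add(m.group(1).lower())
        elif m := re.match(r"firewall vlan-group (\d+) (.+)", line, re.I):
            groups[int(m.group(1))] = {int(v) for v in re.findall(r"\d+", m.group(2))}
        elif m := re.match(r"firewall module \d+ vlan-group (\d+)", line, re.I):
            refs.add(int(m.group(1)))
    findings = []
    for name, vlan in fo_links.items():
        if bad := sorted(iface_cmds.get(vlan, set()) & SUBCMDS):
            findings.append(f"vlan{vlan} ({name}): remove {bad}; the address belongs in 'failover interface ip'")
        if name not in fo_ips:
            findings.append(f"{name}: no 'failover interface ip {name} ...' line, so the link stays unconfigured")
        for g in sorted(refs & set(groups)):
            if vlan not in groups[g]:
                findings.append(f"vlan-group {g} is attached to a module but does not carry vlan{vlan}")
    for g in sorted(refs - set(groups)):
        findings.append(f"vlan-group {g} is attached to a module but never defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_failover(SAMPLE)) or "no findings")
```

Running it on the sample reports the three findings; running it on the corrected config (interface blocks stripped, both "failover interface ip" lines present, vlan-group 92 defined with the same VLANs) reports none.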
02-08-2011 11:52 PM
What is the reason for removing the security level and IP address from the interface for this configuration? I will try these configurations today at noon.
Thanks.
02-10-2011 09:18 PM
Hi Experts,
Post configuration, both show as active. The failover interface is up on both modules.
The configuration is posted in the attached file.
Failover history shows no active unit found. This appears on both modules. All the VLANs are specified in the vlan-groups of the chassis.
Should a ping from one unit to the other unit's HA-fail interface be possible? There are also some errors seen, given in the file, which according to Cisco are not problematic.
Please help with suggestions. Appreciate all help, thanks.
02-11-2011 01:16 AM