Let's first work on the ASA1 which will be our primary unit.Ĭiscoasa(config-if)#description inside-intĬiscoasa(config-if)#ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2Ĭiscoasa(config)#failover lan unit primaryĬiscoasa(config)#failover lan interface failover-int GigabitEthernet2Ĭiscoasa(config)#failover link stateful-int GigabitEthernet3Ĭiscoasa(config)#failover interface ip failover-int 10.1.2.1 255.255.255.0 standby 10.1.2.2Ĭiscoasa(config)#failover interface ip stateful-int 10.1.3.1 255.255.255.0 standby 10.1.3.2 There is one inside interface on each ASA which connects to the LAN. There is one stateful failover link on each ASA to communicate and pass all state related information. There is one failover interface on each ASA to send hello messages, mac address exchange and other information. We won't get too much into the configuration of the outside interface / NAT in this blogtorial but I will save this for another post. Secondary Firewall interface GigabitEthernet0/0įailover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.We have two outside interfaces on each ASA to connect to two different ISPs and we will advertise our public address upstream. Using the command “ show failover” will display information on the failover state of the local appliance, such as whether Failover is turned on, Failover Priority, Failover Interface, Timers, State (local), State of other host etcįull Configuration Primary Firewall interface GigabitEthernet0/0įailover lan interface FAILOVER GigabitEthernet0/2įailover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2įailover link FAILOVER GigabitEthernet0/2 Use the same commands on both appliances, but ensure to specify “failover lan unit primary” only on the preferred Primary/Active appliance and specify “failover lan unit secondary” on the preferred Secondary/Standby appliance. Step 6 – Enable Failover on the Firewall failover Configure Stateful Failover InterfaceĬonfigure Stateful Failover (notice we are sharing the same interface for both Failover and Stateful Failover) failover link FAILOVER GigabitEthernet0/2 Un-shutdown the interface used to be configured for failoverĬonfigure failover interface called “FAILOVER” on Gig0/2 failover lan interface FAILOVER GigabitEthernet0/2Ĭonfigure IP address on the Failover Interface failover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2Ĭonfigure a Failover Key (to ensure traffic is encrypted when sent between devices) failover key cisco1234Ĭonfigure the Firewall as either Primary OR Secondary (NOT BOTH) failover lan unit primary | secondary The Cisco ASAv virtual appliance version 9.5(2) was used in this configuration, refer to the previous post on how to configure ASAv in GNS3.Īctive/Standby Failover Configuration ExampleĬonfigure the INSIDE and OUTSIDE interfaces with the Active and Standby IP address The purpose of this blog post is to document the steps to configure the Cisco ASA firewalls in Active/Standby Failover mode.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |