Cisco ASA Firewall Active/Standby config

Firewall 1 Configuration

config t
!
hostname FW1
!
interface Ethernet0
nameif management
security-level 0
ip address 192.168.1.65 255.255.255.0
no shutdown
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet2
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet3
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1.200
vlan 200
nameif dmz
security-level 0
ip address 10.10.20.254 255.255.255.0
no shutdown
!
interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 10.10.30.254 255.255.255.0
no shutdown
!
interface Port-channel1.400
vlan 400
nameif outside
security-level 0
ip address 10.10.40.254 255.255.255.0
no shutdown
!
mtu dmz 1500
mtu inside 1500
mtu outside 1500
mtu management 1500

http server enable
http 192.168.1.0 255.255.255.0 management
management-access management
username cisco password 3USUcOPFUiMCO4Jk encrypted
!

FW# show run | begin aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
FW# show run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2

ASA ACTIVE / Standby
=======================
config t
interface Ethernet4
no shutdown

interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0
no shutdown

failover lan unit primary
failover lan interface FAILOVER Ethernet4

failover link FAILOVER Ethernet4

failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2

failover

interface Port-channel1.300
ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253

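! management is Ethernet0; outside is Port-channel1.400
interface Ethernet0
ip address 192.168.1.65 255.255.255.0 standby 192.168.1.66

interface Port-channel1.400
ip address 10.10.40.254 255.255.255.0 standby 10.10.40.253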

FW2 (Standby)

failover lan unit secondary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover

interface Ethernet4
no shutdown

MONITORING INTERFACE

monitor-interface inside
monitor-interface outside
monitor-interface management

TESTING FAILOVER

FW1/pri/act(config)# no failover active
FW1/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

    Switching to Standby

FW1/pri/stby(config)#
FW1/pri/stby(config)#
FW1/pri/stby(config)# fail
FW1/pri/stby(config)# failover ac
FW1/pri/stby(config)# show mon
FW1/pri/stby(config)# show monitor-interface
This host: Primary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
Other host: Secondary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
FW1/pri/stby(config)# failover active
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

    Switching to Active

FW1/pri/act# show monitor-interface
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
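
Several settings in the configuration above are worth checking before a lab config like this is reused: failover is enabled without a failover key, SSH uses dh-group1-sha1, SSL accepts any version with RC4/3DES ciphers, the console never times out, and dmz has no standby address. The Python script below is an added example, not part of the original post; the rule list, the audit function and the sample excerpt are constructed for illustration from the lines shown on this page.

```python
import re

# Constructed sample: a running-config excerpt built from lines shown on this page.
SAMPLE_CONFIG = """\
interface Port-channel1.200
 nameif dmz
 ip address 10.10.20.254 255.255.255.0
interface Port-channel1.300
 nameif inside
 ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
failover lan unit primary
failover lan interface FAILOVER Ethernet4
failover
ssh key-exchange group dh-group1-sha1
console timeout 0
ssl server-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 aes256-sha1 3des-sha1
"""

# (regex, finding) pairs for weaknesses visible on a single config line.
LINE_RULES = [
    (r"^ssh key-exchange group dh-group1-sha1$", "SSH key exchange is dh-group1-sha1 (1024-bit DH, SHA-1)"),
    (r"^ssl server-version any$", "SSL server accepts any protocol version"),
    (r"^ssl encryption .*\b(rc4|3des)-", "SSL cipher list includes RC4 or 3DES"),
    (r"^console timeout 0$", "console session never times out"),
]

def audit(config: str) -> list[str]:
    """Return a list of findings for an ASA running-config given as text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() and ln.strip() != "!"]
    findings = [msg for pat, msg in LINE_RULES if any(re.search(pat, ln) for ln in lines)]
    # Without a key, traffic on the failover link between the units is sent in clear text.
    if "failover" in lines and not any(ln.startswith(("failover key ", "failover ipsec ")) for ln in lines):
        findings.append("failover enabled without 'failover key'")
    # Walk interface stanzas: flag named interfaces whose address has no standby peer.
    name = None
    for ln in lines:
        if ln.startswith("interface "):
            name = None
        elif ln.startswith("nameif "):
            name = ln.split()[1]
        elif ln.startswith("ip address ") and name and " standby " not in ln:
            findings.append(f"interface '{name}' has no standby IP address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("[!]", finding)
```

Feed it the text of `show running-config` from the active unit; stanzas pasted in the order typed on this page would flag an interface before its later standby line is seen.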

Happy labbing!