Cisco ASA Active Standby Failover Configuration

Captions
Hi, my name is Shyam and in this video I'm going to show you how to configure active/standby failover on a Cisco ASA firewall.

This is the network topology I'm going to use for this demonstration. I have an inside host called PC-1 that connects to a router. The router connects to two ASA firewalls on their inside interface, which is GE0, with a switch in between them, and the ASA firewalls also connect to an outside host called PC-2 on their outside interface, which is GE3. This switch in the middle is used to replicate the failover information between both the firewalls: GE1 is the regular failover interface and GE2 is the stateful failover interface.

OK, so let's get started. On the router I have absolutely no configuration; I just have the IP addresses assigned on the interfaces and I have a static route configured for the 172.16.0.0 subnet, which is the outside subnet. You can see that here: the outside PC is on the 172.16.1.0/24 subnet, so I just have a static route pointing to 192.168.1.2, which is going to be the inside interface of the firewall. You can see that here, 192.168.1.2. On the ASAs I have no configuration at all; you can see the only thing I have on the firewalls is that the interfaces are administratively up, that is, I have a "no shutdown" issued on the interfaces.

OK, and before we start configuring I want you to notice the hostname on both the firewalls. This is going to be my primary firewall for the failover and the hostname is certvideos, and this is my secondary firewall, which has the hostname certvideos-sec. I want you to notice this because we are going to see something interesting happening with the hostname once the failover is configured.

OK, so let's get started. First I'm going to configure the primary firewall. The first command is "failover lan unit primary". This command essentially says that this firewall is going to be the primary firewall for the failover. Next we need to designate an interface for failover, so I'm going to say "failover lan interface" and I'm going to call this link folink; you can call it whatever you want. My failover link is going to be G1, that is, GigabitEthernet1; I have it marked here in the topology as GE1. Oops, OK, so now it's fine. Next we need to assign an IP address to the failover link, so I'm going to say "failover interface ip", the name of the interface is folink, and the IP address that I'm going to assign is 192.168.2.2 and the standby IP address is 192.168.2.3. So: "192.168.2.2 255.255.255.0 standby 192..." Oops, I'm sorry about that, I'll type that again. "failover interface ip folink 192.168..." I'm sorry, that was my Num Lock. One more time: "failover interface ip folink 192.168.2.2 255.255.255.0 standby 192.168.2.3". OK, so that's fine now. And I'm going to configure a key for the failover, so I'm going to say "failover key certvideos.com". And the last command, to activate the failover, is "failover". OK, so that's all the configuration on the primary firewall.

Next I'm going to hop on to the secondary firewall, and the configuration of the secondary firewall is going to be exactly the same as that on the primary firewall. So I'm going to say "failover lan unit secondary", and then "failover lan interface folink" with the same interface, Gig 1. You can see that here: Gig 1 is for regular failover. And an IP address: "failover interface ip folink". Now you need to assign the IP addresses in the same order that you assigned them on the primary firewall; you can see that here, 192.168.2.2. So I'm going to say "192.168.2.2 255.255.255.0 standby 192.168.2.3". OK, and my key is going to be the same, certvideos.com, and finally "failover" to activate. OK, so it says "Detected an Active mate, beginning configuration replication from mate"; you can see the same message here, "Beginning configuration replication: Sending to mate". Now you can ignore this error message that you see here; I think that is a bogus message and we can ignore it for the moment. And it says "End configuration replication to mate", which means the failover is properly configured now.

Now we can check the failover status with the command "show failover". OK, so it says failover is on, this unit is the primary, and it shows what the failover interface is. So we have failover configured. Now I want you to notice something here: the hostname on the primary firewall was certvideos, which is correct; however, on the secondary firewall you can see the hostname is also certvideos. That's because the configuration was replicated from the primary, or the active, firewall to the standby firewall, so it takes the same hostname as the primary firewall. So how do we differentiate between the primary and the secondary firewall? The command to do this is "prompt hostname priority state". OK, type it, and now you see certvideos/pri/act: this is the primary firewall and this is the one that is active right now. OK, I'm going to say "write memory" to write the configuration to memory, and the command to write the configuration on the standby firewall is "write standby". This command causes a configuration replication to happen; you can see that here. So you should be able to see the hostname change on the secondary firewall as well. There you see it: it says certvideos is the hostname, it's the secondary firewall and it's in standby currently.

OK, so now we can proceed with the interface configuration: "show interface ip brief". Now I'm going to configure GigabitEthernet0, that is my inside interface GE0, so I'm going to configure that first: "interface GigabitEthernet0", "ip address 192.168.1.2", that is what is written here, "192.168.1.2 255.255.255.0 standby 192.168.2.3"... I'm sorry, 1.3; the standby IP address is 1.3. OK, and "nameif inside", and I'm going to say "no shutdown". Now this configuration should already be replicating on the secondary firewall because we have failover configured, so you should be able to see it here: "show interface ip brief", and there you can see that.

Next we will quickly configure the outside interface, which is GE3 here. So I'm going to say "interface GigabitEthernet3"; the IP address is 172.16.1.2 and the standby is 1.3, so I'm going to say "ip address 172.16.1.2 255.255.255.0 standby 172.16.1.3". The nameif is going to be outside and I'm going to say "no shutdown". Now before we proceed any further I just want to check the configuration of the interface GigabitEthernet0. Yeah, I thought so; I'm going to change the security level to 100: "interface GigabitEthernet0", "security-level 100". OK, so we're good to go.

Now let's try to ping the outside host PC-2 from PC-1. I'm using a virtual PC simulator to simulate both the host machines, so I'm on PC-1 right now and I'm going to ping the outside host, which is 172.16.1.4. OK, so it doesn't work, and it shouldn't be working because we don't have any routing configured on the firewall. So I'm going to add a route on the firewall for the 10 subnet, which is the inside subnet: "route inside 10.1.1.0 255.255.255.0" and I'm going to forward the traffic to this interface on the router, 192.168.1.1. I'm sorry, it is "route inside ...", OK, cool. So let's try to ping once again. Ping, and it doesn't work. That's because we do not have an access list configured on the firewall: "show run access-list". So let's quickly configure a couple of access lists, one for the inside and one for the outside interface: "access-list inside_in permit ip any any" and "access-list outside_in permit ip any any". And let's attach these to the interfaces: "access-group inside_in in interface inside", inbound on the inside interface, and "access-group outside_in in interface outside", inbound on the outside interface. Now let's try to ping the outside host. OK, there you can see it is working fine now. So that's how you configure failover on a Cisco ASA firewall.

Now lastly, before I finish the video, I want to show you how to configure stateful failover. The command for stateful failover is "failover link"; I'm going to call the stateful failover link sflink, and the interface for stateful failover is GE2. GE2 is the stateful failover interface, so I'm going to say GigabitEthernet2. And I'm going to assign an IP address: "failover interface ip sflink"; the IP address for the stateful failover is 192.168.3.2 and the standby is 3.3, so "192.168.3.2 standby 192.168.3.3". OK, I forgot the subnet mask, 255.255.255.0. This replicates to the standby firewall because we already have failover configured, so I'm going to just say "write standby". And now we can check the stateful failover configuration, or status: "show failover". Now you can see the stateful failover is activated; you can see the statistics here, not much happening here though. So stateful failover is configured. The last command I want to talk about is "failover replication http". This command is used if you want to replicate your HTTP sessions between both the firewalls. OK, so that's how you configure active/standby failover on a Cisco ASA firewall. Thank you for watching.
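The procedure from the captions collected into one configuration, as an added example that is not from the video. Interface names follow the video's GE0..GE3 (a physical 5500-X uses GigabitEthernet0/0 and so on), the addresses and the "certvideos.com" key are the video's, and the 10.1.1.0/24 inside subnet is assumed from the route the speaker types. Two things differ from the video on purpose: the outside "permit ip any any" access list is shown as the weak setting beside a stateful alternative (ICMP inspection, so echo replies return without opening the outside interface to everything), and the failover link gets the hardening a practitioner would add, since it carries the full running configuration, including replicated secrets, in the clear.

```cisco
!===== Primary unit (video: hostname certvideos) =====
! Unit role and the failover-link definition are the only commands that are
! NOT replicated; enter them on each unit. Order: role, link, link address.
failover lan unit primary
failover lan interface folink GigabitEthernet1
failover interface ip folink 192.168.2.2 255.255.255.0 standby 192.168.2.3
! Stateful link (the video adds this at the end; it can go in up front)
failover link sflink GigabitEthernet2
failover interface ip sflink 192.168.3.2 255.255.255.0 standby 192.168.3.3
! WEAK: a short dictionary key; the key only authenticates hello packets.
failover key certvideos.com
! HARDENED (ASA 9.1(2) and later): IPsec-protect the failover and stateful
! links so replicated configuration is encrypted. Key shown is a placeholder.
! failover ipsec pre-shared-key 0 <long-random-key>
! Use a dedicated, point-to-point or isolated VLAN for GE1/GE2 either way.
failover replication http
prompt hostname priority state
failover

!===== Secondary unit (video: hostname certvideos-sec) =====
! Same link name, same interface, addresses in the SAME order (active,
! then standby), same key. Everything else arrives by replication.
failover lan unit secondary
failover lan interface folink GigabitEthernet1
failover interface ip folink 192.168.2.2 255.255.255.0 standby 192.168.2.3
failover key certvideos.com
failover

!===== Data interfaces, entered on the active unit only =====
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 no shutdown
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0 standby 172.16.1.3
 no shutdown
! 10.1.1.0/24 is assumed to be the inside host subnet behind the router
route inside 10.1.1.0 255.255.255.0 192.168.1.1

!===== Access policy =====
! WEAK (what the video does): this makes the outside interface pass any
! unsolicited traffic inbound, which defeats the purpose of the firewall.
! access-list outside_in extended permit ip any any
! access-group outside_in in interface outside
!
! Alternative: inside (100) to outside (0) is already allowed without an
! ACL. Make ICMP stateful so the echo replies come back, and leave the
! outside interface with its implicit deny.
policy-map global_policy
 class inspection_default
  inspect icmp
! If specific inbound services are required, permit only those:
! access-list outside_in extended permit tcp any host 172.16.1.2 eq 443
! access-group outside_in in interface outside

!===== Save and verify =====
write memory
write standby
show failover
show failover state
show monitor-interface
! Forced switchover test from the active unit, then switch back:
! no failover active
! failover active
```

Check "show failover" after each step: "This host: Primary - Active" with the mate "Standby Ready" is the healthy state, and "show monitor-interface" confirms both data interfaces are monitored on both units so a failed link on the active unit actually triggers a switchover.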
Info
Channel: Shyam Raj
Views: 60,936
Keywords: cisco asa, failover
Id: 5fs1WZOH4zg
Length: 12min 38sec (758 seconds)
Published: Sat Feb 15 2014