Task list
- Change the mode to multiple
- Context definition and assign interfaces
- Assign primary and secondary IP address
- Failover configuration
Step 1: First we have to change the default mode from single to multiple. A reboot is required. Only multiple mode supports contexts, which are needed to build virtual firewalls.
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
Step 2: Since the ASA is now in multiple context mode, we can define contexts named CON-A and CON-B. We must also provide the location of each context's configuration file. Finally the interfaces are assigned to the contexts. The interfaces must be unshut and, if needed, subinterfaces must be created in the system context.
ciscoasa# conf t
ciscoasa(config)# context CON-A
Creating context 'CON-A'... Done. (2)
ciscoasa(config-ctx)# config-url disk0:/con-a.cfg
WARNING: Could not fetch the URL disk0:/con-a.cfg
INFO: Creating context with default config
ciscoasa(config-ctx)# allocate-interface GigabitEthernet 0.100
ciscoasa(config-ctx)# allocate-interface GigabitEthernet 1.10
ciscoasa(config-ctx)# context CON-B
Creating context 'CON-B'... Done. (3)
ciscoasa(config-ctx)# config-url disk0:/con-b.cfg
WARNING: Could not fetch the URL disk0:/con-b.cfg
INFO: Creating context with default config
ciscoasa(config-ctx)# allocate-interface GigabitEthernet 0.200
ciscoasa(config-ctx)# allocate-interface GigabitEthernet 1.20
Step 3: Now we can assign an IP address and a name (nameif) to the interfaces from within the respective contexts. For that we have to change to each context. The primary IP address is used by the active device of each context.
ciscoasa(config-ctx)# changeto context CON-A
ciscoasa/CON-A(config)# interface GigabitEthernet 0.100
ciscoasa/CON-A(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa/CON-A(config-if)# ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2
ciscoasa/CON-A(config-if)# interface GigabitEthernet 1.10
ciscoasa/CON-A(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ciscoasa/CON-A(config-if)# ip add 10.0.10.1 255.255.255.0 standby 10.0.10.2
ciscoasa/CON-A(config-if)# changeto context CON-B
ciscoasa/CON-B(config)# interface gigabitEthernet 1.20
ciscoasa/CON-B(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ciscoasa/CON-B(config-if)# ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2
ciscoasa/CON-B(config-if)# interface gigabitEthernet 0.200
ciscoasa/CON-B(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa/CON-B(config-if)# ip address 10.0.200.1 255.255.255.0 standby 10.0.200.2
Step 4: The failover configuration is made in the system context. ASA1 is defined as the primary unit. A failover interface for heartbeats must also be defined: it is named FAILOVER and assigned primary and standby IP addresses. Another link, named STATE, carries the state information updates and is also assigned IP addresses. Finally we define the two failover groups, group 1 with the primary unit preferred and group 2 with the secondary unit preferred, and join each context to a group. The last step is to enable failover.
ASA1/CON-B(config-if)# changeto system
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER GigabitEthernet5
ASA1(config)# failover link STATE GigabitEthernet4
ASA1(config)# failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASA1(config)# failover interface ip STATE 10.0.1.1 255.255.255.0 standby 10.0.1.2
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# context CON-A
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# context CON-B
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# failover
On ASA2 we only have to define the unit as secondary, assign the failover interface and its IP addresses, and enable failover.
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER GigabitEthernet5
INFO: Non-failover interface config is cleared on GigabitEthernet5 and its sub-interfaces
ASA2(config)# failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASA2(config)# failover
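Before enabling failover it is worth checking that the system-context design is consistent: every context has a config-url, allocated interfaces and a failover group, every referenced group is defined, and every interface configured inside a context was actually allocated to it by the system context. The following script is an added example, not part of the original page or of any Cisco tool; it lints the configuration from Steps 2 to 4. The SYSTEM_CONFIG and CONTEXT_CONFIGS samples are constructed from the commands above in a simplified stanza form, and the CON-A stanza deliberately configures GigabitEthernet 0.10 instead of the allocated 1.10 to show what the check reports.

```python
import re

# Constructed sample of the system-context configuration (simplified stanza form).
SYSTEM_CONFIG = """\
mode multiple
context CON-A
 config-url disk0:/con-a.cfg
 allocate-interface GigabitEthernet 0.100
 allocate-interface GigabitEthernet 1.10
 join-failover-group 1
context CON-B
 config-url disk0:/con-b.cfg
 allocate-interface GigabitEthernet 0.200
 allocate-interface GigabitEthernet 1.20
 join-failover-group 2
failover group 1
 primary
failover group 2
 secondary
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet5
failover link STATE GigabitEthernet4
failover
"""

# Constructed per-context configs; CON-A deliberately uses an unallocated interface.
CONTEXT_CONFIGS = {
    "CON-A": "interface GigabitEthernet 0.100\n nameif INSIDE\n"
             "interface GigabitEthernet 0.10\n nameif OUTSIDE\n",
    "CON-B": "interface GigabitEthernet 1.20\n nameif OUTSIDE\n"
             "interface GigabitEthernet 0.200\n nameif INSIDE\n",
}


def parse_system_config(text):
    """Parse context stanzas, failover groups and global failover commands."""
    contexts, groups = {}, {}
    failover = {"enabled": False, "unit": None, "lan_interface": None, "link": None}
    current = None  # ("context", name) or ("group", id) while inside a stanza
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[:1].isspace():  # top-level command: leave any open stanza
            current = None
            if m := re.fullmatch(r"context (\S+)", line):
                current = ("context", m.group(1))
                contexts[m.group(1)] = {"config_url": None, "allocated": [], "group": None}
            elif m := re.fullmatch(r"failover group (\d+)", line):
                current = ("group", int(m.group(1)))
                groups[current[1]] = None
            elif line == "failover":
                failover["enabled"] = True
            elif line.startswith("failover lan unit "):
                failover["unit"] = line.split()[3]
            elif line.startswith("failover lan interface "):
                failover["lan_interface"] = line.split(None, 3)[3]
            elif line.startswith("failover link "):
                failover["link"] = line.split(None, 2)[2]
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "context":
            ctx = contexts[key]
            if line.startswith("config-url "):
                ctx["config_url"] = line.split(None, 1)[1]
            elif line.startswith("allocate-interface "):
                ctx["allocated"].append(line.split(None, 1)[1])
            elif line.startswith("join-failover-group "):
                ctx["group"] = int(line.split()[1])
        elif kind == "group" and line in ("primary", "secondary"):
            groups[key] = line
    return contexts, groups, failover


def context_interfaces(text):
    """Interfaces configured inside a context (top-level 'interface' lines)."""
    return [l.strip().split(None, 1)[1] for l in text.splitlines()
            if l.strip().startswith("interface ")]


def check_failover_design(system_config, context_configs):
    """Return a list of findings; an empty list means the design is consistent."""
    contexts, groups, failover = parse_system_config(system_config)
    findings = []
    if not failover["enabled"]:
        findings.append("failover is not enabled")
    for key in ("unit", "lan_interface", "link"):
        if failover[key] is None:
            findings.append(f"failover {key} is not defined")
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"{name}: no config-url")
        if not ctx["allocated"]:
            findings.append(f"{name}: no interfaces allocated")
        if ctx["group"] is None:
            findings.append(f"{name}: not joined to a failover group")
        elif ctx["group"] not in groups:
            findings.append(f"{name}: joined to undefined failover group {ctx['group']}")
        for iface in context_interfaces(context_configs.get(name, "")):
            if iface not in ctx["allocated"]:
                findings.append(f"{name}: interface {iface} configured but not allocated by the system context")
    for gid, role in groups.items():
        if role is None:
            findings.append(f"failover group {gid}: no primary/secondary preference set")
    return findings


if __name__ == "__main__":
    for finding in check_failover_design(SYSTEM_CONFIG, CONTEXT_CONFIGS):
        print(finding)
```

Run against the constructed sample it reports only the deliberate CON-A mismatch; on a real unit the same parser can be fed the output of show running-config from the system context, with the per-context configs taken from each changeto context.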
For clarity we can change the prompt to display which firewall is active. The default prompt consists of the hostname and context. Adding priority and state gives a better view of which device we are consoled to.
ASA1# conf t
ASA1(config)# prompt hostname context priority state
ASA1/pri/act(config)# end
We can verify the failover state with the command show failover. The output shows that this firewall is active for group 1 and in standby for group 2.
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Group 1 last failover at: 17:25:07 UTC May 12 2012
Group 2 last failover at: 17:10:04 UTC May 12 2012

This host:    Primary
  Group 1       State:          Active
                Active time:    348 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

    CON-A Interface INSIDE (10.0.100.1): Normal (Monitored)
    CON-A Interface OUTSIDE (10.0.10.1): Normal (Monitored)
    CON-B Interface INSIDE (10.0.200.2): Normal (Monitored)
    CON-B Interface OUTSIDE (10.0.20.2): Normal (Monitored)

Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    1048 (sec)
  Group 2       State:          Active
                Active time:    1396 (sec)

    CON-A Interface INSIDE (10.0.100.2): Normal (Monitored)
    CON-A Interface OUTSIDE (10.0.10.2): Normal (Monitored)
    CON-B Interface INSIDE (10.0.200.1): Normal (Monitored)
    CON-B Interface OUTSIDE (10.0.20.1): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : STATE GigabitEthernet4 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         166        0          169        0
        sys cmd         166        0          166        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          3          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       1416
        Xmit Q:         0       1       166
ASA1/pri/act#
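Reading show failover by eye is fine once, but the same check belongs in monitoring: each group should be Active on the unit the design assigns it to and Standby Ready on the peer, and every monitored interface should be Normal. The following script is an added example, not part of the original page or of any Cisco tool; it parses the output above into per-unit group states and interface health and compares them with the intended ownership (group 1 on the primary, group 2 on the secondary). The SHOW_FAILOVER sample is constructed from the page's output, abridged to the sections the parser reads; the function and field names are this example's own.

```python
import re

# Constructed sample: the "show failover" output above, abridged to the parts
# this parser reads (the stateful update statistics are omitted).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet5 (up)
Version: Ours 8.4(2), Mate 8.4(2)
Group 1 last failover at: 17:25:07 UTC May 12 2012
Group 2 last failover at: 17:10:04 UTC May 12 2012

This host:    Primary
  Group 1       State:          Active
                Active time:    348 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

    CON-A Interface INSIDE (10.0.100.1): Normal (Monitored)
    CON-A Interface OUTSIDE (10.0.10.1): Normal (Monitored)
    CON-B Interface INSIDE (10.0.200.2): Normal (Monitored)
    CON-B Interface OUTSIDE (10.0.20.2): Normal (Monitored)

Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    1048 (sec)
  Group 2       State:          Active
                Active time:    1396 (sec)

    CON-A Interface INSIDE (10.0.100.2): Normal (Monitored)
    CON-A Interface OUTSIDE (10.0.10.2): Normal (Monitored)
    CON-B Interface INSIDE (10.0.200.1): Normal (Monitored)
    CON-B Interface OUTSIDE (10.0.20.1): Normal (Monitored)
"""

HOST_RE = re.compile(r"(?:This|Other) host:\s+(Primary|Secondary)")
GROUP_RE = re.compile(r"Group (\d+)\s+State:\s+(.+)")
ACTIVE_RE = re.compile(r"Active time:\s+(\d+) \(sec\)")
# "<context> Interface <name> (<ip>): <status> (<monitoring>)"
IFACE_RE = re.compile(r"(\S+) Interface (\S+) \(([\d.]+)\): (.+?)(?: \(([\w-]+)\))?$")


def parse_show_failover(text):
    """Return failover state, per-unit group states and per-interface health."""
    parsed = {"failover_on": False, "units": {}}
    unit = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            parsed["failover_on"] = True
            continue
        if m := HOST_RE.match(line):  # start of the "This host"/"Other host" block
            unit = m.group(1)
            parsed["units"][unit] = {"groups": {}, "interfaces": []}
            group = None
            continue
        if unit is None:  # header lines before the per-unit blocks
            continue
        if m := GROUP_RE.match(line):
            group = int(m.group(1))
            parsed["units"][unit]["groups"][group] = {"state": m.group(2).strip(), "active_time": 0}
        elif (m := ACTIVE_RE.match(line)) and group is not None:
            parsed["units"][unit]["groups"][group]["active_time"] = int(m.group(1))
        elif m := IFACE_RE.match(line):
            parsed["units"][unit]["interfaces"].append({
                "context": m.group(1), "name": m.group(2), "ip": m.group(3),
                "status": m.group(4), "monitoring": m.group(5)})
    return parsed


def failover_problems(parsed, expected_active):
    """expected_active maps group id -> unit that should own it in normal operation."""
    problems = []
    if not parsed["failover_on"]:
        problems.append("failover is off")
    for gid, owner in expected_active.items():
        peer = "Secondary" if owner == "Primary" else "Primary"
        for unit, want in ((owner, "Active"), (peer, "Standby Ready")):
            got = parsed["units"].get(unit, {}).get("groups", {}).get(gid, {}).get("state")
            if got != want:
                problems.append(f"group {gid} on {unit}: expected {want}, got {got}")
    for unit, info in parsed["units"].items():
        for i in info["interfaces"]:
            if i["status"] != "Normal" or i["monitoring"] != "Monitored":
                problems.append(f"{unit} {i['context']}/{i['name']} ({i['ip']}): {i['status']} ({i['monitoring']})")
    return problems


if __name__ == "__main__":
    status = parse_show_failover(SHOW_FAILOVER)
    print(failover_problems(status, {1: "Primary", 2: "Secondary"}) or "failover healthy")
```

With the page's output and the intended ownership the check reports nothing; feeding it a capture where an interface shows Failed, or where a group has moved to the other unit after an unplanned failover, produces one line per deviation, which is what a poller would turn into an alert.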