ASA firewall HA
HA Network Design with ASA Firewall
In this lab, ISP1 is the primary link and ISP2 is the backup link.
If ISP1, R1 or SW4 goes down, ISP2 must take over the traffic.
This lab covers:
- ASA Active/Standby failover
- HSRP, object tracking, IP SLA
- VLAN, trunk, EtherChannel, inter-VLAN routing
- OSPF and static routes
- NAT
TRY ON:
Task 1 ASA (Active and Standby)
Configure ASA2 to back up ASA1 in the event of a failure.
Configure interface G0/0 as the failover link. This interface will carry the failover control messages.
Assign it the name FAILOVERLINK, an active IP address of 10.0.254.1/24 and a standby address of 10.0.254.2/24.
Authenticate the failover control messages using the key "AMS@CISCO". Configure the host name ASA1.
Task 2 (HSRP on R1 and R2)
Configure R1 as the primary gateway to reach the internet and R2 as the secondary gateway for VLAN 10 and 11.
Use the Cisco proprietary protocol (HSRP) for gateway redundancy.
Set the hello interval to 1 second and the hold (dead) interval to 3 seconds for faster detection of a failed gateway.
Ensure the HSRP control plane is authenticated using an MD5 hash of the key AMS_HSRP.
Use following table for IP addressing:
Device   Interface   IP Address       Virtual IP    Priority
R1       E0/0        10.0.255.1/29    10.0.255.3    120
R2       E0/0        10.0.255.2/29    10.0.255.3    120
Task 3 OSPF
Configure OSPF on CS, ASA, R1 and R2 in area 0.
Configure inter-VLAN routing on CS for VLAN 10 and 11.
Task 4 NAT
Configure NAT on R1 and R2 so that VLAN 10 and 11 users can access the internet.
Solution
Task 1 (ASA Active and Standby)
ASA1
ASA1(config)# interface GigabitEthernet0/0
ASA1(config-if)#no shutdown
ASA1(config-if)# exit
ASA1(config)# hostname ASA1
ASA1(config)#failover lan unit primary
ASA1(config)#failover lan interface FAILOVERLINK GigabitEthernet0/0
ASA1(config)#failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2
ASA1(config)#failover link FAILOVERLINK
ASA1(config)#failover key AMS@CISCO
ASA1(config)# interface gigabitEthernet 0/1
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
ASA1(config-if)#ip address 10.0.255.4 255.255.255.248 standby 10.0.255.5
ASA1(config-if)# exit
ASA1(config)# interface gigabitEthernet 0/2
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
ASA1(config-if)# ip address 10.0.255.9 255.255.255.248 standby 10.0.255.10
ASA1(config-if)# exit
ASA1(config)# failover
ASA1(config)# monitor-interface inside
ASA1(config)# monitor-interface outside
ASA2
ASA2(config)# interface gigabitEthernet 0/0
ASA2(config-if)#no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVERLINK GigabitEthernet0/0
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
ASA2(config)#failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2
ASA2(config)#failover link FAILOVERLINK
ASA2(config)#failover key AMS@CISCO
ASA2(config)#failover
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.
ASA1(config)#
Verification
ASA1# show failover | in host
This host: Primary - Active
Other host: Secondary - Standby Ready
ASA1#
ASA1# sh run failover
failover
failover lan unit primary
failover lan interface FAILOVERLINK GigabitEthernet0/0
failover link FAILOVERLINK GigabitEthernet0/0
failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2
ASA1#
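The two "host:" lines above are what an operator watches to know the pair is still redundant. The following Python is an added example, not part of the original post: it parses that output and classifies the pair as healthy (one Active, one Standby Ready), degraded (no Standby Ready), or failed over (Secondary Active, which means the cause, such as SW4 going down, should be looked at). The sample outputs are constructed; only the first one matches the post's verification.

```python
import re

# Constructed sample matching the post's healthy verification output
# ("show failover | in host" on the active unit).
SAMPLE_HEALTHY = """\
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

# Constructed sample of a degraded pair: the mate has failed interface
# monitoring, so there is no backup if the active unit dies.
SAMPLE_DEGRADED = """\
This host: Primary - Active
Other host: Secondary - Failed
"""

# Constructed sample after a failover event (e.g. SW4 down in the post's test):
# the pair is still redundant, but the secondary is now carrying traffic.
SAMPLE_FAILED_OVER = """\
This host: Secondary - Active
Other host: Primary - Standby Ready
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")


def parse_failover_hosts(text):
    """Map 'this'/'other' to (unit role, failover state) from the two host lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            which, role, state = m.groups()
            hosts[which.lower()] = (role, state)
    return hosts


def failover_health(text):
    """Classify an Active/Standby pair. Returns (healthy, reason).

    Healthy means exactly one unit is Active and the other is Standby Ready.
    A healthy pair whose Secondary is Active is flagged in the reason, since it
    means a failover has happened and the cause should be investigated."""
    hosts = parse_failover_hosts(text)
    if set(hosts) != {"this", "other"}:
        return False, "could not parse both host lines"
    states = [state for _, state in hosts.values()]
    if states.count("Active") != 1:
        return False, "expected exactly one Active unit, saw %s" % states
    if "Standby Ready" not in states:
        return False, "no unit is Standby Ready, saw %s" % states
    active_role = next(role for role, state in hosts.values() if state == "Active")
    if active_role != "Primary":
        return True, "redundant, but failed over: Secondary is Active"
    return True, "redundant: Primary Active, Secondary Standby Ready"


if __name__ == "__main__":
    for name, sample in [("healthy", SAMPLE_HEALTHY),
                         ("degraded", SAMPLE_DEGRADED),
                         ("failed over", SAMPLE_FAILED_OVER)]:
        print(name, failover_health(sample))
```

In practice the text would come from a scheduled "show failover" collection; the parser deliberately ignores every other line of that command's output so it keeps working on the full output as well as the filtered one.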
Task 2 HSRP
R1
R1(config)#interface Ethernet0/0
R1(config-if)# ip address 10.0.255.1 255.255.255.248
R1(config-if)# standby 1 ip 10.0.255.3
R1(config-if)# standby 1 timers 1 3
R1(config-if)# standby 1 priority 120
R1(config-if)# standby 1 preempt
R1(config-if)# standby 1 authentication md5 key-string AMS_HSRP
R1(config-if)# standby 1 track 1 decrement 40
R2
R2(config)#interface Ethernet0/0
R2(config-if)# ip address 10.0.255.2 255.255.255.248
R2(config-if)# standby 1 ip 10.0.255.3
R2(config-if)# standby 1 timers 1 3
R2(config-if)# standby 1 preempt
R2(config-if)# standby 1 authentication md5 key-string AMS_HSRP
R2(config-if)#no shut
Verification
R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Et0/0       1    120 P Active  local           10.0.255.2      10.0.255.3
R1#
Task 3 Inter-VLAN routing and OSPF
CS
CS(config)#vlan 10
CS(config-vlan)#name HR
CS(config-vlan)#vlan 11
CS(config-vlan)#name ADMIN
CS(config-vlan)#vlan 101
CS(config-vlan)#name ASA
CS(config-vlan)#exit
CS(config)#ip routing
CS(config)#interface Vlan10
CS(config-if)# ip address 10.0.0.1 255.255.255.0
CS(config-if)#no shut
CS(config-if)#exit
CS(config)#interface Vlan11
CS(config-if)# ip address 10.0.1.1 255.255.255.0
CS(config-if)#no shut
CS(config-if)#exit
CS(config)#interface Vlan101
CS(config-if)# ip address 10.0.255.11 255.255.255.248
CS(config-if)#no shut
CS(config-if)#exit
CS(config-if)#interface Ethernet0/0
CS(config-if)# switchport access vlan 101
CS(config-if)# switchport mode access
CS(config-if)# spanning-tree portfast
CS(config-if)#interface Ethernet0/1
CS(config-if)# switchport access vlan 101
CS(config-if)# switchport mode access
CS(config-if)# spanning-tree portfast
CS(config-if)#interface Ethernet0/2
CS(config-if)# switchport access vlan 10
CS(config-if)# switchport mode access
CS(config-if)# spanning-tree portfast
CS(config-if)#interface Ethernet0/3
CS(config-if)# switchport access vlan 11
CS(config-if)# switchport mode access
CS(config-if)# spanning-tree portfast
CS(config-if)#interface Ethernet1/0
CS(config-if)# switchport access vlan 10
CS(config-if)# switchport mode access
CS(config-if)# spanning-tree portfast
OSPF
CS(config)#router ospf 10
CS(config-router)# router-id 4.4.4.4
CS(config-router)# network 10.0.0.0 0.0.1.255 area 0
CS(config-router)# network 10.0.255.0 0.0.0.255 area 0
CS(config-router)#exit
CS(config)#ip route 0.0.0.0 0.0.0.0 10.0.255.9
ASA1(config)# router ospf 10
ASA1(config-router)# network 10.0.255.0 255.255.255.0 area 0
ASA1(config-router)# exit
ASA1(config)# route outside 0.0.0.0 0.0.0.0 10.0.255.3
R1(config)#router ospf 10
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.255.1 0.0.0.0 area 0
R1(config-router)#exit
R2(config)#router ospf 10
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 10.0.255.2 0.0.0.0 area 0
R2(config-router)#exit
Task 4 NAT and IP SLA
R1
R1(config)#interface Ethernet0/0
R1(config-if)# ip address 10.0.255.1 255.255.255.248
R1(config-if)# ip nat inside
R1(config-if)#exit
R1(config)#interface Ethernet0/1
R1(config-if)# ip address 100.0.11.2 255.255.255.252
R1(config-if)# ip nat outside
R1(config-if)#no shut
R1(config)#ip access-list standard NAT_ACL
R1(config-std-nacl)# permit 10.0.0.0 0.0.1.255
R1(config-std-nacl)#exit
R1(config)#ip nat inside source list NAT_ACL interface Ethernet0/1 overload
R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.11.1
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 100.0.11.1
R1(config-ip-sla-echo)# threshold 250
R1(config-ip-sla-echo)# timeout 300
R1(config-ip-sla-echo)# frequency 5
R1(config-ip-sla-echo)#exit
R1(config)#ip sla schedule 1 life forever start-time now
R1(config)#track 1 ip sla 1
R1(config-track)# delay down 1 up 1
R1(config-track)#exit
R1(config)#interface Ethernet0/0
R1(config-if)# standby 1 track 1 decrement 40
R1(config-if)#exit
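The track/decrement pairing above only works if the decrement is large enough to push R1 below R2. The following Python model is an added example, not part of the original post: it simulates HSRP active election with preemption and object tracking using the priorities from the solution configuration (R1 120, R2 default 100, both preempt), and shows that with decrement 40 R2 takes over when the IP SLA probe to ISP1 fails, while a decrement of 10 (constructed misconfiguration) leaves R1 active with a dead uplink. The class and function names are this example's own.

```python
from ipaddress import ip_address


class HsrpRouter:
    """One HSRP group member, with the knobs used in the lab."""

    def __init__(self, name, ip, priority=100, preempt=False, track_decrement=0):
        self.name = name
        self.ip = ip_address(ip)
        self.priority = priority
        self.preempt = preempt
        self.track_decrement = track_decrement
        self.track_up = True  # state of the tracked object (IP SLA probe to the ISP)

    def effective_priority(self):
        # Tracking only lowers the priority while the tracked object is down
        return self.priority - (0 if self.track_up else self.track_decrement)


def best_candidate(routers):
    # Highest effective priority wins; ties go to the highest interface address
    return max(routers, key=lambda r: (r.effective_priority(), int(r.ip)))


def next_active(routers, current):
    """Apply HSRP preemption for one evaluation.

    A router only takes over from a healthy active peer when it has preempt
    configured and a higher effective priority; otherwise the active stays."""
    best = best_candidate(routers)
    if current is None or best is current:
        return best
    return best if best.preempt else current


def run_scenario(routers, events):
    """events: list of (router_name, track_up). Returns the active router name
    after the initial election and after each event."""
    by_name = {r.name: r for r in routers}
    current = next_active(routers, None)
    timeline = [current.name]
    for name, up in events:
        by_name[name].track_up = up
        current = next_active(routers, current)
        timeline.append(current.name)
    return timeline


def minimum_useful_decrement(primary, backup):
    """Smallest decrement that lets the backup win when the primary's uplink fails."""
    return primary.priority - backup.priority + 1


def lab_routers(decrement):
    # Values from the post's solution: R1 priority 120 with tracking, R2 default 100
    return [
        HsrpRouter("R1", "10.0.255.1", priority=120, preempt=True, track_decrement=decrement),
        HsrpRouter("R2", "10.0.255.2", priority=100, preempt=True),
    ]


# Constructed event sequence: ISP1 probe fails, then recovers
ISP1_FLAP = [("R1", False), ("R1", True)]

if __name__ == "__main__":
    print("decrement 40:", run_scenario(lab_routers(40), ISP1_FLAP))  # ['R1', 'R2', 'R1']
    print("decrement 10:", run_scenario(lab_routers(10), ISP1_FLAP))  # ['R1', 'R1', 'R1']
    print("minimum decrement:", minimum_useful_decrement(*lab_routers(40)))  # 21
```

The model is per-evaluation rather than per-hello, so it ignores the timers and the track delay; those only change how quickly the transition happens, not which router ends up active.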
R2
R2(config)#interface Ethernet0/0
R2(config-if)# ip address 10.0.255.2 255.255.255.248
R2(config-if)# ip nat inside
R2(config-if)#exit
R2(config)#interface Ethernet0/1
R2(config-if)# ip address 100.0.22.2 255.255.255.252
R2(config-if)# ip nat outside
R2(config-if)#no shut
R2(config)#ip access-list standard NAT_ACL
R2(config-std-nacl)# permit 10.0.0.0 0.0.1.255
R2(config-std-nacl)#exit
R2(config)#ip nat inside source list NAT_ACL interface Ethernet0/1 overload
R2(config)#ip route 0.0.0.0 0.0.0.0 100.0.22.1
ISP
ISP1(config)#interface Ethernet0/0
ISP1(config-if)# ip address 100.0.11.1 255.255.255.252
ISP1(config-if)#no shut
ISP1(config-if)#exit
ISP1(config)#interface Loopback0
ISP1(config-if)# ip address 8.8.8.8 255.255.255.255
ISP1(config-if)#exit
ISP2(config)#interface Ethernet0/0
ISP2(config-if)# ip address 100.0.22.1 255.255.255.252
ISP2(config-if)#no shut
ISP2(config-if)#exit
ISP2(config)#interface Loopback0
ISP2(config-if)# ip address 8.8.8.8 255.255.255.255
ISP2(config-if)#exit
Verification
TEST-PC#sh ip int bri | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.0.0.10 YES manual up up
TEST-PC#
TEST-PC#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
TEST-PC#
TEST-PC#traceroute 8.8.8.8 numeric
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.1 1 msec 2 msec 1 msec
2 10.0.255.1 3 msec 2 msec 3 msec
3 100.0.11.1 3 msec * 9 msec
TEST-PC#
Failover test
ISP1 failover
If ISP1 or R1 goes down, traffic goes CS >> ASA1 >> SW4 >> SW5 >> R2.
If SW4 goes down, ASA1 becomes standby and ASA2 takes over, so traffic goes CS >> ASA2 >> SW5 >> R2.
TEST-PC#traceroute 8.8.8.8 numeric
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.1 0 msec 1 msec 0 msec
2 10.0.255.2 2 msec 2 msec 2 msec
3 100.0.22.1 2 msec * 3 msec
TEST-PC#