ASA firewall HA

HA Network Design with ASA Firewall 


In this lab, ISP1 is the primary link and ISP2 is the backup link.

If ISP1, R1 or SW4 goes down, ISP2 must take over the traffic.


In this lab:

- ASA Active/Standby failover

- HSRP with object tracking and IP SLA

- VLAN, trunk, EtherChannel, inter-VLAN routing

- OSPF and static routes

- NAT


Try it yourself:

Task 1 ASA (Active and Standby)

 Configure ASA2 to back up ASA1 in the event of a failure.

 Configure interface G0/0 as the failover link. This interface carries the failover control messages and the configuration replication between the two units.

 Name it FAILOVERLINK with an active IP address of 10.0.254.1/24 and a standby address of 10.0.254.2/24.

 Authenticate and encrypt the failover control messages with the key "AMS@CISCO"; without a key, the configuration replication (including credentials) crosses the failover link in clear text. Configure the host name ASA1.

Task 2 (HSRP on R1 and R2)

 Configure R1 as the primary gateway to the Internet and R2 as the secondary gateway for VLAN 10 and 11.

 Use the Cisco-proprietary first-hop redundancy protocol (HSRP).

 Set the hello interval to 1 second and the hold time to 3 seconds for faster detection of a failed gateway.

 Secure the HSRP control plane with MD5 authentication using the key AMS_HSRP.

 Use the following table for IP addressing:

Router  Interface  IP Address      Virtual IP   Priority

R1      E0/0       10.0.255.1/29   10.0.255.3   120

R2      E0/0       10.0.255.2/29   10.0.255.3   100 (default)


Task 3 OSPF

 Configure OSPF on CS, ASA, R1 and R2 in area 0.

 Configure inter-VLAN routing on CS for VLAN 10 and 11.

Task 4 NAT

 Configure NAT (PAT overload) on R1 and R2 so that users in VLAN 10 and 11 can reach the Internet.


Solution 

Task 1 (ASA Active and Standby)

ASA1

ASA1(config)# interface GigabitEthernet0/0

ASA1(config-if)#no shutdown

ASA1(config-if)# exit

ASA1(config)#failover lan unit primary

ASA1(config)#failover lan interface FAILOVERLINK  GigabitEthernet0/0

ASA1(config)#failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2


ASA1(config)#failover link FAILOVERLINK

ASA1(config)#failover key AMS@CISCO


ASA1(config)# interface gigabitEthernet 0/1

ASA1(config-if)# nameif outside

ASA1(config-if)# no shutdown

ASA1(config-if)#ip address 10.0.255.4 255.255.255.248 standby 10.0.255.5

ASA1(config-if)# exit


ASA1(config)# interface gigabitEthernet 0/2

ASA1(config-if)# nameif inside

ASA1(config-if)# no shutdown

ASA1(config-if)# ip address 10.0.255.9 255.255.255.248 standby 10.0.255.10 


ASA1(config)# failover

ASA1(config)# monitor-interface inside 

ASA1(config)# monitor-interface outside


ASA2

ASA2(config)# interface gigabitEthernet 0/0

ASA2(config-if)#no shutdown


ASA2(config)# failover lan unit secondary

ASA2(config)# failover lan interface FAILOVERLINK  GigabitEthernet0/0

INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces

ASA2(config)#failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2

ASA2(config)#failover link FAILOVERLINK

ASA2(config)#failover key AMS@CISCO

ASA2(config)#failover

Detected an Active mate

Beginning configuration replication from mate.

WARNING: Disabling auto import may affect Smart Licensing

Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...


Trustpoint CA certificate accepted.


WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.

End configuration replication from mate.

ASA1(config)#


Verification 

ASA1# show failover | in host

        This host: Primary - Active 

        Other host: Secondary - Standby Ready 

ASA1#


ASA1# sh run failover 

failover

failover lan unit primary

failover lan interface FAILOVERLINK GigabitEthernet0/0

failover link FAILOVERLINK GigabitEthernet0/0

failover interface ip FAILOVERLINK 10.0.254.1 255.255.255.0 standby 10.0.254.2

ASA1#


Task 2 HSRP

R1

R1(config)#interface Ethernet0/0

R1(config-if)# ip address 10.0.255.1 255.255.255.248

R1(config-if)# standby 1 ip 10.0.255.3

R1(config-if)# standby 1 timers 1 3

R1(config-if)# standby 1 priority 120

R1(config-if)# standby 1 preempt

R1(config-if)# standby 1 authentication md5 key-string AMS_HSRP

R1(config-if)# standby 1 track 1 decrement 40


R2

R2(config)#interface Ethernet0/0

R2(config-if)# ip address 10.0.255.2 255.255.255.248

R2(config-if)# standby 1 ip 10.0.255.3

R2(config-if)# standby 1 timers 1 3

R2(config-if)# standby 1 preempt

R2(config-if)# standby 1 authentication md5 key-string AMS_HSRP

R2(config-if)#no shut


Verification 

R1#show standby brief 

                     P indicates configured to preempt.

                     |

Interface   Grp  Pri P State   Active          Standby         Virtual IP

Et0/0       1    120 P Active  local           10.0.255.2      10.0.255.3

R1#


Task 3 Inter-VLAN routing and OSPF

CS

CS(config)#vlan 10

CS(config-vlan)#name HR

CS(config-vlan)#vlan 11

CS(config-vlan)#name ADMIN

CS(config-vlan)#vlan 101

CS(config-vlan)#name ASA

CS(config-vlan)#exit


CS(config)#ip routing

CS(config)#interface Vlan10

CS(config-if)# ip address 10.0.0.1 255.255.255.0

CS(config-if)#no shut

CS(config-if)#exit

CS(config)#interface Vlan11

CS(config-if)# ip address 10.0.1.1 255.255.255.0

CS(config-if)#no shut

CS(config-if)#exit

CS(config)#interface Vlan101

CS(config-if)# ip address 10.0.255.11 255.255.255.248

CS(config-if)#no shut

CS(config-if)#exit


CS(config)#interface Ethernet0/0

CS(config-if)# switchport access vlan 101

CS(config-if)# switchport mode access

CS(config-if)# spanning-tree portfast

CS(config-if)#interface Ethernet0/1

CS(config-if)# switchport access vlan 101

CS(config-if)# switchport mode access

CS(config-if)# spanning-tree portfast


CS(config-if)#interface Ethernet0/2

CS(config-if)# switchport access vlan 10

CS(config-if)# switchport mode access

CS(config-if)# spanning-tree portfast


CS(config-if)#interface Ethernet0/3

CS(config-if)# switchport access vlan 11

CS(config-if)# switchport mode access

CS(config-if)# spanning-tree portfast


CS(config-if)#interface Ethernet1/0

CS(config-if)# switchport access vlan 10

CS(config-if)# switchport mode access

CS(config-if)# spanning-tree portfast


OSPF

CS(config)#router ospf 10

CS(config-router)# router-id 4.4.4.4

CS(config-router)# network 10.0.0.0 0.0.1.255 area 0

CS(config-router)# network 10.0.255.0 0.0.0.255 area 0

CS(config-router)#exit


CS(config)#ip route 0.0.0.0 0.0.0.0 10.0.255.9


The ASA also needs a route toward the Internet, which this page does not show: either a static default route out of the outside interface toward the HSRP virtual IP 10.0.255.3, or a default route that R1 and R2 originate into OSPF. Because the configuration replicates, it only has to be entered on the active unit. For the ping test at the end to succeed, the ASA must also let the ICMP echo replies back in (ICMP inspection, or an access-list on the outside interface).

ASA1(config)# router ospf 10 

ASA1(config-router)#  network 10.0.255.0 255.255.255.0 area 0

ASA1(config-router)# exit


R1(config)#router ospf 10

R1(config-router)# router-id 1.1.1.1

R1(config-router)# network 10.0.255.1 0.0.0.0 area 0

R1(config-router)#exit


R2(config)#router ospf 10

R2(config-router)# router-id 2.2.2.2

R2(config-router)# network 10.0.255.2 0.0.0.0 area 0

R2(config-router)#exit


Task 4 NAT and IP SLA


R1

R1(config)#interface Ethernet0/0

R1(config-if)# ip address 10.0.255.1 255.255.255.248

R1(config-if)# ip nat inside

R1(config-if)#exit


R1(config)#interface Ethernet0/1

R1(config-if)# ip address 100.0.11.2 255.255.255.252

R1(config-if)# ip nat outside

R1(config-if)#no shut


R1(config)#ip access-list standard NAT_ACL

R1(config-std-nacl)# permit 10.0.0.0 0.0.1.255

R1(config-std-nacl)#exit

R1(config)#ip nat inside source list NAT_ACL interface Ethernet0/1 overload


R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.11.1


R1(config)#ip sla 1

R1(config-ip-sla)#icmp-echo 100.0.11.1

R1(config-ip-sla-echo)# threshold 250

R1(config-ip-sla-echo)# timeout 300

R1(config-ip-sla-echo)# frequency 5

R1(config-ip-sla-echo)#exit


R1(config)#ip sla schedule 1 life forever start-time now


R1(config)#track 1 ip sla 1

R1(config-track)# delay down 1 up 1

R1(config-track)#exit


R1(config)#interface Ethernet0/0

R1(config-if)# standby 1 track 1 decrement 40

R1(config-if)#exit


R2

R2(config)#interface Ethernet0/0

R2(config-if)# ip address 10.0.255.2 255.255.255.248

R2(config-if)# ip nat inside

R2(config-if)#exit


R2(config)#interface Ethernet0/1

R2(config-if)# ip address 100.0.22.2 255.255.255.252

R2(config-if)# ip nat outside

R2(config-if)#no shut

R2(config)#ip access-list standard NAT_ACL

R2(config-std-nacl)# permit 10.0.0.0 0.0.1.255

R2(config-std-nacl)#exit

R2(config)#ip nat inside source list NAT_ACL interface Ethernet0/1 overload

R2(config)#ip route 0.0.0.0 0.0.0.0 100.0.22.1


ISP

ISP1(config)#interface Ethernet0/0

ISP1(config-if)# ip address 100.0.11.1 255.255.255.252

ISP1(config-if)#no shut

ISP1(config-if)#exit


ISP1(config)#interface Loopback0

ISP1(config-if)# ip address 8.8.8.8 255.255.255.255

ISP1(config-if)#exit


ISP2(config)#interface Ethernet0/0

ISP2(config-if)# ip address 100.0.22.1 255.255.255.252

ISP2(config-if)#no shut

ISP2(config-if)#exit

ISP2(config)#interface Loopback0

ISP2(config-if)# ip address 8.8.8.8 255.255.255.255

ISP2(config-if)#exit


Verification 

TEST-PC#sh ip int bri | ex unas

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0                10.0.0.10       YES manual up                    up      


TEST-PC#


TEST-PC#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

TEST-PC#


TEST-PC#traceroute 8.8.8.8 numeric 

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

  1 10.0.0.1 1 msec 2 msec 1 msec

  2 10.0.255.1 3 msec 2 msec 3 msec

  3 100.0.11.1 3 msec *  9 msec

TEST-PC#


Failover test

ISP1 failover 

If ISP1 goes down, R1's IP SLA probe to 100.0.11.1 fails, track 1 lowers R1's HSRP priority from 120 to 80, and R2 (priority 100, preempt) takes over the virtual IP; if R1 itself goes down, R2 takes over after the 3-second hold time. Either way traffic flows CS >> ASA1 >> SW4 >> SW5 >> R2.

If SW4 goes down, ASA1 loses its monitored outside interface and fails over, so ASA2 becomes active and traffic flows CS >> ASA2 >> SW5 >> R2.

TEST-PC#traceroute 8.8.8.8 numeric 

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

  1 10.0.0.1 0 msec 1 msec 0 msec

  2 10.0.255.2 2 msec 2 msec 2 msec

  3 100.0.22.1 2 msec *  3 msec

TEST-PC#
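The verification steps above (the `show failover` and `show standby brief` captures and the two traceroutes) are the checks you would repeat after every change. The script below is an added example, not part of the original post: it parses those three outputs (the samples are constructed to match the captures on this page) and flags the conditions that matter, an ASA pair that is split-brain or whose standby is not Ready, an HSRP tracking decrement too small to hand the VIP to the peer, and which ISP path the test PC is using. The ISP next-hop table and R2's priority of 100 are assumptions taken from the lab's addressing and default HSRP priority.

```python
"""HA state checker for the ASA failover / HSRP lab (added example)."""
import re
from typing import Dict, List, Optional

# --- Sample output, constructed to match the captures on this page ---
SHOW_FAILOVER = """\
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

# Constructed: what a failover-link failure looks like (both units Active).
SHOW_FAILOVER_SPLIT_BRAIN = """\
        This host: Primary - Active
        Other host: Secondary - Active
"""

SHOW_STANDBY_BRIEF = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Et0/0       1    120 P Active  local           10.0.255.2      10.0.255.3
"""

TRACEROUTE_PRIMARY = """\
  1 10.0.0.1 1 msec 2 msec 1 msec
  2 10.0.255.1 3 msec 2 msec 3 msec
  3 100.0.11.1 3 msec *  9 msec
"""

TRACEROUTE_BACKUP = """\
  1 10.0.0.1 0 msec 1 msec 0 msec
  2 10.0.255.2 2 msec 2 msec 2 msec
  3 100.0.22.1 2 msec *  3 msec
"""

# Assumption: the ISP-facing /30 next hops are the only hop that differs
# between the two paths, so they identify which ISP is carrying traffic.
ISP_NEXT_HOPS = {"100.0.11.1": "ISP1", "100.0.22.1": "ISP2"}
R2_PRIORITY = 100  # assumption: R2 keeps the HSRP default priority


def parse_failover(text: str) -> Dict[str, str]:
    """Return {'this': 'Active', 'other': 'Standby Ready'} from `show failover`."""
    states = {}
    for m in re.finditer(r"(This|Other) host:\s+\w+ - (.+)", text):
        states[m.group(1).lower()] = m.group(2).strip()
    return states


def failover_healthy(text: str) -> bool:
    """Healthy = exactly one Active unit and the peer Standby Ready.
    Two Actives is split-brain; Failed / Cold Standby / Sync Config mean
    the pair is not actually protecting you."""
    states = parse_failover(text)
    return len(states) == 2 and sorted(states.values()) == ["Active", "Standby Ready"]


HSRP_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<preempt>P?)\s+"
    r"(?P<state>\w+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$"
)


def parse_standby_brief(text: str) -> List[Dict[str, str]]:
    """Parse the data rows of `show standby brief` (header lines do not match)."""
    return [m.groupdict() for m in map(HSRP_ROW.match, text.splitlines()) if m]


def tracking_can_fail_over(local_pri: int, peer_pri: int, decrement: int) -> bool:
    """True if losing the tracked object drops us below the peer, so a
    preempting peer takes the VIP. Lab: 120 - 40 = 80 < 100, R2 takes over."""
    return local_pri - decrement < peer_pri


def path_via(traceroute: str) -> Optional[str]:
    """Name the ISP whose next hop appears among the traceroute hops, else None."""
    hops = re.findall(r"^\s*\d+\s+(\d+(?:\.\d+){3})", traceroute, re.MULTILINE)
    for hop in hops:
        if hop in ISP_NEXT_HOPS:
            return ISP_NEXT_HOPS[hop]
    return None


def ha_report() -> Dict[str, object]:
    """Run every check against the constructed samples and return the findings."""
    hsrp = parse_standby_brief(SHOW_STANDBY_BRIEF)[0]
    return {
        "asa_ok": failover_healthy(SHOW_FAILOVER),
        "asa_split_brain_detected": not failover_healthy(SHOW_FAILOVER_SPLIT_BRAIN),
        "hsrp_active_here": hsrp["state"] == "Active" and hsrp["active"] == "local",
        "hsrp_preempt": hsrp["preempt"] == "P",
        "decrement_ok": tracking_can_fail_over(int(hsrp["pri"]), R2_PRIORITY, 40),
        "normal_path": path_via(TRACEROUTE_PRIMARY),
        "failover_path": path_via(TRACEROUTE_BACKUP),
    }


if __name__ == "__main__":
    for check, result in ha_report().items():
        print(f"{check}: {result}")
```

In production you would feed the functions real `show` output collected over SSH instead of the constructed strings; the parsers only look at the row and header shapes shown above, so a different IOS/ASA release that changes the column layout would need the regexes adjusted.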


