Cisco ASA stands for Cisco Adaptive Security Appliance. Cisco ASA acts as both a firewall and a VPN device.

This article explains how to set up and configure high availability (failover) between two Cisco ASA devices.

In a production environment, it is highly recommended to implement two Cisco ASA firewalls (or VPN devices) in high-availability mode. This way, if the primary ASA fails, the secondary becomes active automatically without any downtime.

The following diagram explains at a high level the IP addresses that are assigned to the primary and secondary Cisco ASA devices in this example.

- ext0 – Assign your external IP address to this interface. ext0 indicates that this is connected to port 0 on the device.
- int1 – Assign your internal IP address to this interface. int1 indicates that this is connected to port 1 on the device.
- fail3 – Assign an internal IP address to this interface that will be used between the primary and secondary devices during failover. fail3 indicates that this is connected to port 3 on the device.

The Cisco ASA 5520 model has 4 ports on the back, marked as 0, 1, 2 and 3. In our example, we'll be using ports 0, 1, and 3 as explained above. Other than the 4 network ports, you'll also see slots marked as mgmt, usb, usb, console, aux, flash card.

While the example mentioned here was done on the Cisco ASA 5520 model, the same configurations will work on other Cisco ASA 5500 series devices.

1. Setup failover interface on Primary ASA

Connect your laptop serial port to the primary ASA device using the console cable that came with the device.

Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”.

Execute the following commands to mark the port 0/3 as failover lan unit primary.

2. Assign the failover ip-address on Primary ASA using LANFAIL

Execute the following commands, which will assign “10.10.1.1” (the one marked as fail0 in the diagram above) to the 0/3 interface on the primary device. This device should also know the failover IP address of the standby.

Make sure the same key is used when you are configuring failover on the secondary device. In this example, the failover key is “secretkey”.

    failover lan interface LANFAIL gigabitethernet 0/3
    failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2

3. Assign the External ip-address on Primary ASA

Execute the following commands, which will assign “174.121.83.47” (the one marked as ext0 in the diagram above) to the 0/0 interface on the primary device. This device should also know the external IP address of the standby ASA device. In this example, it is 174.121.83.48.

    show run

4. Assign the Internal ip-address on Primary ASA

Execute the following commands, which will assign “192.168.1.47” (the one marked as int0 in the diagram above) to the 0/1 interface on the primary device. This device should also know the internal IP address of the standby ASA device. In this example, it is 192.168.1.48.

    interface gigabitEthernet 0/1

5. Verify the configuration on Primary ASA

Execute the following commands to verify the failover configuration that has been set up so far on the Cisco ASA primary device.

6. Setup failover interface on Secondary ASA

Connect your laptop serial port to the secondary ASA device using the console cable that came with the device.

Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”.

Execute the following commands to mark the port 0/3 as failover lan unit secondary.

    en
    failover lan interface LANFAIL gigabitEthernet 0/3

7. Assign the failover ip-address on Secondary ASA using LANFAIL

Execute the following commands, which specify that the primary LANFAIL IP address is 10.10.1.1 and the standby is 10.10.1.2.

Make sure the same key that you used while configuring the primary ASA is used here also. In this example, the failover key is “secretkey”.

    failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2

8. Automatic Configuration Copy from Primary to Secondary ASA

Once you configure the LANFAIL as shown above, all other configurations are automatically copied from the primary Cisco ASA device to the standby Cisco ASA device.

9. Setup Additional Configuration on ASA Primary

Set up additional configurations on the Cisco ASA primary device as shown below. This includes hostname setup, domain name setup, route setup, and allowing http and ssh on the internal IP address for the Cisco ASA primary.
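
The failover steps require the two units to agree on the LANFAIL link, its IP pair and the shared key, while differing only in unit role. The following Python check is an added example, not part of the original article: it compares the failover lines prepared for each unit and reports mismatches without echoing the key. The helper names `parse_failover` and `check_pair` are hypothetical, the sample configs are constructed from the article's addresses, and the `failover key` and `failover lan unit` lines are assumed from the standard ASA command set because the article gives the key and unit role only in prose.

```python
import re

# Constructed sample configs built from the article's addresses. The
# "failover key" line is an assumption: the article names the key only in prose.
PRIMARY = """\
failover lan unit primary
failover lan interface LANFAIL gigabitEthernet 0/3
failover key secretkey
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

PATTERNS = {
    "unit": r"^failover lan unit (primary|secondary)$",
    "link": r"^failover lan interface (\S+) (.+)$",
    "key": r"^failover key (\S+)$",
    "ip": r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$",
}

def parse_failover(config):
    """Collect failover settings; lower-case everything except the key."""
    found = {}
    for line in config.splitlines():
        for name, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip(), re.IGNORECASE)
            if m:
                vals = m.groups()
                found[name] = vals if name == "key" else tuple(v.lower() for v in vals)
    return found

def check_pair(primary, secondary):
    """Return a list of problems found when comparing the two units."""
    p, s = parse_failover(primary), parse_failover(secondary)
    problems = []
    for name in PATTERNS:
        for label, cfg in (("primary", p), ("secondary", s)):
            if name not in cfg:
                problems.append(f"{label}: missing failover {name} setting")
    if "unit" in p and "unit" in s and (p["unit"], s["unit"]) != (("primary",), ("secondary",)):
        problems.append("unit roles must be primary on one device, secondary on the other")
    for name in ("link", "key", "ip"):
        # Report only that a value differs, so the key never reaches a log.
        if name in p and name in s and p[name] != s[name]:
            problems.append(f"failover {name} differs between the two units")
    return problems
```

Interface names are compared case-insensitively because the article itself writes both `gigabitEthernet` and `gigabitethernet`; the key is compared exactly.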