Configuration
- Starting on the unit that will be the PRIMARY,with multiple mode and context already in place,configure it in the system context. Failover gorup 1 is the default failover group. Create the first of the two failover groups
ASA1(config)#failover group 1 - Tell the failover system that the PRIMARY unit should be active for any context in this "failover group #1"
primary - Optionally, tell the system to take over the active role 2 minutes after a reboot by the primary unit for this group
preempt 120 - Do the same for failover group 2
failover group 2 - Tell the failover system that the "SECONDARY" unit should be active for any context in this "failover group #2"
secondary - Request a preempt 2 minutes after reboot if by the secondary unit for this group
preempt 120 - Tell the system that each of the contexts are assigned to 1 of the 2 failover groups
ASA1(config)#context Ctx-1
ASA1(config-ctx)#join-failover-gorup 1
ASA1(config-ctx)#exitASA1(config)#context Ctx-2
ASA1(config-ctx)#join-failover-group 2
- Prepare the failover interfaces (the lan fail and stateful link). Go to the these interfaces and unshut the ports.
no shutdown - Tell this physical box its "priority" or title (Primary or Secondary).This priority(name) never changes for this physical unit on ASA1
failover lan unit primary - Configure the names and IP addresses for the 2 failover connections on ASA1
failover lan interface fail-config G4
failover link fail-state G5
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2 - Set the prompt to include which context(if any) we are working in.
prompt hostname context - Change from the sytem execution space to the context of Ctx-1 in order to add the standby addresses
changeto context Ctx-1
int G1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
int G3
mac-address cc1e.6783.1111 standby cc1e.6783.2222 //optionally add MAC addresses on the shared interface for this context
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.181
- Change from Ctx-1 and move to the context of Ctx-2 in order to add standby addresses
changeto context Ctx-2
interface ctx2_inside
ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
interface ctx2_outside
mac-address cc1e.6783.3333 standby cc1e.6783.4444
ip address 192.168.1.172 255.255.255.0 standby 192.168.1.182 - Move back to teh sytem execution space and turn on failover
changeto system
failover
- Save the system config and all the contexts individual configs at the same time
write mem all
show failover state - Go to secondary firewall, verify it is in multiple mode which is required for active/active. check same hardware, same number of interface, model,same function, etc.
show mode - Tell this ASA what priority(title) it will have.Primary or Secondary
failover lan unit secondary - Makesure failver interface is up.Define failover interface name and IPs
failover lan interface fail-config G4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2 - Tun on failover
failover
prompt hostname priority context state
To rectify Asymmetric routing if there is any, use ASR group. Add the interface to ASR group(under routing) in each context. Maximum of 2 failover groups can be created.
Configuring Support for Asymmetrically Routed Packets
When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the ASA that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two ASAs in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.
You can prevent the return packets from being dropped using the asr-group command on interfaces where this is likely to occur. When an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one of the following actions occurs:
•If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.
•If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.
-----
How the Security Appliance Classifies Packets
Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send a packet. This section includes the following topics:
Valid Classifier Criteria
This section describes the criteria used by the classifier, and includes the following topics:
Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring the MAC Address" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching natcommand or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure staticcommands in each context:
•Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
•Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
•Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
No comments:
Post a Comment