Cisco ASA stands for Cisco Adaptive Security Appliance.
Cisco ASA acts as both firewall and VPN device.
This article explains how to set up and configure high availability (failover) between two Cisco ASA devices.
In a production environment, it is highly recommended to deploy two Cisco ASA firewalls (or VPN devices) in high-availability mode. This way, if the primary ASA fails, the secondary becomes active automatically without any downtime.
The following diagram shows, at a high level, the IP addresses assigned to the primary and secondary Cisco ASA devices in this example.
In the above diagram:
- ext0 – Assign your external IP address to this interface. ext0 indicates that it is connected to port 0 on the device.
- int1 – Assign your internal IP address to this interface. int1 indicates that it is connected to port 1 on the device.
- fail3 – Assign an internal IP address to this interface; it is used between the primary and secondary devices for failover communication. fail3 indicates that it is connected to port 3 on the device.
The Cisco ASA 5520 model has 4 ports on the back, marked 0, 1, 2 and 3. In our example, we’ll be using ports 0, 1, and 3 as explained above.
Other than the 4 network ports, you’ll also see slots marked as mgmt, usb, usb, console, aux, flash card.
While the example shown here was done on a Cisco ASA 5520, the same configuration works on other Cisco ASA 5500 series models, i.e. Cisco ASA 5510, Cisco ASA 5505, etc.
1. Setup failover interface on Primary ASA
Connect your laptop serial port to the primary ASA device using the console cable that came with the device.
Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”
Execute the following commands to mark port 0/3 as the failover LAN interface and this unit as the primary.
2. Assign the failover ip-address on Primary ASA using LANFAIL
Execute the following commands, which assign “10.10.1.1” (the one marked as fail3 in the diagram above) to the 0/3 interface on the primary device. This device should also know the failover IP address of the standby. In this example, it is 10.10.1.2
You should also specify a failover key. Make sure the same key is used when you configure failover on the secondary device. In this example, the failover key is “secretkey”
3. Assign the External ip-address on Primary ASA
Execute the following commands, which assign “174.121.83.47” (the one marked as ext0 in the diagram above) to the 0/0 interface on the primary device. This device should also know the external IP address of the standby ASA device. In this example, it is 174.121.83.48
4. Assign the Internal ip-address on Primary ASA
Execute the following commands, which assign “192.168.1.47” (the one marked as int1 in the diagram above) to the 0/1 interface on the primary device. This device should also know the internal IP address of the standby ASA device. In this example, it is 192.168.1.48
5. Verify the configuration on Primary ASA
Execute the following commands to verify the failover configuration that has been set up so far on the primary Cisco ASA device.
6. Setup failover interface on Secondary ASA
Connect your laptop serial port to the secondary ASA device using the console cable that came with the device.
Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”
Execute the following commands to mark port 0/3 as the failover LAN interface and this unit as the secondary.
7. Assign the failover ip-address on Secondary ASA using LANFAIL
Execute the following commands, which specify that the primary LANFAIL IP address is 10.10.1.1 and the standby is 10.10.1.2
You should also specify a failover key. Make sure the same key that you used while configuring the primary ASA is used here as well. In this example, the failover key is “secretkey”
8. Automatic Configuration Copy from Primary to Secondary ASA
Once you configure LANFAIL as shown above, all other configuration is automatically copied from the primary Cisco ASA device to the standby Cisco ASA device.
9. Setup Additional Configuration on ASA Primary
Set up additional configuration on the Cisco ASA primary device as shown below. This includes the hostname, domain name, routes, and allowing HTTP and SSH access on the internal IP address of the primary Cisco ASA.
Note: All of the above configuration will be copied over automatically to the Cisco ASA standby device, as failover is already configured. The only thing you need to set on the Cisco ASA standby is the hostname, “FW-STANDBY”, as shown below.
Finally, view the current running configuration and write it to memory as shown below.
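The full sequence from steps 1 through 9, collected into one worked configuration. This is an added example, not the command listing from the original article: it uses the IP addresses, the LANFAIL interface name, the failover key and the FW-STANDBY hostname given above, and assumes a /24 mask on every interface, GigabitEthernet naming for the 5520 ports, the hostname FW-PRIMARY and domain example.com for the primary, and a placeholder default gateway; all of those are assumptions, not values from the page.

```cisco
! ===== Primary ASA (steps 1-5), entered from the console =====
configure terminal
! Step 1: this unit is the primary; port 0/3 carries the failover link
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/3
! Step 2: failover link addresses (10.10.1.1 active, 10.10.1.2 standby); mask is an assumption
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
! Shared key: authenticates the peer and encrypts config replication over the failover link,
! so an attacker on that LAN cannot read or inject configuration. Must match on both units.
failover key secretkey
interface GigabitEthernet0/3
 no shutdown
! Step 3: external (ext0) addresses; "standby" is the address the peer uses while it is standby
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 174.121.83.47 255.255.255.0 standby 174.121.83.48
 no shutdown
! Step 4: internal (int1) addresses
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.47 255.255.255.0 standby 192.168.1.48
 no shutdown
! Enable failover on this unit
failover
end
! Step 5: verify the unit role, the peer state and the monitored interfaces
show failover
show failover state

! ===== Secondary ASA (steps 6-8), entered from its own console =====
configure terminal
! Step 6: same failover interface, but this unit is the secondary
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/3
! Step 7: the same LANFAIL pair and the same key as on the primary
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover key secretkey
interface GigabitEthernet0/3
 no shutdown
failover
end
! Step 8: once the link comes up, the primary's configuration is replicated here automatically

! ===== Additional configuration on the primary (step 9); replicated to the standby =====
configure terminal
hostname FW-PRIMARY                     ! assumed name; the page only names the standby
domain-name example.com                 ! assumed domain
route outside 0.0.0.0 0.0.0.0 <DEFAULT-GATEWAY-PLACEHOLDER>
! Restrict management access to the inside network only
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
end
! On the standby unit only, set its own hostname (the one value that is not replicated)
! hostname FW-STANDBY

! Review and save
show running-config
write memory
```

After `failover` is enabled on both units, `show failover` on the primary should report the local unit as Primary/Active and the peer as Secondary/Standby Ready; any interface that shows as "Waiting" or "Failed" indicates a mismatch in the standby addresses or a cable problem on that port. Set the failover key on both units before enabling `failover`, otherwise the first configuration replication crosses the failover LAN unauthenticated.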