Multiple Contexts configuration
First, the firewall has to be configured as Transparent and multi-context with the commands firewall transparent and mode multiple. This last command will ask a reboot in order to complete.
After the reboot, by default only one context exists, which is the context admin. If interfaces were already present, they all are now owned by this context.
The creation of the context PROD is done by using the context command. The context submode is the place where interface will be allocated in the future.
Transparent mode and Management
Now we need to configure the management access in order to be able to manage the device in the future.
On some platform, the management interface will be used to manage the device. In GNS3 such interface is not present so we need to manage it from a regular data interface.
As we are in transparent mode, physical interfaces cannot own an ip addresss :
ASA1# conf t
ASA1(config)# inter g0
Interface configuration commands:
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
description Interface specific description
exit Exit from interface configuration mode
help Interactive help for interface subcommands
lacp LACP interface subcommands
no Negate a command or set its defaults
shutdown Shutdown the selected interface
This is where the BVI interface comes into play. As in regular IOS, a BVI interface is an interface that represents a single broadcast domain. To configure it, be sure to go into the context where you want it to exist. To enter a context, use the changeto context command.
ip address 192.168.1.200 255.255.255.0
Now interfaces belonging to the bridge-domain 1 must be identified. This is configured using the bridge-group command under the solicited interface. As we configure the first interface, we can also give it a nameif and let the system assign the security level.
From here, the management network should be able to join the bridge network in GNS3 :
ASA1/admin# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
This operation needs to be done on the two firewalls. Do not forget to unshut the interface in the system context also.
Failover and Stateful configuration, Active/Standby
The failover configuration requires a dedicated link between ASA. In GNS3 the fourth interface is used for the failover and is placed in to VLAN 50.
The primary and secondary unit must be declared along with the interface and IP addresses which will be used :
failover lan unit primary
failover lan interface folink GigabitEthernet3
failover interface ip folink 22.214.171.124 255.255.255.0 standby 126.96.36.199
On the secondary box, the only change is the secondary option at the failover lan unit command. Something that is not intuitive with the CLI help is the configuration of the link, what the software wants you to specify if the future nameif of the interface you want to use for the failover link. You do not need to specify it under the under, the firewall will do it itself and add a description under the interface.
Also the failover interface ip command does not change between the two boxes. This is not like HSRP or VRRP. Here the primary ASA will use 188.8.131.52 and the standby ASA will use 184.108.40.206. The redundancy is done with some kind of MAC moving.
When this is complete you can check the state of operations with the command show failover :
ASA1# sh failover
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 08:03:27 UTC Oct 22 2012
This host: Primary – Active
Active time: 359 (sec)
admin Interface management (192.168.1.200): Normal (Waiting)
Other host: Secondary – Standby Ready
Active time: 0 (sec)
admin Interface management (0.0.0.0): Normal (Waiting)
This is the output on the primary box. The secondary box output is very similar except it shows it as secondary.
Next we have the option to add a Stateful link. The Stateful link will be used to exchange states information between the two firewalls so that when a failover occurs the standby firewall already have all information about the opened sessions and the traffic will not be interrupted.
Without a Stateful link, all TCP sessions would be reset because existing flow coming to the standby firewall does not exist yet.
failover link folink GigabitEthernet3
Cisco recommends that the stateful failover link should be dedicated. To achieve High Availability you should also have redundant failover and stateful links.
The new output of the show failover command is completed with these information:
Stateful Failover Logical Update Statistics
Link : folink GigabitEthernet3 (up)
Stateful Obj xmit xerr rcv rerr
General 102 0 93 0
sys cmd 93 0 93 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
L2BRIDGE Tbl 7 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 2 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 93
Xmit Q: 0 2 103
Also note that started from here, there is some configuration that will be replicated from the Primary unit to the Secondary unit.
Now that the failover and stateful configuration is done we can go on with the configuration of the PROD context which will be the virtual firewall for all the production traffic.
Remember the firewall is in Transparent mode. That means that the firewall will not be used as default next hop by the hosts and will just be a layer 2 hop.
As we have only one inside interface, we will need to have subinterface to accomplish the configuration. 802.1Q tag will be used to define on which subinterface the traffic should be processed.
Interface can only be created in the system context. Using the command changeto system context sends us to this context to create the interfaces. Next step is to allocate these new interfaces to the right context :
To check your topology, one thing we can do is to create a BVI interface that will represent a bridge-domain on the ASA. As the BVI is able to have an IP address, if the host in the corresponding VLAN is able to ping it, it means we also have Layer 2 connectivity.
To do this, we need to go to the corresponding context with the command changeto context PROD:
ip address 10.100.0.254 255.255.255.0
Now we can ping 10.100.0.254 from the host located in VLAN 100 :
So now we know the Layer 2 connectivity is ok, which is great because this is what we need for the transparent services.
Also note that on the secondary box, interfaces have been automatically replicated.
Next step is to configure the outside interface. The process is the same except the VLAN is not the same as the input VLAN. The reason why is that we could have Layer 2 loops if we configure the same VLAN on two different interfaces.
The creation of the interface Gig2.10 and G2.20 is done in system context and configuration in the existing bridge-group is done in the PROD context:
ASA1# sh run
ASA1/PROD# sh run
Note we can check the bridge-group configuration with the show bridge-group command:
ASA1/PROD# show bridge-group
Static mac-address entries: 0 (in use), 65535 (max)
Dynamic mac-address entries: 3 (in use), 65535 (max)
Bridge Group: 2
ERROR: BVI interface for this bridge-group does not exist.
Bridge Group: 1
Management System IP Address: 10.100.0.254 255.255.255.0
Management Current IP Address: 10.100.0.254 255.255.255.0
Management IPv6 Global Unicast Address(es):
Static mac-address entries: 0
Dynamic mac-address entries: 2
So now the Inside and Outside interface in G1.100 and G2.10 respectively are in the same bridge-group although they are not in the same VLAN from the switch perspective.
We can now configure the real gateway of the hosts which will be located at R1 and R2 with HSRP. As said before, the VLAN we need to configure for this is the VLAN 10 and 20:
encapsulation dot1Q 10
ip address 10.100.0.2 255.255.255.0
no cdp enable
standby 0 ip 10.100.0.1
standby 0 priority 200
encapsulation dot1Q 20
ip address 10.200.0.2 255.255.255.0
no cdp enable
standby 1 ip 10.200.0.1
standby 1 priority 200
Before testing the connectivity between the hosts and the gateway, it is a good idea to change the security level of the inside interfaces. Remember that by default the ASA will allow traffic to go from interface with higher security level to lower security level without explicit rule, you do need to explicitly accept the return traffic then.
access-list VLAN100_access_in extended permit icmp any any
access-list VLAN10_access_in extended permit icmp any any
From now, the host is able to ping its default gateway located on R1/R2 depending on the HSRP state.
The failover behavior can now be tested by issuing the command no failover active on the primary unit while pinging with one router to the host for example:
Success rate is 99 percent (1520/1521), round-trip min/avg/max = 4/17/236 ms