Mastering ASA Firewall: Narbik Kocharians CCIE #12410 R&S, Security, SP Piotr Matusiak CCIE #19860 R&S, Security

Mastering
ASA Firewall
www.MicronicsTraining.com
Narbik Kocharians
CCIE #12410
R&S, Security, SP
Piotr Matusiak
CCIE #19860
R&S, Security
Mastering ASA Firewall Workbook
Table of Content
LAB 1.1.
BASIC ASA CONFIGURATION ........................................................................................................
LAB 1.2.
BASIC SECURITY POLICY ...............................................................................................................
LAB 1.3.
DYNAMIC ROUTING PROTOCOLS ................................................................................................
LAB 1.4.
ASA MANAGEMENT ..........................................................................................................................
LAB 1.5.
STATIC NAT .........................................................................................................................................
LAB 1.6.
DYNAMIC NAT ....................................................................................................................................
LAB 1.7.
NAT EXEMPTION ...............................................................................................................................
LAB 1.8.
STATIC POLICY NAT.........................................................................................................................
LAB 1.9.
DYNAMIC POLICY NAT ....................................................................................................................
LAB 1.10.
MODULAR POLICY FRAMEWORK (MPF) ...................................................................................
LAB 1.11.
FTP ADVANCED INSPECTION ........................................................................................................
LAB 1.12.
HTTP ADVANCED INSPECTION .....................................................................................................
LAB 1.13.
INSTANT MESSAGING ADVANCED INSPECTION .....................................................................
LAB 1.14.
ESMTP ADVANCED INSPECTION ..................................................................................................
LAB 1.15.
DNS ADVANCED INSPECTION ........................................................................................................
LAB 1.16.
ICMP ADVANCED INSPECTION .....................................................................................................
LAB 1.17.
CONFIGURING VIRTUAL FIREWALLS ........................................................................................
LAB 1.18.
ACTIVE/STANDBY FAILOVER ........................................................................................................
LAB 1.19.
ACTIVE/ACTIVE FAILOVER ...........................................................................................................
LAB 1.20.
REDUNDANT INTERFACES .............................................................................................................
LAB 1.21.
TRANSPARENT FIREWALL .............................................................................................................
LAB 1.22.
THREAT DETECTION ........................................................................................................................
LAB 1.23.
CONTROLLING ICMP AND FRAGMENTED TRAFFIC .............................................................
LAB 1.24.
TIME BASED ACCESS CONTROL ...................................................................................................
LAB 1.25.
QOS - PRIORITY QUEUING ..............................................................................................................
LAB 1.26.
QOS TRAFFIC POLICING ..............................................................................................................
LAB 1.27.
QOS TRAFFIC SHAPING ................................................................................................................
LAB 1.28.
QOS TRAFFIC SHAPING WITH PRIORITIZATION .................................................................
LAB 1.29.
SLA ROUTE TRACKING ...................................................................................................................
LAB 1.30.
ASA IP SERVICES (DHCP).................................................................................................................
LAB 1.31.
URL FILTERING AND APPLETS BLOCKING ..............................................................................
LAB 1.32.
TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS ...........................
LAB 1.33.
STATIC NAT (8.3+) ..............................................................................................................................
Page 2 of 33
LAB 1.34.
DYNAMIC NAT (8.3+) .........................................................................................................................
LAB 1.35.
BIDIRECTIONAL NAT (8.3+) ............................................................................................................
LAB 1.36.
SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) ......................................................................
LAB 1.37.
SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) ...................................................
LAB 1.38.
SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) ..............................................
LAB 1.39.
SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) ..........................................
LAB 1.40.
CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA)................
LAB 1.41.
CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) ..................................
LAB 1.42.
CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) ..................................
LAB 1.43.
IPSEC LOAD BALANCING (ASA CLUSTER) ................................................................................
LAB 1.44.
ANYCONNECT 3.0 BASIC SETUP ....................................................................................................
LAB 1.45.
ANYCONNECT 3.0 ADVANCED FEATURES .................................................................................
Page 3 of 33
Physical Topology
F0/1
F0/0
F0/1
F0/1
G0/1
F0/2
R1
F0/2
G0/0
R2
F0/4
F0/0
F0/6
SW2
F0/1
R4
F0/5
F0/0
F0/1
R5
SW1
F0/1
F0/0
R6
F0/4
F0/5
ASA1
F0/6
F0/10
E0/0
F0/11
E0/1
F0/12
E0/2
F0/13
E0/3
F0/14
C&C
F0/15
G0/0
F0/16
G0/1
F0/17
G0/2
F0/18
G0/3
E0/0
F0/10
E0/1
F0/11
E0/2
F0/12
E0/3
F0/13
ACS
F0/14
F0/15
ASA2
IPS
SW4
Page 4 of 33
PC
SW3
Inter-switch and Frame Relay connections

G0/1
F0/23-24
SW1
SW2
0
F0
/
19
-2
0
-2
F0/21-22
F0/21-22
F0
/1
9
F0/23-24
SW3
SW4
To R4: 204
To R5: 205
To R6: 206
R2
To R2: 502
To R4: 504
To R6: 506
S0/1/0
S0/1/0
R5
FR
S0/0/0
R4
S0/1/0
To R2: 402
To R5: 405
To R6: 406
To R2: 602
To R4: 604
To R5: 605
Page 5 of 33
R6
www.MicronicsTraining.com
This page is intentionally left blank.
Page 6 of 33
Active/Standby Failover
Lo0
Inside
R1
.1
F0/0
10.1.101.0/24
.10
E0/1
.11
E0/3
Stateful Failover Link
E0/2 .10
Lo0
.10
E0/1
E0/3
.10 E0/2
.4
F0/0
10.1.104.0/24
DMZ
E0/0
.11
E0/0
R4
Lo0
10.1.102.0/24
G0/0 .2
Outside
R2
Lab Setup:
R1s F0/0 and ASA1/ASA2 E0/1 interface should be configured in VLAN 101
R2s G0/0 and ASA1/ASA2 E0/0 interface should be configured in VLAN 102
R4s F0/0 and ASA1/ASA2 E0/2 interface should be configured in VLAN 104
ASA1 and ASA2 E0/3 interface should be configured in VLAN 254
Configure Telnet on all routers using password cisco
Configure static default route on all routers pointing to ASA.
IP Addressing:
Device
R1
R2
R4
Interface
Lo0
F0/0
Lo0
G0/0
Lo0
F0/0
IP address
1.1.1.1/24
10.1.101.1/24
2.2.2.2/24
10.1.102.2/24
4.4.4.4/24
10.1.104.4/24
Page 7 of 33
Task 1
Configure ASA interfaces as follow:
Physical Interface
Interface name
E0/0
IN
Security level
80
E0/1
OUT
E0/2
DMZ
50
IP address
Pri 10.1.101.10/24
Sby 10.1.101.11/24
Pri 10.1.102.10/24
Sby 10.1.102.11/24
Pri 10.1.104.10/24
Sby 10.1.104.11/24
Configure ASA2 device to back up ASA1 firewall in the event of failure. Configure
interface E0/3 as the Failover Link. This interface will be used to transmit failover control
messages. Assign a name of LAN_FO and active IP address of 10.1.254.10/24 with a
standby address of 10.1.254.11. Authenticate the failover control messages using a key
of cisco987. Configure host name of ASA-FW.
ASA failover uses a special link which must be configured appropriately to successfully monitor
state of primary ASA device. This link is a dedicated physical Ethernet interface. The best practice
is to use the fastest ASA interface possible as an amount of data traversing this link may be
significant and usually depends on the amount of data traverses all remaining interfaces. This link
may have two things to do (1) it must synchronize configuration, monitor ASA interfaces and send
those information to second ASA to continue working if primary ASA fails (2) it may carry stateful
information (like state table and translation table) to maintain all connections by second ASA in
case of failure.
Although, the first task does not require fast interface, the second may require significant
bandwidth of the interface. In addition to that, this link shouldnt be set up using crossover cable. It
is highly recommended to use switch for interconnection with PortFast configured on the switch
port.
In case of configuration, the interface used as failover link should be in UP state, meaning an
administrator must enter no shutdown command on that interface. No other configuration is
required. All failover configuration is done using failover. command.
Two very important commands are required (1) failover lan which is used for specifying what
interface will be used as failover link and (2) failover interface ip which configures IP address of
that link (note the IP address is configured here, not under the physical interface).
Note that all ASA interfaces must have standby IP addresses configured. It is usually omitted when
ASA is already pre-configured and we need to add failover to the existing configuration. Those
standby IP addresses will be used on secondary ASA as all interfaces must send out heartbeat
information on their subnet to check if there is standby interface ready on a given subnet.
The first ASA must be marked as primary unit and second ASA as secondary unit. A good
practice mandates usage of encryption key for securing failover communication.
Configuration of secondary ASA is similar to that it was on primary unit. All you need is to unshut
failover interface and configure it in the same way as it was on primary device. The one difference is
that secondary device must be marked as secondary unit.
The very last configuration command is simple failover which enables failover and starts
Page 8 of 33
communication between ASAs.

Note that you do not need to configure any IP addresses (except for failover link) on the secondary
ASA. After enabling failover, all configuration should be sent to the second device.
On primary ASA
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# interface e0/0
ASA-FW(config-if)# nameif OUT
INFO: Security level for "OUT" set to 0 by default.
ASA-FW(config-if)# ip address 10.1.102.10 255.255.255.0 standby 10.1.102.11
ASA-FW(config-if)# no shut
ASA-FW(config-if)# interface e0/1
ASA-FW(config-if)# nameif IN
INFO: Security level for "IN" set to 0 by default.
ASA-FW(config-if)# security-level 80
ASA-FW(config-if)# ip address 10.1.101.10 255.255.255.0 standby 10.1.101.11
ASA-FW(config-if)# no shut
ASA-FW(config-if)# interface e0/2
ASA-FW(config-subif)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW(config-subif)# security-level 50
ASA-FW(config-subif)# ip address 10.1.104.10 255.255.255.0 standby 10.1.104.11
ASA-FW(config-subif)# no shut
ASA-FW(config-subif)# exit
ASA-FW(config)# int e0/3
ASA-FW(config-if)# no sh
Do not forget to unshut that interface!
ASA-FW(config)# failover lan unit primary
ASA-FW(config)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA-FW(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ASA-FW(config)# failover key cisco987
ASA-FW(config)# failover
You must enable failover at the endo of the configuration using failover command.
On secondary ASA
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh
Same on the secondary ASA. You must manually unshut the interface for LAN failover.
ciscoasa(config)# failover lan unit secondary
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
ciscoasa(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ciscoasa(config)# failover key cisco987
ciscoasa(config)# failover
ciscoasa(config)# .
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
ASA-FW(config)#
Page 9 of 33
**** WARNING ****

Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
Note that you cannot configure the ASA using being on the Standby unit. Although, it is
possible to enable commands the config will NOT be synchronized between devices.
On Active ASA
ASA-FW(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:08:59 UTC Jul 10 2010
This host: Primary - Active
Active time: 105 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.10): Normal
Interface IN (10.1.101.10): Normal
Interface DMZ (10.1.104.10): Normal
slot 1: empty
Other host: Secondary - Standby Ready
slot 1: empty
Note the IP addresses in the brackets and normal state of those interfaces. The IP
addresses are simply Active and Standby IP address configured on the interface. If you see
0.0.0.0 there, it means you do not have Standby IP address configured on a particular
interface.
Also the state may be different. There may be Waiting, Non-Monitored and Normal states.
Since the ASA does not monitor subinterfaces by default you may see Non-Monitored state
very often when using subinterfaces. However, a Waiting state means there is a process of
communicating between interfaces in the same subnet on both ASA units. If this state is
displayed for too long (couple of minutes) that means the ASA has communication issues
with other ASA device meaning issues with L2 (switch) in most cases.
Stateful Failover Logical Update Statistics
Link : Unconfigured.
It is highly recommended to perform failover test after configuration. Below is an example
test which can easily verify if failover works fine.
1. Enable ICMP inspection to allow ICMP traffic go through the ASA
2. Start pinging R2 from R1 (Inside to Outside)
3. Make Standby ASA to become Active
4. Verify that failover took place and everyting is OK in means of verification
commands and check if ping is still going on.
FAILOVER TEST
1. Enable ICMP inspection on ASA (just to allow ICMP traffic to pass through the ASA)
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
Page 10 of 33
2. Perform repeated ping from R1

R1#ping 10.1.102.2 rep 1000
3. On standby ASA enter command failover active to become an active device

ASA-FW(config)# failover active
Switching to Active
Failover On
Failover unit Secondary
Interface Policy 1
Last Failover at: 23:14:41 UTC Oct 17 2009
This host: Secondary - Active
Interface OUT (10.1.102.10): Normal (Waiting)
Interface IN (10.1.101.10): Normal (Waiting)
Interface DMZ (10.1.104.10): Normal (Waiting)
slot 1: empty
Other host: Primary - Standby Ready
slot 1: empty
Note that some of monitored interfaces have Waiting status. Do not worry. Just wait a bit
and run show failover command again. This may takes a while for interfaces to see each
other and update their status.
Failover On
Interface Policy 1
Last Failover at: 23:14:41 UTC Oct 17 2009
This host: Secondary - Active
slot 1: empty
Other host: Primary - Standby Ready
slot 1: empty
Page 11 of 33
4. Check R1 ping:
R1#ping 10.1.102.2 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 1/2/4 ms
Note that only one ping is lost. The failover is working quite fast.
Also keep in mind that you can use redundant interfaces along with failover.
Task 2
Configure ASA so that it will maintain TCP connections (including HTTP) in the event of
active device failure. Use the same interface which is already used for LAN Failover.
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information.
You have three options for configuring a Stateful Failover link:
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link.
You can share a regular data interface, such as the inside interface (not recommended).
By default, ASA does not replicate HTTP session information when Stateful Failover is enabled.
Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed
connection attempts, not replicating HTTP sessions increases system performance without causing
serious data or connection loss.
On active ASA
ASA-FW(config)# failover link LAN_FO
ASA-FW(config)# failover replication http
Verification
Failover On
Page 12 of 33

Interface Policy 1
failover replication http
slot 1: empty
Other host: Secondary - Bulk Sync
slot 1: empty
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj
xmit
xerr
General
3
0
sys cmd
3
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
rcv
3
3
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Logical Update Queue Information

Cur
Max
Total
Recv Q:
0
8
3
Xmit Q:
0
26
36
ASA-FW(config)# sh failover interface
interface LAN_FO Ethernet0/3
System IP Address: 10.1.254.10 255.255.255.0
My IP Address
: 10.1.254.10
Other IP Address : 10.1.254.11
ASA-FW(config)# sh run all monitor
monitor-interface OUT
monitor-interface IN
monitor-interface DMZ
By default ASA monitors only physical interfaces; it does not monitor logical interfaces
of subinterfaces. This must be manually enabled using monitor-interface command.
There is also a feature called Remote Command Execution which is very useful when making
changes to the configuration in failover environment.
Because configuration commands are replicated from the active unit or context to the
standby unit or context, you can use the failover exec command to enter configuration
commands on the correct unit, no matter which unit you are logged-in to. For example, if
you are logged-in to the standby unit, you can use the failover exec active command to
send configuration changes to the active unit. Those changes are then replicated to the
standby unit.
Page 13 of 33
Task 3
Configure ASA so that it will use static MAC address on the outside interface in case
standby device boots first. Use MAC address of 0011.0011.0011 as Active and
0022.0022.0022 as Standby.
MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.
However, if both units are not brought online at the same time and the secondary unit boots first
and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary
unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This
change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures
that the secondary unit uses the correct MAC address when it is the active unit, even if it comes
online before the primary unit.
This command has no effect when ASA is configured for Active/Active failover. In A/A failover there
is a command mac address under failover group.
On active ASA
ASA-FW(config)# failover mac address e0/0 0011.0011.0011 0022.0022.0022
Verification (on Active unit)

ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0011.0011.0011, MTU 1500
IP address 10.1.102.10, subnet mask 255.255.255.0
1440 packets input, 173626 bytes, 0 no buffer
Received 50 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1401 packets output, 167906 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/3) software (0/0)
Traffic Statistics for "OUT":
1400 packets input, 142518 bytes
1401 packets output, 142508 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 24 bytes/sec
1 minute output rate 0 pkts/sec, 23 bytes/sec
1 minute drop rate, 0 pkts/sec
Verification (on Standby unit)

ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0022.0022.0022, MTU 1500
Page 14 of 33
10413 packets input, 1231356 bytes, 0 no buffer

Received 9 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
10427 packets output, 1232128 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (1/5) software (0/0)
output queue (curr/max packets): hardware (0/3) software (0/0)
Traffic Statistics for "OUT":
0 packets dropped
ASA-FW(config)# failover exec mate sh failover
Failover On
Interface Policy 1
failover replication http
This host: Secondary - Standby Ready
slot 1: empty
Other host: Primary - Active
slot 1: empty
Stateful Obj
xmit
xerr
General
24
0
sys cmd
24
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
rcv
24
24
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
5
219
Xmit Q:
0
1
24
Page 15 of 33
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Active/Active Failover
Lo0
Inside1
Inside2
Lo0
R4
.4 F0/0
10.1.104.0/24
R1
.1 F0/0
.10
DMZ
E0/1.104
E0/1.101
Lo0
F0/0
CTX
1
CTX
2
E0/3
.5
.10
.13
E0/0
.10
E0/1.104
E0/1.101
.10
E0/2
R5
10.1.101.0/24
.11
.11
FO
E0/3
CTX
1
E0/2 .11 .11
CTX
2
.12
E0/0
10.1.105.0/24
10.1.102.0/24
Lo0
G0/0 .2
Outside
R2
Lab Setup:
R2s G0/0 and ASAs E0/0 interface should be configured in VLAN 102
R5s F0/0 and ASAs E0/2 interface should be configured in VLAN 105
Configure Telnet on all routers using password cisco
Configure static default route on all routers pointing to ASA
IP Addressing:
Device
R1
R2
R4
R5
Interface
Lo0
F0/0
Lo0
G0/0
Lo0
F0/0
Lo0
F0/0
IP address
1.1.1.1/24
10.1.101.1/24
2.2.2.2/24
10.1.102.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
Page 16 of 33
Task 1
Configure ASA1 with a hostname of ASA-FW and the following security contexts:
Context name:
CTX1
CTX2
Interfaces:
E0/0 Outside
E0/0 Outside
E0/1.101 Inside
E0/1.104 Inside
E0/2 DMZ
Context file:
CTX1.cfg
CTX2.cfg
The context configuration should be stored on the Flash memory.
Configure interfaces for new contexts as follow:
Context
Interface name
Security level
CTX1
Inside
100
Outside
0
DMZ
50
CTX2
Inside
100
Outside
0
IP address
10.1.101.10/24
10.1.102.10/24
10.1.105.10/24
10.1.104.10/24
10.1.102.12/24
In the Active/Active (A/A) implementation of failover, both appliances in the failover pair process
traffic. To accomplish this, two contexts are needed, as is depicted in the diagram above. On the left
appliance, CTX1 performs an active role and CTX2 a standby role. On the right appliance, CTX1 is
standby and CTX2 is active.
The configuration required in this task is very similar to the configuration of single ASA device. The
ASA must be converted to multiple mode, security contexts must be created and appropriate
interfaces allocated. Then interfaces must be configured as requested inside respective context.
On SW3
SW3(config-if)#int f0/11
SW3(config-if)#sw tru enca dot
SW3(config-if)#sw mo tru
SW3(config)#vlan 101
SW3(config-vlan)#exi
SW3(config-vlan)#exit
On both ASA devices

ciscoasa# conf t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
Page 17 of 33
***
*** --- SHUTDOWN NOW --***
*** Message to all terminals:
***
***
change mode
Rebooting....
<output ommited>
On ASA1
ciscoasa(config)# hostname ASA-FW
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# int e0/1.101
ASA-FW(config-subif)# vlan 101
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/1.104
ASA-FW(config-subif)# vlan 104
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/2
ASA-FW(config-if)# context CTX1
Creating context 'CTX1'... Done. (2)
Depends on your previous configuration you may get a message saying:
ERROR: Identify admin context first, using the 'admin-context' command
Then, you need to create admin context first and tell the ASA to use that context for
administrative purposes. Both things can be done using the following command:
ASA-FW(config)# admin-context admin
Creating context 'admin'... Done. (2)
Unfortunately, the above command does not specify when admin context is going to write its
configuration. Hence, we need to specify that manually:
ASA-FW(config)# context admin
ASA-FW(config-ctx)# config-url disk0:/admin.ctx
WARNING: Could not fetch the URL disk0:/admin.ctx
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Note that it is wise to check if there is no file with previous configuration stored on
the flash before configuring config URL. If there is a file with the same name already, it
will be imported and used inside the context.
ASA-FW(config-ctx)# sh disk0: | in cfg|CFG
164 724
Oct 19 2009 18:38:50 admin.cfg
166 1437
Oct 19 2009 18:38:50 old_running.cfg
ASA-FW(config-ctx)# config-url disk0:CTX1.cfg
INFO: Converting disk0:CTX1.cfg to disk0:/CTX1.cfg
WARNING: Could not fetch the URL disk0:/CTX1.cfg
ASA-FW(config-ctx)# allocate-interface e0/1.101
ASA-FW(config-ctx)# allocate-interface e0/0
Page 18 of 33

ASA-FW(config-ctx)# context CTX2
ASA-FW(config-ctx)# config-url disk0:CTX2.cfg
INFO: Converting disk0:CTX2.cfg to disk0:/CTX2.cfg
WARNING: Could not fetch the URL disk0:/CTX2.cfg
ASA-FW(config-ctx)# allocate-interface e0/1.104
ASA-FW(config-ctx)# changeto context CTX1
ASA-FW/CTX1(config)# int e0/1.101
ASA-FW/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW/CTX1(config-if)# int e0/0
ASA-FW/CTX1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW/CTX1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW/CTX1(config-if)# security-level 50
ASA-FW/CTX1(config-if)# changeto context CTX2
ASA-FW/CTX2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW/CTX2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW/CTX2(config-if)# exit
Verification
ASA-FW/CTX2(config)# ping 10.1.104.4
!!!!!
!!!!!
ASA-FW/CTX2(config)# sh int ip brief
Interface
IP-Address
Ethernet0/1.104
10.1.104.10
Ethernet0/0
10.1.102.12
OK? Method Status

YES manual up
YES manual up
ASA-FW/CTX2(config)# changeto context CTX1

!!!!!
Page 19 of 33
Protocol
up
up

!!!!!
!!!!!
ASA-FW/CTX1(config)# sh int ip brief
Interface
IP-Address
Ethernet0/1.101
10.1.101.10
Ethernet0/2
10.1.105.10
Ethernet0/0
10.1.102.10
OK?
YES
YES
YES
Method
manual
manual
manual
Status
up
up
up
Protocol
up
up
up
Task 2
Configure Active/Active failover between ASA1 and ASA2 so that the context CTX1 is
active on ASA1 and standby on ASA2 whilst the context CTX2 is active on ASA2 and
standby on ASA1. As there is a shared interface among both devices, ensure that
packet classification is based on MAC addresses. Use interface E0/3 as failover LAN
and stateful link with IP address of 10.1.254.10/24 (VLAN 254). All standby IP
addresses should be derived from the last octet of primary IP address plus one (e.g. if
primary IP address is 10.1.1.10 the standby IP address will be 10.1.1.11). Secure
failover transmission with a key of cisco456.
Change the command line prompt to show hostname, context and current state of the
context for better visibility.
In Active/Standby failover, failover is performed on a unit basis. One unit is active while the other
unit is standby. In Active/Active, one context is active while the same context on the other ASA is in
standby state.
ASA uses failover groups to manage contexts. Each ASA supports up to two failover groups as
there can only be two ASAs in the failover pair. By default all security contexts are assigned to the
failover group 1.
You can control the distribution of active contexts between the ASAs by controlling each context's
membership in a failover group. Within the failover group configuration mode the "primary"
command gives the primary ASA higher priority for failover group 1. However, the "secondary"
command under failover group 2 gives secondary ASA higher priority for this failover group.
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously. If one unit boots before the other, both
failover groups become active on that unit. When the other unit comes online, any failover groups
that have the secondary unit as a priority do not become active on the second unit unless the
failover group is configured with the "preempt" command or is manually forced using "no
failover active" command.
Page 20 of 33
On ASA1
ASA-FW/CTX1(config)# changeto system
ASA-FW(config)# failover group 1
ASA-FW(config-fover-group)# primary
ASA-FW(config-fover-group)# preempt
ASA-FW(config-fover-group)# failover group 2
ASA-FW(config-fover-group)# secondary
ASA-FW(config-fover-group)# preempt
ASA-FW(config-fover-group)# context CTX1
ASA-FW(config-ctx)# join-failover-group 1
ASA-FW(config-ctx)# context CTX2
ASA-FW(config-ctx)# join-failover-group 2
ASA-FW(config-ctx)# exit
ASA-FW(config)# failover lan unit primary
ASA-FW(config)# failover lan interface LAN_FO e0/3
ASA-FW(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ASA-FW(config)# failover key cisco456
ASA-FW(config)# failover link LAN_FO
ASA-FW(config)# failover
The failover configuration is exactly the same as it was for Active/Standby failover.
Remember that when adding failover to the existing configuration, you must configure
standby IP addresses for all interfaces inside the security contexts.
ASA-FW(config)# changeto con CTX2
ASA-FW/CTX2(config-if)# ip add 10.1.104.10 255.255.255.0 standby 10.1.104.11
ASA-FW(config)# changeto con CTX1
ASA-FW/CTX1(config-if)# changeto system
In multiple context mode, you can view the extended prompt when you log in to the system
execution space or the admin context. Within a non-admin context, you only see the default
prompt, which is the hostname and the context name.
The ability to add information to a prompt allows you to see at-a-glance which adaptive
security appliance you are logged into when you have multiple modules. During a failover,
this feature is useful when both adaptive security appliances have the same hostname.
ASA-FW(config)# prompt hostname context priority state
ASA-FW/pri/act(config)#
Note that in Active/Active failover the ASA automatically generates different MAC
addresses on shared interfaces. You do NOT need to configure mac-address auto in A/A
failover scenario.
On SW3
SW3(config)#int f0/13
SW3(config-if)#sw mo acc
SW3(config-if)#sw acc vl 254
Page 21 of 33
% Access VLAN does not exist. Creating vlan 254

SW3(config-if)#exi
On SW4
Switch(config)#ho SW4
SW4(config-if)#sw tru enca dot
SW4(config-if)#sw mo tru
SW4(config-if)#int ran f0/19 - 24
SW4(config-if-range)#sw tru enca dot
SW4(config-if-range)#sw mo tru
SW4(config-if-range)#exi
On ASA2
On secondary ASA there is only basic failover configuration required. After configuring
and enabling failover, the secondary unit contacts the primary unit and copies
configuration for all contexts and system execution space.
As you can see both failover groups are active on the primary ASA at the beginning.
However, after configuration replication the secondary ASA preempts failover group 2.
ciscoasa(config)# no failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
ciscoasa(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ciscoasa(config)# failover key cisco456
ciscoasa(config)# failover link LAN_FO
ciscoasa(config)# failover
ciscoasa(config)# .
Detected an Active mate
ciscoasa(config)# Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
WARNING: Skip fetching the URL disk0:/CTX1.cfg
Page 22 of 33
WARNING: Skip fetching the URL disk0:/CTX2.cfg

Group 1 Detected Active mate
Group 2 Detected Active mate
End configuration replication from mate.
Group 2 preempt mate
ASA-FW/sec/stby(config)#
Verification
ASA-FW/pri/act(config)# sh failover
Failover On
Interface Policy 1
Group 1 last failover at: 05:37:45 UTC Jul 17 2010
This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active time:
Active
701 (sec)
Standby Ready
597 (sec)

CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal
slot 1: empty
Other host:
Group 1
Group 2
Secondary
State:
Active time:
State:
Active time:
Standby Ready
0 (sec)
Active
103 (sec)

slot 1: empty
Stateful Obj
xmit
xerr
General
15
0
sys cmd
15
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
15
15
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
1
16
Page 23 of 33
rerr
0
0
0
0
0
0
0
0
0
Xmit Q:
16
Note that the status for Inside interface in both contexts is Normal (Not-Monitored).
This is because by default ASA does not monitor subinterfaces or logical interfaces. To
enable monitoring for those interfaces there should be monitor-interface Inside command
configured in each of security contexts.
ASA-FW/pri/act(config)# sh failover group 1
This host:
Primary
State:
Active time:
Active
829 (sec)

Other host:
Secondary
State:
Active time:
Standby Ready
0 (sec)

Status: Configured.
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
SIP Session
0
0
0
0
0
0
0
0
0
0
0
0
0
0
ASA-FW/pri/act(config)# sh failover group 2

This host:
Primary
State:
Active time:
Standby Ready
597 (sec)

Other host:
Secondary
State:
Active time:
Active
248 (sec)

Status: Configured.
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
SIP Session
0
0
0
0
0
0
0
0
0
0
0
0
0
0
ASA-FW/pri/act(config)# sh failover interface

interface LAN_FO Ethernet0/3
System IP Address: 10.1.254.10 255.255.255.0
My IP Address
: 10.1.254.10
Other IP Address : 10.1.254.11
Page 24 of 33
ASA-FW/pri/act(config)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# sh int e0/0
Interface Ethernet0/0 "Outside", is up, line protocol is up
MAC address 1200.0000.a300, MTU 1500
Traffic Statistics for "Outside":
0 packets dropped
ASA-FW/CTX1/pri/act(config)# sh int e0/1.101
Interface Ethernet0/1.101 "Inside", is up, line protocol is up
MAC address 1200.0165.03b0, MTU 1500
Traffic Statistics for "Inside":
0 packets dropped
ASA-FW/CTX1/pri/act(config)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# sh int e0/0
MAC address 1200.0000.04b5, MTU 1500
0 packets dropped
ASA-FW/CTX2/pri/stby(config)# sh int e0/1.104
Interface Ethernet0/1.104 "Inside", is up, line protocol is up
MAC address 1200.0168.04b6, MTU 1500
Traffic Statistics for "Inside":
0 packets dropped
Note: Enable ICMP inspection in both security contexts to ease the verification. Since we
are on Primary ASA in CTX2 security context (which is standby), we cannot configure any
commands. However we can use Remote Command Execution feature to configure remotely Active
context on the second device.
Unfortunately, this tool cannot be used for changing security context (changeto command
does not work). Hence, to make changes to CTX1 we need to do it manually.
ASA-FW/CTX2/pri/stby(config)# policy-map global_policy
**** WARNING ****
ASA-FW/CTX2/pri/stby(config-pmap)#
ASA-FW/CTX2/pri/stby(config-pmap)# exi
**** WARNING ****
ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
Page 25 of 33
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
!
rsh
rtsp
skinny
esmtp
sqlnet
sunrpc
tftp
sip
xdmcp
Note: No ICMP Inspection
ASA-FW/CTX2/pri/stby(config)# failover exec mate policy-map global_policy

ASA-FW/CTX2/pri/stby(config)# failover exec mate class inspection_default
ASA-FW/CTX2/pri/stby(config)# failover exec mate inspect icmp
ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
parameters
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp ICMP Inspection is now enabled (configured on Active and sychronized over the
Failover link)
!
ASA-FW/CTX2/pri/stby(config)# sh failover exec mate
Active unit Failover EXEC is at mpf-policy-map-class sub-command mode
ASA-FW/CTX2/pri/stby(config)# failover exec mate show run policy-map
!
parameters
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
ASA-FW/CTX2/pri/stby(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# policy-map global_policy
Page 26 of 33
ASA-FW/CTX1/pri/act(config-pmap)# class inspection_default

ASA-FW/CTX1/pri/act(config-pmap-c)# inspect icmp
ASA-FW/CTX1/pri/act(config-pmap-c)# exi
ASA-FW/CTX1/pri/act(config-pmap)# exi
R1#p 10.1.102.2
!!!!!
R1#p 10.1.105.5
!!!!!
R5#p 10.1.102.2
!!!!!
R4#p 10.1.102.2
.....
Success rate is 0 percent (0/5)
Ping on R4 is not successful because there is no route back on R2. It has nothing to do
with ASA packets classification. After adding a route back, the ping in successful.
R2(config)#ip route 10.1.104.0 255.255.255.0 10.1.102.12
R4#p 10.1.102.2
!!!!!
It is highly recommended to perform failover test after configuration. The best test in
this situation would be shutting down switch port for DMZ interface of CTX1 security
context and check if failover moves CTX1 over to the secondary ASA.
FAILOVER TEST:
SW23#conf t
Enter configuration commands, one per line.
SW3(config-if)#shut
End with CNTL/Z.
ASA-FW/CTX1/pri/stby(config)# changeto system

ASA-FW/pri/stby(config)# sh failover
Failover On
Interface Policy 1
Page 27 of 33
This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active time:
Failed
1570 (sec)
Standby Ready
597 (sec)

CTX1 Interface DMZ (10.1.105.11): No Link (Waiting)
slot 1: empty
Other host:
Group 1
Group 2
Secondary
State:
Active time:
State:
Active time:
Active
40 (sec)
Active
1012 (sec)

CTX1 Interface DMZ (10.1.105.10): Normal (Waiting)
slot 1: empty
Stateful Obj
xmit
xerr
General
139
0
sys cmd
136
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
3
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
138
136
0
0
0
0
2
0
0
rerr
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
1
138
Xmit Q:
0
1
139
Note that now both security contexts are active on the secondary ASA.
We can bring the switch port back up now and see if primary ASA preempts CTX1 context.
Bring the switch port back up.
SW3#conf t
Enter configuration commands, one per line.
SW3(config-if)#no shut
End with CNTL/Z.
ASA-FW/pri/act(config)#
Group 1 preempt mate
Failover On
Interface Policy 1
Page 28 of 33

This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active time:
Active
1601 (sec)
Standby Ready
597 (sec)

CTX1 Interface Outside (10.1.102.10): Normal (Waiting)
slot 1: empty
Other host:
Group 1
Group 2
Secondary
State:
Active time:
State:
Active time:
Standby Ready
210 (sec)
Active
1215 (sec)

CTX1 Interface Outside (10.1.102.11): Normal (Waiting)
slot 1: empty
Stateful Obj
xmit
xerr
General
166
0
sys cmd
163
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
3
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
165
163
0
0
0
0
2
0
0
rerr
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
1
165
Xmit Q:
0
1
166
You may see Normal (Waiting) state for DMZ link for a while. This is because the ASA
uses keepalives between the interfaces to detect failure. Wait a bit and re-issue the
command again.
If you see waiting state for a long time this may indicate problem with L2
configuration. Check if both interfaces are reachable and switchports are configured
correctly.
Failover On
Interface Policy 1
This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active
1711 (sec)
Standby Ready
Page 29 of 33
Active time:
597 (sec)

slot 1: empty
Other host:
Group 1
Group 2
Secondary
State:
Active time:
State:
Active time:
Standby Ready
210 (sec)
Active
1325 (sec)

slot 1: empty
Stateful Obj
xmit
xerr
General
188
0
sys cmd
185
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
3
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
187
185
0
0
0
0
2
0
0
rerr
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
1
187
Xmit Q:
0
1
188
Task 3
To improve failover speed between two ASAs, configure both, unit and interface poll
time to exchange hello packets on every 500ms. Set the hold time to 5sec. Also, ensure
that the ASA will perform switchover for context CTX1 if minimum two interfaces fail.
Configure ASA to monitor all its interfaces.
If you want failover to occur faster, decrease the failover unit poll time, which specifies how often
hello messages are sent on the failover link. The hold time value specifies the amount of time that
ASA will wait (after lost three consecutive hellos) before declaring the peer unit failed and triggering
a failover.
You can also specify those parameters for monitored interfaces, as ASA sends hello packets out of
each monitored data interface to monitor interface health.
Also, there is a default failover policy which specifies a percentage or a number of the interfaces
which must failed before ASA triggers a failover. The default is 1 meaning the failover will trigger
when only one interface fails.
Page 30 of 33
On Primary ASA
ASA-FW/pri/act(config)# changeto system
ASA-FW/pri/act(config)# failover polltime unit msec 500 holdtime 5
ASA-FW/pri/act(config)# failover group 1
ASA-FW/pri/act(config-fover-group)# interface-policy 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5
ASA-FW/pri/act(config-fover-group)# failover group 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5
ASA-FW/pri/act(config-fover-group)# exi
Note that Unit Pooltime and Interface Policy are configured under the failover groups.
ASA-FW/CTX1/pri/act(config)# monitor-interface Inside
Interface monitoring is configured in each security context and this is only one command
related to the failover configured in this place. This is because this is the place where
the ASA has access to the IP address of the interface.
Rest of failover commands are configured under the system context.
ASA-FW/CTX2/pri/stby(config)# failover exec active monitor-interface Inside
Verification
Failover On
Unit Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active time:
Active
3114 (sec)
Standby Ready
597 (sec)

CTX1 Interface Inside (10.1.101.10): Normal
slot 1: empty
Other host:
Group 1
Group 2
Secondary
State:
Active time:
State:
Active time:
Standby Ready
210 (sec)
Active
2728 (sec)

Page 31 of 33
slot 1: empty
Stateful Obj
xmit
xerr
General
368
0
sys cmd
365
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
3
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
367
365
0
0
0
0
2
0
0
rerr
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
1
367
Xmit Q:
0
1
368
ASA-FW/CTX1/pri/act(config)# sh monitor-interface
Interface Inside (10.1.101.10): Normal
Interface Outside (10.1.102.10): Normal
Other host: Secondary - Standby Ready
ASA-FW/CTX2/pri/stby(config)# sh monitor-interface
This host: Primary - Standby Ready
Other host: Secondary - Active
Task 4
You have been noticed by you companys networking team that they plan to deploy
another router on the outside network to connect to another ISP for redundancy and
load sharing. You must act proactively and ensure that any asymmetric traffic (including
HTTP) caused by redundant ISPs will be handled by the ASA in both contexts.
In Active/Active designs, there is a greater chance for asymmetric routing. This means that one unit
may receive a return packet for a connection originated through its peer unit. Because this unit
does not have any connection information for this packet, the packet is dropped. This is most
common when there are two ISPs with BGP and packet can return from a different ISP.
This can be prevented on the ASA by using ASR Groups (Asynchronous Routing Groups)
configured on the interface inside the context. When an asr-group is configured on the interface
and it receives a packet for which it has no session information, it checks the session information
for the other interfaces that are in the same ASR Group. Then, instead of being dropped, the Layer 2
header is re-written and the packet is redirected to the other unit.
Page 32 of 33
On Primary ASA
ASA-FW/pri/act(config)# failover group 1
ASA-FW/pri/act(config-fover-group)# replication http
ASA-FW/pri/act(config-fover-group)# failover group 2
ASA-FW/pri/act(config-fover-group)# replication http
ASA-FW/pri/act(config-fover-group)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# interface e0/0
ASA-FW/CTX1/pri/act(config-if)# asr-group 1
ASA-FW/CTX1/pri/act(config-if)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# failover exec active interface e0/0
ASA-FW/CTX2/pri/stby(config)# failover exec active asr-group 1
Verification
ASA-FW/CTX2/pri/stby(config)# failover exec active sh interface e0/0 detail
MAC address 1200.0000.0400, MTU 1500
0 packets dropped
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Asymmetrical Routing Statistics:
Received 0 packets
Transmitted 0 packets
Dropped 0 packets
ASA-FW/CTX2/pri/stby(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# sh interface e0/0 detail
MAC address 1200.0000.0500, MTU 1500
1955 packets dropped
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Asymmetrical Routing Statistics:
Received 0 packets
Transmitted 0 packets
Dropped 0 packets
Page 33 of 33

Mastering ASA Firewall: Narbik Kocharians CCIE #12410 R&S, Security, SP Piotr Matusiak CCIE #19860 R&S, Security

Uploaded by

Copyright:

Available Formats

Mastering ASA Firewall: Narbik Kocharians CCIE #12410 R&S, Security, SP Piotr Matusiak CCIE #19860 R&S, Security

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mastering ASA Firewall: Narbik Kocharians CCIE #12410 R&S, Security, SP Piotr Matusiak CCIE #19860 R&S, Security

Uploaded by

Copyright:

Available Formats

Mastering

Mastering ASA Firewall Workbook

BASIC ASA CONFIGURATION ........................................................................................................

BASIC SECURITY POLICY ...............................................................................................................

DYNAMIC ROUTING PROTOCOLS ................................................................................................

ASA MANAGEMENT ..........................................................................................................................

STATIC NAT .........................................................................................................................................

DYNAMIC NAT ....................................................................................................................................

NAT EXEMPTION ...............................................................................................................................

STATIC POLICY NAT.........................................................................................................................

DYNAMIC POLICY NAT ....................................................................................................................

MODULAR POLICY FRAMEWORK (MPF) ...................................................................................

FTP ADVANCED INSPECTION ........................................................................................................

HTTP ADVANCED INSPECTION .....................................................................................................

INSTANT MESSAGING ADVANCED INSPECTION .....................................................................

ESMTP ADVANCED INSPECTION ..................................................................................................

DNS ADVANCED INSPECTION ........................................................................................................

ICMP ADVANCED INSPECTION .....................................................................................................

CONFIGURING VIRTUAL FIREWALLS ........................................................................................

ACTIVE/STANDBY FAILOVER ........................................................................................................

ACTIVE/ACTIVE FAILOVER ...........................................................................................................

REDUNDANT INTERFACES .............................................................................................................

TRANSPARENT FIREWALL .............................................................................................................

THREAT DETECTION ........................................................................................................................

CONTROLLING ICMP AND FRAGMENTED TRAFFIC .............................................................

TIME BASED ACCESS CONTROL ...................................................................................................

QOS - PRIORITY QUEUING ..............................................................................................................

QOS TRAFFIC POLICING ..............................................................................................................

QOS TRAFFIC SHAPING ................................................................................................................

QOS TRAFFIC SHAPING WITH PRIORITIZATION .................................................................

SLA ROUTE TRACKING ...................................................................................................................

ASA IP SERVICES (DHCP).................................................................................................................

URL FILTERING AND APPLETS BLOCKING ..............................................................................

TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS ...........................

STATIC NAT (8.3+) ..............................................................................................................................

Mastering ASA Firewall Workbook

DYNAMIC NAT (8.3+) .........................................................................................................................

BIDIRECTIONAL NAT (8.3+) ............................................................................................................

SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) ......................................................................

SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) ...................................................

SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) ..............................................

SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) ..........................................

CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA)................

IPSEC LOAD BALANCING (ASA CLUSTER) ................................................................................

ANYCONNECT 3.0 BASIC SETUP ....................................................................................................

ANYCONNECT 3.0 ADVANCED FEATURES .................................................................................

Mastering ASA Firewall Workbook

Mastering ASA Firewall Workbook

Inter-switch and Frame Relay connections

Mastering ASA Firewall Workbook

This page is intentionally left blank.

Mastering ASA Firewall Workbook

Stateful Failover Link

Mastering ASA Firewall Workbook

Mastering ASA Firewall Workbook

communication between ASAs.

Mastering ASA Firewall Workbook

**** WARNING ****

WARNING