
ASA 8.3 Licensing and High Availability

Lab Guide
Version 4.1

Part of the Fuel Series brought to you by the ASTEC team

November, 2010

Table of Contents
Introduction......................................................................................................................... 3
Log into the lab portal ........................................................................................................ 8
Exercise 1: Prepare for Launch Meeting.......................................................................... 10
Exercise 2: Verify Initial Connectivity (Baseline) ............................................................ 13
Exercise 3: Review ASA Configuration and Licenses....................................................... 32
Exercise 4: Configure Failover on the ASA Firewalls ..................................................... 42
Exercise 5: Fine-tune Failover Settings ........................................................................... 66
Exercise 6: Install ASDM and Review ASA Configuration .............................................. 68
Exercise 7: Test Failover on the ASA Firewall ................................................................ 84
Exercise 8: Disaster Recovery Backup ............................................................................. 96
Appendix A: Answers to Exercise Questions .................................................................. 103
Appendix B: Final ASA Configuration ........................................................................... 106

November, 2010 ASA Licensing and High Availability Lab Procedures

Introduction

Your company has successfully deployed an ASA 5510 firewall upgrade for Inside.local,
a mid-size organization that employs 500 people and is growing. They are very happy
with the deployed ASA and are calling upon you for your skills and knowledge on the
ASA to help deploy a second ASA in a high availability configuration.

After reviewing Inside.local’s requirements, you determine that an active/standby
configuration is best suited for them. You will discuss with Inside the difference between
active/active and active/standby and why you chose to proceed with an active/standby
design.

They have the second ASA onsite already racked and cabled with the factory default
configuration. They have created Vlans for the Inside and DMZ interfaces for both ASAs
and are using an unmanaged switch for the state and failover interfaces. There is a
scheduled outage to allow you to complete this deployment and for testing.
The customer is ready for you to do your ASA magic!

What precipitated the engagement?

• The organization’s network policy states that Internet downtime caused by a
hardware failure may not exceed 4 hours.
• An increasing number of remote workers connect over VPN to reach work
resources, and a hardware failure must not prevent them from connecting.
• The organization is also planning for cloud computing. As applications become
more cloud based, they want high availability across the whole Internet connection.
• Future plans include adding a second ISP link for redundancy.
• The customer purchased additional licenses and would like you to add them to the
ASA failover cluster.

Key requirements:
• You must provide the customer a logical topology diagram.
• You need to outline the key differences between an active/active and an
active/standby design and why you chose an active/standby design.
• Configure the second ASA in the cluster and minimize any downtime.
• Create a test plan to validate your new high availability design.
• Ensure this deployment aligns with future initiatives.
• Provide post-installation recommendations.


Logical Topology
The diagram below depicts the logical L3 and L2 topology of the network for this lab.
Please note that the UserPCs and Servers are VMware images and that if you shut down
any of these machines you will lose all changes. Please ensure that you use restart,
if/when needed. Unless otherwise specified, all logins are administrator and passwords
are cisco123, all in lower case, except for pc-inside.inside.local where the username is
johndoe and the password is cisco123.
[Figure: L3 topology diagram. The addressing recoverable from it:]
• PC outside, 192.0.2.50, reaches the lab through the Internet and the ISP Router (.1 on 192.0.0.0/24)
• Primary (Active) ASA: e0/0 outside .254 on 192.0.0.0/24, e0/1 inside .254 on 10.0.0.0/24 (v500), e0/2 DMZ .254 on 192.168.1.0/24 (v600), Mgt HA-Failover .1 on 192.168.60.0/30, e0/3 HA-State .5 on 192.168.60.4/30
• Secondary (Standby) ASA: e0/0 outside .253, e0/1 inside .253, e0/2 DMZ .253, Mgt HA-Failover .2, e0/3 HA-State .6
• DMZ server .10 on 192.168.1.0/24
• Core-sw1: lo0 10.0.255.1/32, .1 on 10.0.0.0/24 (v500), .1 on 10.0.1.0/24 (v10) and .1 on 10.0.2.0/24 (v20)
• PC Inside gets its address by DHCP on v10; DC inside .10 and Exchange inside .100 on v20


[Figure: L2 topology diagram. The cabling recoverable from it:]
• PC outside connects through the Virtual Internet to the ISP Router, which connects to e0/0 of each ASA
• The two ASAs are joined by their Mgt ports (HA-Failover) and their e0/3 ports (HA-State)
• Primary ASA: e0/1 (v500) to Core-sw1 g1/0/5, e0/2 (v600) to Core-sw1 g1/0/6
• Secondary ASA: e0/1 (v500) to Core-sw1 g1/0/8, e0/2 (v600) to Core-sw1 g1/0/7
• Core-sw1: g1/0/3 (v10) to PC Inside, g1/0/4 (v600) to DMZ inside, g1/0/1 and g1/0/2 (v20) to DC inside and Exchange inside


Disclaimer
This lab is intended to be a sample of one way to configure the ASA to provide the
customer the required connectivity. There are many ways the ASA can be configured,
which vary depending on the situation and the customer’s goals/requirements. Please
ensure that you consult all current official Cisco documentation before proceeding with a
design or installation. This lab is primarily intended to be a learning tool and may not
necessarily follow best practice recommendation at all times in order to convey specific
information.

Current documentation for ASA can be found on CCO:

ASA 8.3 CLI Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html

ASDM 6.3 for ASA 8.3 Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.html

Cisco ASA 5500 Migration Guide for Version 8.3
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Cisco ASA 5500 Series Getting Started Guide, 8.3
http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/getstart.html

ASA 8.3 CLI Series Configuration Guide, High Availability
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html

ASA 8.3 CLI Series Configuration Guide, High Availability – Active/Standby
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_active_standby.html

The labs were constructed using the following software versions:

ASA asa831-6-k8.bin
ASDM asdm-631.bin
AVC AnyConnect-win-2.5.0217-k9.pkg
VPN Client vpnclient-win-msi-5.0.07

Prerequisite knowledge
This lab is the second module in a series of ASA labs created by the ASTEC team. This
lab assumes that you have taken our first lab, ASA 8.3 Basics and New Features, or have
viewed the recorded tech session or have equivalent basic understanding of IP
technologies and the Cisco ASA 5500. It is suggested that you take the modules in the
recommended order unless you are already familiar with the information in the previous
modules.


*** Important ASA Lab Information***


The ASAs in the lab are configured with the configuration register set to boot from
ROMMON. This is part of Team ASTEC’s automation in preparing the ASA for your
lab. Once the ASA loads in your lab, it will have the factory-default configuration.

If you reload your ASA during the lab, it will initialize in ROMMON.
Should this happen, issue the following commands:

1- From ROMMON, type boot flash:asa831-6-k8.bin.
2- Once the ASA has reloaded, type copy startup-config running-config.

In this lab, we use the Cisco ASA 5510 appliance which has 1 Gigabyte of memory.


Log into the lab portal


These labs are browser agnostic and will work with most versions, however, they have
been tested using Firefox and Internet Explorer. The PC requirements are as follows: use
Java version 1.4.3 or better, disable pop up blockers and personal firewalls, and
disconnect any current VPN connections you may have running.

Open a browser and type https://128.107.69.132

Your proctor will provide you with the login and pod number information. Type this into
the Username/Password box and click Login. Also write this information below.

Username __________________________
Password __________________________
Pod number __________________________


Click Continue.

On the ASTEC Student Portal web page, when launching the web bookmarks to access
PC-Inside and PC-Outside, please click the Open in a new Browser icon.


Exercise 1: Prepare for Launch Meeting


Goal: Create simple diagrams and review IP address assignments in preparation for a
project launch meeting with the Inside.local Network team.

Hopefully most of this design was discussed as part of the pre-sales process and the
detailed design meetings that occurred in order to prepare an accurate statement of work.
Now the time has arrived to start the project. The Inside.local engineering team wants a
kickoff meeting to review exactly what you will be doing and provide you with any final
details you need to begin. The main focus of the meeting is to explain the difference
between active/active and active/standby high availability designs and explain some
testing that you will execute to validate the high availability design.

External IP addressing is as follows:

192.0.0.254 ASA_1 outside interface
192.0.0.253 ASA_2 outside interface
192.0.0.252 PAT address for InsideLAN network
192.0.0.251 NAT address for the DMZ web server
192.0.0.250 NAT address for the Email server

Internal IP addressing is as follows:

10.0.0.254 ASA_1 inside interface
10.0.0.253 ASA_2 inside interface
192.168.1.254 ASA_1 DMZ interface
192.168.1.253 ASA_2 DMZ interface
10.0.0.1 Internal L3 switch
10.0.2.10 Domain Controller
10.0.2.100 Exchange server
192.168.1.10 DMZ server
192.168.60.1 ASA_1 failover interface
192.168.60.2 ASA_2 failover interface
192.168.60.5 ASA_1 state interface
192.168.60.6 ASA_2 state interface

Lab Task: Review the diagram below and think through how it could be used to
storyboard the project for the customer.


[Figure: the L3 topology diagram from the Logical Topology section, repeated here for the launch meeting]


In discussions with Inside, they agreed and purchased a second ASA firewall and are
looking for your recommendation on a deployment design. You have reviewed their
network topology, services and future requirements.

You explained to Inside’s network manager the two high availability designs,
active/active and active/standby. Both designs are valid and each has pros and cons,
but you told the network manager that you decided on an active/standby design and
explained the reason for this decision.

The main reason for active/standby is that active/active failover cannot support VPN
connections: Active/Active failover requires multiple context mode, and VPN is not
supported in multiple context mode.

When the security appliance is configured for Active/Active Stateful Failover, you cannot
enable IPsec or SSL VPN, so those features are unavailable. VPN failover is available
for Active/Standby failover configurations only.

You verified that the two ASA firewalls are the same model with the same module, have
the same amount of RAM, and are running the same version of code.


Exercise 2: Verify Initial Connectivity (Baseline)


Goal: Execute some baseline tests to ensure the network is operational prior to beginning
the work.

From the ASTEC student portal, go to pc-inside.


Log in as johndoe with a password of cisco123.

Open a command prompt and issue the ipconfig command. There is a cmd prompt
shortcut on the desktop.

What is your IP address? _________________________


What is your subnet mask? ________________________
What is your default gateway? _____________________

From pc-inside.inside.local, ping the following destinations:

ping 10.0.1.1 pc-inside default gateway
ping 10.0.2.10 dc.inside.local
ping 10.0.2.100 exchange.inside.local
ping 10.0.0.254 ASA inside interface
ping 192.168.1.10 dmz.inside.local


From pc-inside, launch Internet Explorer and browse to the DMZ web server.
In the browser, type http://192.168.1.10.

From the ASTEC Student Portal, go to pc-outside.


Log in as administrator with a password of cisco123.

From the desktop, double click the VPN icon, highlight the Inside-ipsec profile and
Connect.


Provide johndoe/cisco123 as the credentials when prompted.

Once you are connected, open a command prompt and issue the following ping
commands:

ping 10.0.2.10 DC
ping 10.0.2.100 Exchange
ping 192.168.1.10 DMZ


From pc-outside, launch Internet Explorer and browse to the DMZ web server.
In the browser, type http://192.168.1.10.


Return to pc-inside and from the desktop, launch the OoB Console Access shortcut.

Select your pod number from the Pod Number drop-down box and select ASA 2 – ASA
High-Availability from the Content Package drop-down and click Access Console Map.

The console map is a customized webpage with hotspot icons. Clicking on these icons
launches a telnet session to a terminal server where the device console cables are
connected.


Click each of the ASA icons so that you can connect via the console. This will launch a
Telnet application which will connect to the ASA console ports.

Click in each of the telnet windows and press Enter twice in each of the terminal boxes.

You now have accessed the primary and the secondary ASAs. Remember that the
primary ASA is Inside.local’s production firewall. Notice the hostname is asa-lab.

The secondary ASA is Inside.local’s new ASA firewall and has the default hostname of
ciscoasa.


Now minimize the consoles web page, but leave the two Telnet console windows open.

This will make it easier to look at both ASA firewalls and to view the commands, and
compare and sync between both. It will also allow you to see what happens during
failover testing.


The enable password for the primary ASA (with the hostname asa-lab) is cisco123.
There is no enable password set for the secondary ASA, because it still has the factory
default configuration; if you are prompted for a password, just press Enter. Once failover
is configured later in this lab, the primary’s configuration, including its enable password,
is replicated to the secondary.

If the ASA firewalls are not in enable mode, type enable and press Enter. Type cisco123
as the password for the primary ASA and leave the password blank for the secondary
ASA.

Next, we will test connectivity from our primary ASA.

ping 10.0.0.1 inside L3 switch
ping 192.0.0.1 outside gateway
ping 192.168.1.10 DMZ server
ping 10.0.2.10 domain controller


Contact your proctor if you have any issues or if any of the pings fail before proceeding.

Issue the show version command.


Q2.1: What version of code is running on this ASA?

Q2.2: How many SSL VPN Peers are licensed?

Q2.3: How many UC Phone Proxy Sessions are licensed?

Q2.4: Are there any time-based licenses? If so, which features?

Q2.5: Is the running activation key time-based or permanent?

Switch to the other ASA firewall and type enable if you’re not already in enable mode.
The factory default setting does not have an enable password so just press Enter when
prompted for the password.


On the second ASA firewall, type show version.


Q2.6: What version of code is running on this ASA?

Q2.7: How many SSL VPN Peers are licensed?

Q2.8: How many UC Phone Proxy Sessions are licensed?

Q2.9: Are there any time-based licenses? If so, which features?

Q2.10: Is the running activation key time-based or permanent?

In your discussion with Inside’s manager, you explained the cabling recommendations
and requirements for the ASA failover and state interfaces.

You can use any unused Ethernet interface on the device as the failover link; however,
you cannot specify an interface that is currently configured with a name. The LAN
failover link interface is not configured as a normal networking interface; it exists for
failover communication only. This interface should only be used for the LAN failover
link (and optionally for the Stateful Failover link).

Connect the LAN failover link in one of the following ways:

• Using a switch, with no other device on the same network segment (broadcast
domain or VLAN) as the LAN failover interfaces of the ASA firewalls

• Using a crossover Ethernet cable to connect the ASA firewalls directly, without
the need for an external switch

However, when you use a crossover cable for the LAN failover link, if the LAN interface
fails, the link is brought down on both peers. This condition may hamper troubleshooting
efforts because you cannot easily determine which interface failed and caused the link to
go down.

With the exception of the ASA 5505, all the models support Stateful Failover.

To use Stateful Failover, you must configure a Stateful Failover link to pass all state
information. You have three options for configuring a Stateful Failover link:

• You can use a dedicated Ethernet interface for the Stateful Failover link.

• If you are using LAN-based failover, you can share the failover link.

• You can share a regular data interface, such as the inside interface. However, this
option is not recommended.


If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use
either a switch or a crossover cable to directly connect the units. If you use a switch, no
other hosts or routers should be on this link. This isolation matters for more than
troubleshooting: the failover link carries configuration replication and the state link
carries connection state, and both travel in clear text unless you secure them with a
failover key. On an ASA that terminates VPN tunnels, that clear text includes the
usernames, passwords and pre-shared keys used to build the tunnels.

When Stateful Failover is enabled, the active unit continually passes per-connection state
information to the standby unit. After a failover occurs, the same connection information
is available at the new active unit. Supported end-user applications are not required to
reconnect to keep the same communication session.

Inside’s manager would like to know precisely what information gets replicated to the
standby firewall. You help the manager understand this by sharing the following table:

After this discussion, the manager agrees to use a dedicated unmanaged layer 2 switch for
the state and failover interfaces for both ASA firewalls. The manager also had the
network engineer create two new Vlans to be used by the ASA’s Inside and DMZ
interfaces on their internal managed layer 3 switch.


As with all good engineers, you believe in verifying configurations and want to verify
this Vlan configuration before you proceed with your ASA configurations.

From the OoB Console Access page that you minimized earlier, click the Core-sw1 3750
console icon so that you can connect via the console. This will launch a Telnet
application which will connect to the 3750 switch console.

Press Enter twice in the terminal box.

Type administrator/cisco123 as the username/password to access the switch.


Issue the show vlan command.

Here we can see that the primary ASA’s inside interface is in Vlan 500 connected to
interface G1/0/5, and the DMZ interface is in Vlan 600 connected to interface G1/0/6.
We can also see that the standby ASA’s inside interface is also in Vlan 500 connected to
interface G1/0/8, and the DMZ interface is in Vlan 600 connected to interface G1/0/7.


Exercise 3: Review ASA Configuration and Licenses


Goal: The goal is to review the ASA configurations, specifically the interfaces, as we
need to configure two new interfaces, one for failover and the other for state information
replication. We also want to verify the current licensing on the ASA and add the new
time-based activation key with the new additional features. We will utilize the console
port to complete these tasks.

If you have closed your ASA console sessions, you will need to re-launch them.

Click the ASA so that you can connect via the console, (refer to the red arrows). This will
launch a Telnet application which will connect to the ASA console.

Press Enter twice in the terminal box.


From the console of the primary ASA, issue the show activation-key command.


Q3.1: What is the serial number for your ASA? ________________________________

In the table below, find your pod number and serial number. Record the activation key
that matches your serial number for the primary ASA.

What is your activation key? ________________________________________________


From the console of the secondary ASA, issue the show activation-key command and
also retrieve the serial number for this firewall.

The serial number is ______________________________________________________

In the table above, find your pod number and serial number. Record the activation key
that matches your serial number for the secondary ASA.
What is your activation key? ________________________________________________

Now that we have the new activation keys for the ASA firewalls, let’s add these.


****** You may want to open Notepad from pc-inside and type the activation keys
in Notepad. This will enable you to copy and paste as needed.********

From the console of the primary ASA, type configure terminal to get into global
configuration mode.
Type activation-key followed by your activation key for the primary ASA from the table
above.

Let’s do the same steps for the secondary ASA. From the console of the secondary ASA,
press Enter for the password.

Type activation-key followed by your activation key for the secondary ASA from the
table above.

We want to verify that the new activation keys are in effect.


From the console of the primary ASA, type show activation-key detail.


Q3.2: What has changed on the licensing?

Q3.3: Looking at the licensed features for this platform, how many SSL VPN Peers
licenses do we have?

Q3.4: How many UC Phone Proxy sessions?

Q3.5: Are there any time-based licenses, if so, which feature?

Q3.6: How many days are left?

As can be seen from the show activation-key detail command, we now have permanent
and time-based keys simultaneously enabled on this ASA.


Let’s next verify the activation-key on the secondary ASA.


From the console of the secondary ASA, type show activation-key detail.

Remember that you can tell the difference between the primary and secondary ASA by
looking at the firewall hostname. The primary ASA is called asa-lab while the secondary
ASA has the default name of ciscoasa.


Q3.7: Looking at the licensed features for this platform, how many SSL VPN Peers
licenses do we have?

Q3.8: How many UC Phone Proxy sessions?

Q3.9: Are there any time based licenses, if so, which feature?

Q3.10: How many days are left?

As can be seen from the show activation-key detail command, we now have permanent
and time-based keys simultaneously enabled on this ASA also.

Let’s next start the high availability active/standby configuration and then return and see
if this changes the licensing.


Exercise 4: Configure Failover on the ASA Firewalls


Goal: The goal is to configure the ASA firewalls into a high availability cluster using an
active/standby design.

From the console on the primary ASA, issue the show failover command. The output
reports Failover Off, confirming that failover has not already been configured.

Let’s verify the interfaces on this ASA. From the console of the primary ASA, type show
running-config interface.


Q4.1: How many unused and available interfaces do we have?

Although we could use one interface for state information and failover, it is best practice
to use separate interfaces and that is what we will configure.

If you use the failover link as the Stateful Failover link, you should use the fastest
Ethernet interface available. If you experience performance problems on that interface,
consider dedicating a separate interface for the Stateful Failover interface.

Since we have two available interfaces, interface management 0/0 and interface Ethernet
0/3, we will use interface management 0/0 as the failover link and interface Ethernet 0/3
as the Stateful failover link.

From the console on the primary ASA, if the ASA is not in global configuration mode,
type configure terminal to enter global configuration mode.

Issue the interface management 0/0 command and then type no shutdown to enable this
interface.

Then type the following commands. They tell the ASA that it is the primary unit in the
active/standby cluster, that the management 0/0 interface is the failover link, that this link
is named failover, and they assign the failover link addresses of this ASA (the active address)
and of its standby mate:

failover lan unit primary
failover lan interface failover management0/0
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2


Let’s see if failover is now enabled. Type the show failover command.

Notice that failover is still marked as off. We are missing one more failover command.
We also see that we have not enabled Stateful failover. Issue the show failover state
command. This command will indicate that stateful failover is disabled.

Let’s continue and configure the Stateful failover interface and then we will complete the
final command to enable failover.


From global configuration mode, type interface Ethernet 0/3 and then no shutdown.

Type the following commands to configure Stateful Failover on the primary ASA:

failover link state ethernet0/3
failover interface ip state 192.168.60.5 255.255.255.252 standby 192.168.60.6

The first command designates Ethernet 0/3 as the Stateful Failover link and gives it the
logical name state. The second assigns the state link addresses of this ASA and of its
failover mate.


Finally, type failover to enable failover.

Then issue the show failover command on the primary ASA and observe what this ASA
firewall is reporting.


We can see this is the Primary unit and we can also see that the Secondary ASA has not
yet been detected. This is expected as we have not yet completed the secondary ASA
configuration.

Now let’s switch our focus to the secondary ASA. If you recall, this ASA is already
racked and cabled and is waiting to be configured.


From the console on the secondary ASA, type show failover. We can see that failover
has not been configured.

We need to see what interfaces are available so type show running-config interface.

As could be expected, only the Management 0/0 interface is configured with the
192.168.1.1 255.255.255.0 IP Address and its name is management. This is the default
factory setting. We also know that DHCP service is also enabled.

Let’s start with our configuration by disabling this interface.


From global configuration mode on the secondary ASA, issue the following commands:

interface management 0/0
no ip address
no nameif
no security-level
no shutdown

On the primary’s console you can see that the primary ASA is trying to sync with the
secondary ASA. This will continue to fail until the secondary ASA is configured and is able
to respond. The secondary ASA configuration is very simple and straightforward: all we
need to configure is the failover link, using the same failover interface ip command, with
the same active and standby addresses, that we entered on the primary. All the remaining
configuration will be sent from the primary ASA, including the state link interface
information.

Let’s continue with the configuration. On the secondary ASA, type the following
commands:

failover lan interface failover management0/0
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2
failover lan unit secondary
failover


Now we should see the primary ASA detect its mate and start the configuration
replication. We should also see information regarding licensing; we will look into this
further in the next few steps. Another item to notice is the warning message: This
command will not take effect until interface “inside” has been assigned an IP address.

We need to investigate this further as this could potentially cause us problems in the
future.

From the console of the primary ASA, let’s review.


Let’s issue the show failover command on the primary ASA firewall.

We can see that failover is now on. We can also see that this ASA (This host) is Primary
and is the active unit. The secondary ASA (Other host) is in a Standby Ready state.
We next see all the monitored interfaces listed on both the primary and secondary ASA
firewall, and that they are in a Normal (Waiting) state.

What is missing from our configuration that is causing the monitored interfaces to be in a
Normal (Waiting) state instead of just a Normal state?

Looking at the show failover output, we see the secondary ASA has the IP address
0.0.0.0 for all its interfaces. We forgot to assign the standby IP addresses for the
secondary firewall! Until each monitored interface has a standby address, the two units
cannot exchange hello packets on it, which is what the Waiting qualifier indicates.

We need to add this configuration onto the primary ASA and watch this sync with the
secondary firewall.
From global configuration on the primary ASA, type the following commands:


interface Ethernet 0/0
 ip address 192.0.0.254 255.255.255.0 standby 192.0.0.253
interface Ethernet 0/1
 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253
interface Ethernet 0/2
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253

Let’s wait 10 seconds and be certain that the two ASA firewalls have synchronized their
configs and re-issue the show failover command.


This looks much better! All the monitored interfaces are in a normal state. We can see
that both ASA firewalls have their IP addresses and can now communicate with each
other over all monitored interfaces.
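Checking show failover by eye works for two units, but the two symptoms we just walked through (interfaces stuck in Normal (Waiting) and a peer whose interfaces all show 0.0.0.0 because no standby addresses were configured) are easy to miss in a longer output. The following script is an added example, not part of the lab guide or any Cisco tool: it parses the host and interface lines of show failover and lists what is wrong with the pair. The two sample outputs are constructed to approximate the ASA 8.3 layout of the before and after states seen above; only the Failover On, This host/Other host and Interface lines are parsed, so any other lines a real unit prints are ignored.

```python
"""Flag an incomplete failover pair from `show failover` output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the first `show failover`, before standby addresses existed.
SHOW_FAILOVER_BEFORE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Monitored Interfaces 3 of 250 maximum
        This host: Primary - Active
                  Interface outside (192.0.0.254): Normal (Waiting)
                  Interface inside (10.0.0.254): Normal (Waiting)
                  Interface dmz (192.168.1.254): Normal (Waiting)
        Other host: Secondary - Standby Ready
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface dmz (0.0.0.0): Normal (Waiting)
"""

# Constructed sample: the same command after the standby addresses were added.
SHOW_FAILOVER_AFTER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Monitored Interfaces 3 of 250 maximum
        This host: Primary - Active
                  Interface outside (192.0.0.254): Normal
                  Interface inside (10.0.0.254): Normal
                  Interface dmz (192.168.1.254): Normal
        Other host: Secondary - Standby Ready
                  Interface outside (192.0.0.253): Normal
                  Interface inside (10.0.0.253): Normal
                  Interface dmz (192.168.1.253): Normal
"""

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
# "Interface inside (10.0.0.254): Normal (Waiting)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")


@dataclass
class PeerUnit:
    role: str                                   # Primary / Secondary
    state: str                                  # Active / Standby Ready / ...
    interfaces: dict = field(default_factory=dict)  # name -> (ip, state)


def parse_show_failover(text):
    """Return (failover_on, {"This": PeerUnit, "Other": PeerUnit})."""
    failover_on = False
    units, current = {}, None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            failover_on = True
            continue
        m = HOST_RE.match(line)
        if m:
            current = PeerUnit(role=m.group(2), state=m.group(3))
            units[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3))
    return failover_on, units


def check_failover_pair(text):
    """List everything that keeps the pair from being fully ready; [] means healthy."""
    failover_on, units = parse_show_failover(text)
    findings = []
    if not failover_on:
        findings.append("failover is not On")
    if set(units) != {"This", "Other"}:
        findings.append("peer is not visible in show failover output")
    else:
        states = sorted(u.state for u in units.values())
        if states != ["Active", "Standby Ready"]:
            findings.append(f"unit states {states}; expected one Active and one Standby Ready")
    for which, unit in units.items():
        for name, (ip, state) in unit.interfaces.items():
            if ip == "0.0.0.0":
                findings.append(f"{which} host ({unit.role}): {name} has 0.0.0.0, standby address missing")
            if state != "Normal":
                findings.append(f"{which} host ({unit.role}): {name} is {state}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SHOW_FAILOVER_BEFORE), ("after", SHOW_FAILOVER_AFTER)):
        print(label, check_failover_pair(sample) or ["pair is healthy"])
```

Run against a pasted transcript from a console session, the script reports the missing standby addresses on the Other host and the Waiting state on every monitored interface for the first sample, and nothing for the second.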

Recall that we did not configure the Stateful failover link on the secondary ASA; it
should have been replicated from the primary.

From the console on the secondary ASA, let's issue the show failover state command
and confirm that these commands have been replicated between the two ASA firewalls.


Success! The two ASA firewalls have synchronized and we can see that Stateful failover
is now enabled.

Type show failover. We now can see that failover is enabled, that this is the secondary
unit, and we can also see that this ASA (This host) is in Standby Ready mode and that the
primary (Other host) is Active.


Let’s next review our interfaces. Type the show running-config interface command.
The management0/0 and Ethernet 0/3 interfaces, which are used for failover and state
replication, do not have any IP addresses associated with them.


Let’s next look at the licenses and spend some time to understand this.

Older versions of adaptive security appliance software required that the licenses match on
each unit. Starting with Version 8.3(1), you no longer need to install identical licenses.
Typically, you buy a license only for the primary unit; for Active/Standby failover, the
secondary unit inherits the primary license when it becomes active. If you have licenses
on both units, they combine into a single running failover cluster license.

The license usage of the two units combined cannot exceed the failover cluster license.
For example, you have two ASA 5510 adaptive security appliances with 250 SSL VPN
sessions each; because the platform limit is 250, the combined license allows 250 SSL
VPN sessions and not 500 SSL VPN sessions.

For the ASA 5505 and 5510 adaptive security appliances, both units require the Security
Plus license; the Base license does not support failover, so you cannot enable failover on
a standby unit that only has the Base license.
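The combination rules above are simple to state but easy to get wrong when time-based keys are added and removed, which is exactly what the rest of this exercise does. The script below is an added example, not Cisco code, that models the arithmetic: each unit's running license is its permanent counts plus any active time-based counts, capped at the platform limit; the failover cluster license is the sum across both units, capped again. The platform limits are the ASA 5510 figures used in this lab (250 SSL VPN peers, 100 UC Phone Proxy sessions); the per-unit counts of 24 permanent and 50 time-based UC Phone Proxy sessions and 250 permanent SSL VPN peers are the lab's, and a 250-peer time-based SSL VPN count is an assumption made for illustration.

```python
"""Model the ASA 8.3 failover cluster license combination rules (added example)."""
from dataclasses import dataclass, field

# Platform maximums for the ASA 5510 features this lab looks at.
PLATFORM_LIMITS_ASA5510 = {"ssl_vpn_peers": 250, "uc_phone_proxy_sessions": 100}


@dataclass
class UnitLicense:
    permanent: dict                                   # feature -> count
    time_based: dict = field(default_factory=dict)    # feature -> count
    time_based_active: bool = True                    # False after the key is deactivated

    def running(self, platform_limits):
        """Per-unit running license: permanent plus active time-based, capped per feature."""
        counts = dict(self.permanent)
        if self.time_based_active:
            for feature, n in self.time_based.items():
                counts[feature] = counts.get(feature, 0) + n
        return {f: min(n, platform_limits.get(f, n)) for f, n in counts.items()}


def _raw_total(units, platform_limits):
    total = {}
    for unit in units:
        for feature, n in unit.running(platform_limits).items():
            total[feature] = total.get(feature, 0) + n
    return total


def cluster_license(units, platform_limits):
    """Failover cluster license: sum of the units' running licenses, capped at the platform."""
    total = _raw_total(units, platform_limits)
    return {f: min(n, platform_limits.get(f, n)) for f, n in total.items()}


def features_over_capacity(units, platform_limits):
    """Features whose uncapped sum exceeds the platform limit (the lab's Q4.5 / Q4.9)."""
    total = _raw_total(units, platform_limits)
    return sorted(f for f, n in total.items() if n > platform_limits.get(f, n))


def lab_units():
    """Two ASA 5510s as in this lab; the time-based SSL VPN count of 250 is assumed."""
    permanent = {"ssl_vpn_peers": 250, "uc_phone_proxy_sessions": 24}
    time_based = {"ssl_vpn_peers": 250, "uc_phone_proxy_sessions": 50}
    return (UnitLicense(dict(permanent), dict(time_based)),
            UnitLicense(dict(permanent), dict(time_based)))


if __name__ == "__main__":
    primary, secondary = lab_units()
    limits = PLATFORM_LIMITS_ASA5510
    print("both time-based active:", cluster_license([primary, secondary], limits))
    primary.time_based_active = False
    print("primary time-based off:", cluster_license([primary, secondary], limits))
    secondary.time_based_active = False
    print("both time-based off:", cluster_license([primary, secondary], limits))
```

With both time-based keys active the UC Phone Proxy total of 148 is capped at 100 and the SSL VPN total of 500 at 250; deactivating the primary's time-based key drops UC Phone Proxy to 98 while SSL VPN stays capped, and deactivating both leaves 48 and 250. Those are the figures the Q4.x answers in Appendix A arrive at.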


From the primary ASA firewall, issue the show version command.


Q4.2: Looking at the output of our command, what has changed?

Q4.3: How many days are left for the time-based licensed features?

Q4.4: How many UC Phone Proxy Sessions licenses are available?

Q4.5: Are any feature licenses exceeding the platform’s capacity?


Let's test this by deactivating the time-based licenses and comparing the outputs again.

From the console of the primary ASA and from global configuration mode, type
activation-key followed by your time-based activation key.

Now re-issue the show version command.


Q4.6: Looking at the output of the show version command, what has changed?

Q4.7: How many days are left for the time-based licensed features?

Q4.8: How many UC Phone Proxy Sessions licenses are available?

Q4.9: Are any feature licenses exceeding the platform’s capacity?

With the ASA firewalls configured in an active/standby pair, their licenses are
aggregated. At this point the primary ASA has only its permanent licenses enabled,
while the secondary ASA still has both time-based and permanent licenses enabled.


Let’s test further by deactivating the time-based license on the secondary ASA.

From the console of the secondary ASA, in global configuration mode, type activation-
key followed by your time-based activation key.

Return to the console of the primary ASA and issue the show version command again.


We now see no time-based licenses at all. Only the two permanent licenses are being
combined; since both permanent licenses are for 250 SSL VPN sessions and the ASA
5510 platform limit is 250 SSL VPN sessions, 250 remains the maximum.

Let’s reactivate both time-based licenses on each ASA firewall and start our test plan.

From the console of each ASA and from global configuration, type activation-key
followed by your activation key.


The following screenshot shows the primary ASA.

The following screenshot shows the secondary ASA.

The final step here is to save our configuration. Issue the write memory command on the
primary ASA. Notice how this gets synchronized with the secondary unit.


Exercise 5: Fine-tune Failover Settings


Goal: We will be configuring two additional settings on the ASA firewalls. We will
enable HTTP replication as part of the Stateful failover link and we will also secure
information being sent across the failover and Stateful failover links by setting a failover
key.

All information sent over the failover and Stateful Failover links is sent in clear text
unless you secure the communication with a failover key. If the ASA is used to terminate
VPN tunnels, this information includes any usernames, passwords and preshared keys
used for establishing the tunnels. Transmitting this sensitive data in clear text could pose
a significant security risk. We recommend securing the failover communication with a
failover key if you are using the ASA to terminate VPN tunnels.

From the console of the primary ASA and from global configuration, type the following
commands:

failover key cisco123
failover exec mate failover key cisco123

The failover exec mate command runs the failover key cisco123 command on the
secondary ASA, so the same key is now configured on both units; the key must be
identical on both sides. cisco123 is a lab value; use a long, unique key in production.

Now the information sent over the failover and Stateful failover links is secured. This
is recommended whenever the ASA terminates VPN tunnels.

The next configuration will be to enable the replication of HTTP traffic.


By default, the ASA does not replicate HTTP session information when Stateful Failover
is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients
typically retry failed connection attempts, not replicating HTTP sessions increases system
performance without causing serious data or connection loss. The failover replication http
command enables the Stateful replication of HTTP sessions in a Stateful Failover
environment, but it could have a negative impact upon system performance.

From global configuration on the primary ASA, type failover replication http.

Let’s save our work. Type write memory.


Exercise 6: Install ASDM and Review ASA Configuration


Goal: The goal is to install the ASDM on pc-inside.inside.local, which we will be using
to review the configuration on the ASA.

On pc-inside.inside.local, point your Internet Explorer to https://10.0.0.254, which is
the IP address of the inside interface on the ASA.

Click "Continue to this website (not recommended)". The warning appears because the
ASA presents a self-signed certificate by default. Accepting it is fine in the lab; in
production, install a certificate issued by your own CA on the ASA so that
administrators are not trained to click through this warning.

Click the Install ASDM Launcher and Run ASDM button.


Type administrator and cisco123 in the username and password boxes.

Click Run.


Click Run again.

Click Next twice.


Click Install.


Then click Finish to complete the installation.

Let’s log onto the ASA’s inside IP address of 10.0.0.254 using the local administrator
account and cisco123 password.


Check Always trust content from this publisher and click Yes.

The ASDM will start loading the ASA’s configuration.


This is the home view in the ASDM. From here we can view lots of valuable information
such as Device information, Interface status and IP addressing, Traffic status, System
Resources status and Failover Status.

Let's click the Details link in the Failover Status panel.

This will take us to the ASDM monitoring page. This is the equivalent of the show
failover CLI command. We can also see that we could execute commands from here,
such as changing the role of the ASA to Standby or Reloading the Standby unit.


Let’s next look at the licensing through the ASDM. Navigate to Configuration > Device
Management > Licensing > Activation Key.


Displayed here is the unit’s serial number, the activation keys for the permanent and
time-based licenses as well as the effective running license for the high availability
cluster.

Select the time-based license activation key and click Show license details.


We can see the license features, license value and duration for this activation key.
Click OK.


From the Activation Key page, click Show information of license specifically
purchased for this device alone. This shows which licenses are effective for this ASA
firewall on its own, as opposed to the combined license of the failover pair.


Click OK.

Let’s review the high availability configuration on the ASDM.


Click Configuration > Device Management > High Availability > Failover.


We can graphically see that failover is enabled, and there is a failover shared key which
is used to secure the information sent through the failover and stateful failover interfaces.
We next can see all the IP addressing for the LAN Failover and State Failover interfaces
and that we enabled HTTP replication.


Let’s select the Interfaces tab.

From here we can see that the three interfaces, Inside, Outside and DMZ are being
monitored. You can monitor up to 250 interfaces divided between all contexts.

The ASA determines the health of the other unit by monitoring the failover link. When a
unit does not receive three consecutive hello messages on the failover link, the unit sends
interface hello messages on each interface, including the failover interface, to validate
whether or not the peer interface is responsive. The action that the ASA takes depends
upon the response from the other unit. The following are possible actions:

- If the ASA receives a response on the failover interface, then it does not fail over.

- If the ASA does not receive a response on the failover link, but it does receive a
response on another interface, then the unit does not fail over. The failover link is
marked as failed. You should restore the failover link as soon as possible because
the unit cannot fail over to the standby while the failover link is down.

- If the ASA does not receive a response on any interface, then the standby unit
switches to active mode and classifies the other unit as failed.

You can configure the frequency of the hello messages and the hold time before failover
occurs. A faster poll time and shorter hold time speed the detection of unit failures and
make failover occur more quickly, but it can also cause "false" failures due to network
congestion delaying the keepalive packets.
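The trade-off in the last paragraph is easiest to see by running the detection rules against a timeline. The script below is an added example, not Cisco code: a simplified model of one unit watching its peer, where hellos are expected on the failover link, the hold time decides when the peer is probed on every interface, and the three rules above decide what happens next. The congestion scenario is constructed: hellos arrive every second until t=2, a burst of congestion then delays the next hello (and any probe replies) until after t=6, and the same timeline is evaluated with a short and a long hold time. The rule that the hold time must be at least three times the poll time mirrors what the ASA enforces for the unit timers.

```python
"""Model ASA unit-failure detection and the false-failure trade-off (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailoverTimers:
    poll: float      # seconds between unit hellos on the failover link
    holdtime: float  # seconds without a hello before the peer is tested

    def __post_init__(self):
        # The ASA rejects a unit holdtime shorter than three poll intervals.
        if self.holdtime < 3 * self.poll:
            raise ValueError("holdtime must be at least 3 x poll")


def decide(failover_link_replied, other_interface_replies):
    """The three rules from the text, applied once the peer's hellos have stopped."""
    if failover_link_replied:
        return "no-failover"                # rule 1: peer answered on the failover link
    if any(other_interface_replies.values()):
        return "no-failover-link-failed"    # rule 2: peer alive; failover link marked failed
    return "peer-failed-take-over"          # rule 3: standby switches to active


def evaluate_peer(hello_arrivals, probe_replies, timers, now):
    """What this unit concludes about its peer at time `now`.

    hello_arrivals: times (seconds) hellos were received on the failover link.
    probe_replies:  {"failover": bool, "<iface>": bool, ...}: which interfaces the
                    peer answers on if probed at `now`.
    """
    seen = [t for t in hello_arrivals if t <= now]
    if seen and now - max(seen) < timers.holdtime:
        return "healthy"                    # still inside the hold time: no probing
    others = {name: ok for name, ok in probe_replies.items() if name != "failover"}
    return decide(probe_replies.get("failover", False), others)


def congestion_scenario(timers, now=6.0):
    """Constructed timeline: hellos at 0,1,2 s, then congestion delays the next one to 6.5 s.

    During the burst nothing gets through on any interface, so probes go unanswered.
    """
    hellos = [0.0, 1.0, 2.0, 6.5]
    probes = {"failover": False, "outside": False, "inside": False, "dmz": False}
    return evaluate_peer(hellos, probes, timers, now)


if __name__ == "__main__":
    print("poll 1s / hold 3s :", congestion_scenario(FailoverTimers(poll=1, holdtime=3)))
    print("poll 1s / hold 15s:", congestion_scenario(FailoverTimers(poll=1, holdtime=15)))
    print("link down, inside up:", decide(False, {"inside": True}))
```

With a 3-second hold time the unit probes at t=6, gets no reply on any interface during the congestion burst and declares the peer failed, even though its hello turns up half a second later; with the 15-second default the same burst is absorbed and the peer stays healthy.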

Now select the Criteria tab. From here we can configure and fine-tune the interface
polling frequency and what criteria would trigger a failover.

Let’s next select the MAC Addresses tab.


In Active/Standby failover, the MAC addresses for the primary unit are always associated
with the active IP addresses. If the secondary unit boots first and becomes active, it uses
the burned-in MAC address for its interfaces. When the primary unit comes online, the
secondary unit obtains the MAC addresses from the primary unit. The change can disrupt
network traffic.

You can configure virtual MAC addresses for each interface to ensure that the secondary
unit uses the correct MAC addresses when it is the active unit, even if it comes online
before the primary unit. If you do not specify virtual MAC addresses the failover pair
uses the burned-in NIC addresses as the MAC addresses.

You cannot configure a virtual MAC address for the failover or Stateful Failover links.
The MAC and IP addresses for those links do not change during failover.

Close the ASDM. We will now start with the failover test.


Exercise 7: Test Failover on the ASA Firewall


Goal: We will test the active/standby high availability configuration. From pc-outside,
we will establish a VPN session and connect to the FTP server in the DMZ. As we copy a
large 252 MB file, we will force a failover between the two ASA firewalls and observe
the VPN session and file transfer status.

From pc-inside, stagger the two ASA console sessions so that both are visible and issue
the show failover command on both ASA firewalls.

We see that the primary ASA is the Active unit and that the secondary is the Standby
unit.


From pc-outside, verify if the VPN session is still established (notice the lock icon in the
taskbar). If it is not, click Connect and provide johndoe/cisco123 as the
username/password when prompted.

Open a command prompt and ping the FTP server at 192.168.1.10 to verify connectivity.


Next open Internet Explorer and type ftp://192.168.1.10 in the Address bar and select the
FTP-file.cab file.


When prompted, click Save. Select the Desktop for the Save location.


While the 252 MB file is being copied to the desktop of pc-outside, return to the pc-
inside PC and issue the no failover active command from the primary ASA or failover
exec mate no failover active from the secondary ASA.

*****Caution*****
Typing only no failover tells the ASA not to participate in failover at all. This would
break the failover pair and cause the secondary ASA to become active and assume the
primary ASA's IP addresses. Because the primary ASA is still up, you would then get IP
address conflicts.

There is an alternative command to use on the secondary ASA which switches the
active role. From the secondary ASA, issue the failover exec mate no failover
active command. This is the safer command to send to the ASA.

The failover exec mate command tells the ASA that this command is for its failover
mate.

Both commands are displayed below; please use only one.


1- Using the no failover active on the primary ASA

OR

2- Using the failover exec mate no failover active command on the secondary ASA


Notice how this forces an immediate failover without a confirmation prompt. The
primary unit indicates that it is now in a standby state and that the secondary unit has
taken over the active role.

Let’s return to pc-outside and look at the FTP file transfer. We see that the VPN
connection is still established and the file copy is still going.


Let’s toggle between pc-outside, where the FTP file is being copied, and the pc-inside to
see the status of the ASA firewalls and their Active/Standby status.


We can see that the roles have reversed between the primary and secondary ASAs as far
as who is Active and who is in Standby mode.

We also see that the FTP file transfer never got interrupted and the VPN session never
got disconnected.


We next can see that the file transfer is now complete.


Returning to the console of the primary ASA firewall, issue the show failover command.
We can see the primary is now in Standby Ready mode. Issue show failover from the
console of the secondary ASA also.

We want to reset the primary ASA as the Active unit. This could be accomplished in two
ways as seen previously: we could console to the secondary ASA and issue the no
failover active command, or from the primary ASA console, issue the failover exec
mate no failover active command. If you recall from earlier, the failover exec mate
command is sending the command to the ASA’s mate, so if issued from the primary
ASA, then this command is sent to the secondary ASA.


Again, we can see the Active and Standby roles being switched between the two ASA
firewalls.


Exercise 8: Disaster Recovery Backup

It is always an excellent idea to back up the configuration data. ASDM has a backup
utility built-in that will create a ZIP file on your PC with the configuration and any other
data required to recover the ASA in a failure. This is also excellent data to present to the
customer as part of final documentation for the project along with the ASA activation
key.

From pc-inside, launch ASDM.


Type administrator/cisco123 as the username/password when prompted.

From ASDM, click Tools and select Backup Configurations from the drop-down menu.


This opens a Backup Configurations dialog box. Notice we have several options for what
we want to back up using this backup wizard. What is different between running a
backup using this tool as opposed to backing up your startup-config to a TFTP server?
What about SSL VPN configurations, how have you backed these up in the past? You
could select Backup All and this would grey out all the boxes and back up all your ASA
files and configs.


Let’s go ahead and select Backup All in the check box.


Let’s click the Browse Local… button and browse to the Desktop. Type ASA-backup in
the File name. Click Select File.


Click Backup.

We see the progress bar as all the selected items get backed up to the desktop.

Click Close when the backup finishes.

Now, what would happen if we selected to back up the CSD image or plug-ins but had
none of these on the flash?


We see below that we would get a Failure message that those items are not available.

Click OK.

On the desktop, we can now see the backed-up file, ASA-backup.zip.


Now we have a process to restore configs or any other relevant file to our ASA!

Congratulations. This completes the lab!


Appendix A: Answers to Exercise Questions

Q2.1: What version of code is running on this ASA? The ASA is running the 8.3(1)6
version of code.

Q2.2: How many SSL VPN Peers are licensed? The license is for 250 SSL VPN Peers.

Q2.3: How many UC Phone Proxy Sessions are licensed? There are 24 UC Phone
Proxy installed licenses.

Q2.4: Are there any time-based licenses? If so, which features? No, there is no time-
based license on this ASA.

Q2.5: Is the running activation key time-based or permanent? Only a permanent
license is installed on this ASA. We can see this because the licenses are perpetual.

Q2.6: What version of code is running on this ASA? The ASA is running the 8.3(1)6
version of code. We need identical version of code to enable high availability.

Q2.7: How many SSL VPN Peers are licensed? The license is for 250 SSL VPN
Peers.

Q2.8: How many UC Phone Proxy Sessions are licensed? There are 24 UC Phone
Proxy installed licenses.

Q2.9: Are there any time-based licenses? If so, which features? No, there is no time-
based license on this ASA.

Q2.10: Is the running activation key time-based or permanent? Only a permanent
license is installed on this ASA.

Q3.1: What is the serial number for your ASA? Answers will vary on each ASA.

Q3.2: What has changed on the licensing? We now have permanent and time based
licenses on this ASA.

Q3.3: Looking at the licensed features for this platform, how many SSL VPN Peers
licenses do we have? We still have 250 SSL VPN licenses.

Q3.4: How many UC Phone Proxy sessions? We now have 74 UC Phone Proxy
licenses (24 permanent plus 50 time-based).


Q3.5: Are there any time-based licenses, if so, which feature? There are now several
time-based licenses, including Botnet Traffic Filter, SSL VPN Peers, and Intercompany
Media Engine.

Q3.6: How many days are left? This answer will vary.

Q3.7: Looking at the licensed features for this platform, how many SSL VPN Peers
licenses do we have? There are 250 SSL VPN Peers licenses.

Q3.8: How many UC Phone Proxy sessions? We now have 74 UC Phone Proxy
sessions licenses.

Q3.9: Are there any time based licenses, if so, which feature? There are now several
time based licenses, including Botnet Traffic Filter, SSL VPN Peers, and Intercompany
Media Engine.

Q3.10: How many days are left? This answer will vary.

Q4.1: How many unused and available interfaces do we have? We have two
available unused interfaces.

Q4.2: Looking at the output of our command, what has changed? The ASA license
has changed because it is aggregating the licenses from the secondary ASA up to the
platform’s maximum capacity.

Q4.3: How many days are left for the time-based licensed features? Answer will
vary but it will aggregate the numbers of the primary and secondary ASA.

Q4.4: How many UC Phone Proxy Sessions licenses are available? There are 100 UC
Phone Proxy session licenses, which is the maximum for an ASA 5510. Each ASA had 24
permanent and 50 time-based UC Phone Proxy licenses; the cumulative total of 148
exceeds 100, so the ASA caps the combined license at 100.

Q4.5: Are any feature licenses exceeding the platform’s capacity? Yes, the SSL VPN
Peers and the UC Phone Proxy sessions now exceed the platform’s maximum capacity.

Q4.6: Looking at the output of the show version command, what has changed? By
deactivating one of the ASA firewall’s time-based licenses, we are decrementing that
value from the high availability cluster’s running license configuration.

Q4.7: How many days are left for the time-based licensed features? This answer will
vary, but the combined duration drops by the days the deactivated time-based license
contributed.

Q4.8: How many UC Phone Proxy Sessions licenses are available? After deactivating
one of the time-based licenses, the total is the 24 permanent licenses from each ASA
plus the 50 time-based licenses still active on the other ASA, which makes 98.


Q4.9: Are any feature licenses exceeding the platform’s capacity? Yes, the SSL VPN
Peers is exceeding the ASA 5510 maximum capacity and gets capped at 250.


Appendix B: Final ASA Configuration

Primary ASA

ASA Version 8.3(1)6


hostname asa-lab
domain-name inside.local
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description Interface_2_Internet
nameif outside
security-level 0
ip address 192.0.0.254 255.255.255.0 standby 192.0.0.253
interface Ethernet0/1
description Interface_2_InsideLAN
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253
interface Ethernet0/2
description Interface_2_DMZ
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
interface Ethernet0/3
description STATE Failover Interface
interface Management0/0
description LAN Failover Interface
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name inside.local
object network InsideLAN
subnet 10.0.0.0 255.0.0.0
description Inside-10-Network
object network Outside_PAT_Address
host 192.0.0.252
description Address_2_PAT_InsideLAN
object network Email_NAT_IP_Address
host 192.0.0.250
description NAT-Address-4-EmailServer
object network Email_server
host 10.0.2.100
description Inside_email_server
object network DMZ_server
host 192.168.1.10
description DMZ_Web_Server
object network Web_NAT_IP_Address
host 192.0.0.251
description NAT-Address-4-WebServer
object network VPN-IP-Pool
subnet 10.1.1.0 255.255.255.192
object network DMZnetwork
subnet 192.168.1.0 255.255.255.0
description DMZ network
access-list outside_access_in remark ACE to allow SMTP traffic to the email server
access-list outside_access_in extended permit tcp any object Email_server eq smtp
access-list outside_access_in remark ACE to allow HTTP traffic to the web server
access-list outside_access_in extended permit tcp any object DMZ_server eq www
access-list outside_access_in extended permit tcp any object DMZ_server eq ftp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool inside-ipsec-vpn-pool 10.1.1.1-10.1.1.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Management0/0
failover replication http
failover link state Ethernet0/3
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2
failover interface ip state 192.168.60.5 255.255.255.252 standby 192.168.60.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static InsideLAN InsideLAN destination static VPN-IP-Pool VPN-IP-Pool
nat (dmz,outside) source static DMZnetwork DMZnetwork destination static VPN-IP-Pool VPN-IP-Pool
object network Email_server
nat (inside,outside) static Email_NAT_IP_Address
object network DMZ_server
nat (dmz,outside) static Web_NAT_IP_Address
nat (inside,outside) after-auto source dynamic InsideLAN Outside_PAT_Address
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-server protocol ldap
aaa-server AD-server (inside) host 10.0.2.10
ldap-base-dn dc=inside,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
tls-proxy maximum-session 125
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy inside-ipsec-tunnelgroup internal
group-policy inside-ipsec-tunnelgroup attributes
wins-server value 10.0.2.10
dns-server value 10.0.2.10
vpn-tunnel-protocol IPSec
default-domain value inside.local
username administrator password e1z89R3cZe9Kt6Ib encrypted privilege 15
username janedoe password 6r/4Scprwy80gY.x encrypted privilege 0
username janedoe attributes
vpn-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup type remote-access
tunnel-group inside-ipsec-tunnelgroup general-attributes
address-pool inside-ipsec-vpn-pool
authentication-server-group AD-server
default-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home
contact-email-addr johndoe@inside.local
contact-name JohnDoe
contract-id 123456789
customer-id 145689
phone-number 1-234-567-8901
sender from johndoe@inside.local
sender reply-to secops@inside.local
site-id 1
street-address 123 ABC street, Nowherville, ZX
mail-server 10.0.2.100 priority 1
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile Inside
destination address email johndoe@inside.local
destination transport-method email
subscribe-to-alert-group configuration export full
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Secondary ASA

ASA Version 8.3(1)6


hostname asa-lab
domain-name inside.local
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description Interface_2_Internet
nameif outside
security-level 0
ip address 192.0.0.254 255.255.255.0 standby 192.0.0.253
interface Ethernet0/1
description Interface_2_InsideLAN
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253
interface Ethernet0/2
description Interface_2_DMZ
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
interface Ethernet0/3
description STATE Failover Interface
interface Management0/0
description LAN Failover Interface
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name inside.local
object network InsideLAN
subnet 10.0.0.0 255.0.0.0
description Inside-10-Network
object network Outside_PAT_Address
host 192.0.0.252
description Address_2_PAT_InsideLAN
object network Email_NAT_IP_Address
host 192.0.0.250
description NAT-Address-4-EmailServer
object network Email_server
host 10.0.2.100
description Inside_email_server
object network DMZ_server
host 192.168.1.10
description DMZ_Web_Server
object network Web_NAT_IP_Address
host 192.0.0.251
description NAT-Address-4-WebServer
object network VPN-IP-Pool
subnet 10.1.1.0 255.255.255.192
object network DMZnetwork
subnet 192.168.1.0 255.255.255.0
description DMZ network
access-list outside_access_in remark ACE to allow SMTP traffic to the email server
access-list outside_access_in extended permit tcp any object Email_server eq smtp
access-list outside_access_in remark ACE to allow HTTP traffic to the web server
access-list outside_access_in extended permit tcp any object DMZ_server eq www
access-list outside_access_in extended permit tcp any object DMZ_server eq ftp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool inside-ipsec-vpn-pool 10.1.1.1-10.1.1.50 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover replication http
failover link state Ethernet0/3
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2
failover interface ip state 192.168.60.5 255.255.255.252 standby 192.168.60.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static InsideLAN InsideLAN destination static VPN-IP-Pool VPN-IP-Pool
nat (dmz,outside) source static DMZnetwork DMZnetwork destination static VPN-IP-Pool VPN-IP-Pool
object network Email_server
nat (inside,outside) static Email_NAT_IP_Address
object network DMZ_server
nat (dmz,outside) static Web_NAT_IP_Address
nat (inside,outside) after-auto source dynamic InsideLAN Outside_PAT_Address
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-server protocol ldap
aaa-server AD-server (inside) host 10.0.2.10
ldap-base-dn dc=inside,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
tls-proxy maximum-session 125
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy inside-ipsec-tunnelgroup internal
group-policy inside-ipsec-tunnelgroup attributes
wins-server value 10.0.2.10
dns-server value 10.0.2.10
vpn-tunnel-protocol IPSec
default-domain value inside.local
username administrator password e1z89R3cZe9Kt6Ib encrypted privilege 15
username janedoe password 6r/4Scprwy80gY.x encrypted privilege 0
username janedoe attributes
vpn-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup type remote-access
tunnel-group inside-ipsec-tunnelgroup general-attributes
address-pool inside-ipsec-vpn-pool
authentication-server-group AD-server
default-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home
contact-email-addr johndoe@inside.local
contact-name JohnDoe
contract-id 123456789
customer-id 145689
phone-number 1-234-567-8901
sender from johndoe@inside.local
sender reply-to secops@inside.local
site-id 1
street-address 123 ABC street, Nowherville, ZX
mail-server 10.0.2.100 priority 1
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile Inside
destination address email johndoe@inside.local
destination transport-method email
subscribe-to-alert-group configuration export full
Cryptochecksum:8e5f36d3b1c824e98f514e91f25e9e40
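Before signing off on an active/standby pair, two checks are worth scripting against the two configurations above: that the peers have not drifted apart beyond the lines that are supposed to differ (the unit role and the checksum), and that the settings the pair will replicate are ones you actually want in production. The script below is an added example and is not part of the lab guide or of any Cisco tooling. Its input is a constructed excerpt of the Appendix B configs, trimmed to the failover, AAA, crypto and management lines and re-indented with the single leading space that "show running-config" uses for sub-commands; the primary's "failover lan unit primary" line is assumed, since it does not appear in this section. The function names (parse, peer_diff, lint) and the finding texts are the example's own.

```python
import re

# Constructed excerpt of the Appendix B primary config (trimmed, re-indented).
# "failover lan unit primary" is assumed; it is not shown in Appendix B here.
PRIMARY_CFG = """\
hostname asa-lab
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link state Ethernet0/3
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2
failover interface ip state 192.168.60.5 255.255.255.252 standby 192.168.60.6
aaa-server AD-server (inside) host 10.0.2.10
 ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
telnet 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
webvpn
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
"""

# The secondary mirrors the primary except for the unit role, the checksum and
# the bare "webvpn" line, which Appendix B shows only on the primary.
SECONDARY_CFG = (
    PRIMARY_CFG.replace("failover lan unit primary", "failover lan unit secondary")
    .replace("webvpn\n", "")
    .replace("d41d8cd98f00b204e9800998ecf8427e", "8e5f36d3b1c824e98f514e91f25e9e40")
)

# Lines that legitimately differ between failover peers.
PEER_SPECIFIC = re.compile(r"^(failover lan unit |Cryptochecksum:)")

# (regex over the flattened "parent > child" line, finding text)
WEAK_SETTINGS = [
    (r"^crypto ipsec transform-set \S+ esp-des\b", "single-DES ESP transform set"),
    (r"^crypto ipsec transform-set \S+ esp-3des\b", "3DES ESP transform set"),
    (r"^crypto ipsec transform-set .* esp-md5-hmac$", "MD5 ESP integrity"),
    (r"set pfs group1$", "PFS with 768-bit DH group 1"),
    (r"^crypto isakmp policy \d+ > encryption (des|3des)$", "IKE policy negotiates DES/3DES"),
    (r"^crypto isakmp policy \d+ > group 1$", "IKE policy allows DH group 1"),
    (r"^telnet \S+ \S+ \S+$", "Telnet management enabled (cleartext logins)"),
    (r"> ldap-login-dn cn=administrator,", "LDAP bind uses the domain Administrator account"),
]


def parse(cfg):
    """Flatten a config into 'parent > child' strings; skip blanks, ':' and '!' lines."""
    entries, parent = [], None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith((":", "!")):
            continue
        if raw.startswith(" ") and parent is not None:
            entries.append(f"{parent} > {raw.strip()}")
        else:
            parent = raw.strip()
            entries.append(parent)
    return entries


def peer_diff(primary, secondary):
    """Config drift between peers, ignoring the lines that are expected to differ."""
    a = {e for e in parse(primary) if not PEER_SPECIFIC.match(e)}
    b = {e for e in parse(secondary) if not PEER_SPECIFIC.match(e)}
    return sorted(a - b), sorted(b - a)


def lint(cfg):
    """Return (line, finding) pairs for weak crypto and cleartext management paths."""
    entries = parse(cfg)
    findings = [(e, msg) for e in entries for pat, msg in WEAK_SETTINGS if re.search(pat, e)]
    # Without "failover key", the failover and state links carry everything,
    # including the replicated config and its pre-shared keys, in clear text.
    if "failover" in entries and not any(e.startswith("failover key") for e in entries):
        findings.append(("failover", "no 'failover key': failover/state link traffic "
                         "(replicated config, pre-shared keys) is sent in clear text"))
    return findings


if __name__ == "__main__":
    only_primary, only_secondary = peer_diff(PRIMARY_CFG, SECONDARY_CFG)
    print("only on primary:  ", only_primary)
    print("only on secondary:", only_secondary)
    for line, msg in lint(PRIMARY_CFG):
        print(f"{msg}: {line}")
```

Run against the excerpt, peer_diff reports the stray "webvpn" line as the only drift, and lint flags the DES/3DES and MD5 transform sets, PFS group 1, the 3DES IKE policy, Telnet on the inside interface, the Administrator bind DN and the missing failover key. In a real deployment, feed it the output of "show running-config" from each unit rather than the excerpt; because the standby replicates the active unit's configuration, fixing a finding on the active unit fixes it on both.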
