CCIE Security lab: HQ ASAs - failover and stuff


Starting to make some headway now. In the previous post the LAN was set up within the HQ, and now we need to get the LAN talking to the WAN.

The HQ ASAs will be set up as a failover pair. We will also add an interface for VLAN 1 on the switches and set up a static route to the ASAs. Then we will set up NAT and see how far we can get in the topology.

Failover

First of all, let's set up LON-FW1:
hostname LON-FW1
int e0
ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
nameif outside
int e1
ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
nameif inside
int e3
ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
nameif fover
route outside 0 0 163.4.4.1
exit
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit pri
failover replication http
failover lan interface fover e3
failover key cisco
failover
We don't need to add much to LON-FW2, pretty much just the failover configuration. However, if you do add things, such as setting the hostname to LON-FW2, it will be easier to see that failover is working correctly.
ciscoasa(config)# hostn LON-FW2
LON-FW2(config)# int e0
LON-FW2(config-if)# ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
LON-FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# int e1
LON-FW2(config-if)# ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
LON-FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# 
LON-FW2(config-if)# int e3
LON-FW2(config-if)# no sh
LON-FW2(config-if)# nameif fover
INFO: Security level for "fover" set to 0 by default.
LON-FW2(config-if)# exi
LON-FW2(config)# failover link fover
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
LON-FW2(config)# failover interface ip fover 10.1.55.1 255.255.255.0 standby 1.1.55.2
LON-FW2(config)# failover lan unit sec
LON-FW2(config)# failover replication http
LON-FW2(config)# failover key cisco
LON-FW2(config)# failover
LON-FW2(config)# failover lan interface fover e3
LON-FW2(config)# ..

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access 
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

LON-FW1(config)# end
LON-FW1# sh interface ip brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  163.4.4.252     YES CONFIG up                    up  
Ethernet1                  10.1.1.252      YES CONFIG up                    up  
Ethernet2                  unassigned      YES unset  administratively down up  
Ethernet3                  10.1.55.2       YES unset  up                    up  
LON-FW1#
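A quick sanity check for the addresses above, added here as an example and not part of the post's configuration: it parses the `ip add ... standby` and `failover interface ip` lines and flags a standby address that is outside the active address's subnet or identical to it, and it confirms that the failover link line is identical on both units. The samples are constructed from the lines typed on LON-FW1 and LON-FW2 above (compare the standby address on LON-FW2's failover line).

```python
import ipaddress
import re

# Constructed samples taken from this page: LON-FW1's failover link as typed,
# and LON-FW2's "failover interface ip" line with the standby address as typed there.
FW1_CFG = """\
int e3
ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
nameif fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
"""
FW2_CFG = "failover interface ip fover 10.1.55.1 255.255.255.0 standby 1.1.55.2\n"

# Matches "ip add[ress] A M standby S" under an interface, and
# "failover interface ip NAME A M standby S" at global level.
ADDR_RE = re.compile(
    r"^(?:ip\s+add\S*|failover\s+interface\s+ip\s+(?P<fo>\S+))\s+"
    r"(?P<active>\S+)\s+(?P<mask>\S+)\s+standby\s+(?P<standby>\S+)$"
)

def check_standby_pairs(config):
    """Return problems found: a standby address outside the active subnet,
    or equal to the active address. An empty list means every pair is sane."""
    problems, iface = [], "?"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("int "):
            iface = line.split()[1]          # remember which interface we are under
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue
        name = m["fo"] or iface              # failover lines carry their own nameif
        net = ipaddress.ip_network(f"{m['active']}/{m['mask']}", strict=False)
        standby = ipaddress.ip_address(m["standby"])
        if standby not in net:
            problems.append(f"{name}: standby {standby} is not in {net}")
        elif m["standby"] == m["active"]:
            problems.append(f"{name}: standby equals active {standby}")
    return problems

def failover_ip_lines_match(primary, secondary):
    """The 'failover interface ip' line must be identical on both units;
    a mismatch is a common reason a pair never forms correctly."""
    pick = lambda cfg: {l.strip() for l in cfg.splitlines()
                        if l.strip().startswith("failover interface ip")}
    return pick(primary) == pick(secondary)
```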

A bit of housekeeping

A couple of housekeeping bits now. We need to get some routing from the switches to the firewalls:
SW1(config)#int vlan 1
SW1(config-if)#ip add 10.1.1.3 255.255.255.0
SW1(config-if)#standby 1 ip 10.1.1.1 
SW1(config-if)#standby 1 pre delay min 60
SW1(config-if)#standby 1 pri 110
SW1(config-if)#
SW1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

SW2(config)#int vlan 1
SW2(config-if)#ip add 10.1.1.2 255.255.255.0
SW2(config-if)#standby 1 ip 10.1.1.1 
SW2(config-if)#standby 1 pre delay min 60
SW2(config-if)#standby 1 pri 90
SW2(config-if)#no sh
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
SW2(config)#
SW2(config)#int ran gi 1/1 - 3
SW2(config-if-range)#swi mo acc
SW2(config-if-range)#swi acc vl 4
SW2(config-if-range)#no sh
SW2(config-if-range)#

SW4(config)#int ra gi1/2 - 3
SW4(config-if-range)#swi mo acc
SW4(config-if-range)#swi acc vl 4
SW4(config-if-range)# 
We also need to set up the switch above the firewalls, and add a little something for the ASAs to talk to:
Switch(config)#ho LON-SW
LON-SW(config)#int ra gi 0/0 - 2
LON-SW(config-if-range)#no sh
LON-SW(config-if-range)#swi mo acc
LON-SW(config-if-range)#swi acc vl 1
LON-SW(config-if-range)#

LON1(config)#int lo1
LON1(config-if)#ip vrf for 802101
% Interface Loopback1 IPv4 disabled and address(es) removed due to disabling VRF 802101
LON1(config-if)#ip add 31.32.33.34 255.255.255.255
LON1(config-if)#

LON-FW1# ping outside 31.32.33.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.32.33.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LON-FW1# 
I added this because the other devices are currently turned off; we don't really need them at the moment, but we do need to set up NAT on the firewalls so that the LAN can talk to the WAN.

NAT

LON-FW1(config)# object-group network INSIDE-NAT-SUBNETS
LON-FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.4.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.9.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.20.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.21.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.99.0 255.255.255.0
LON-FW1(config-network-object-group)# exi
LON-FW1(config)# nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUB$
LON-FW1(config)# route inside 10.1.0.0 255.255.0.0 10.1.1.1
LON-FW1(config)# 
LON-FW1(config)# access-list outside->in extended permit ip any any 
LON-FW1(config)# access-list outside->in extended permit icmp any any 
LON-FW1(config)# access-group outside->in in interface outside 
LON-FW1(config)# 
LON-FW1(config)# end
LON-FW1# sh run | i nat
LON-FW1# 
Note that I have not included the 10.1.55.0/24 network. We don't really need it on the switches anyway, and it kinda messes with the whole IP addressing scheme. But there we go.
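A small audit for the access-list above, added here as an example and not part of the post's configuration: it finds access-list rules that permit any source to any destination and reports only the ACLs actually bound with `access-group`, which is how you would spot that `outside->in` admits everything arriving on the outside interface (a lab shortcut, not an edge policy). The sample is constructed from the three lines entered on LON-FW1 above.

```python
import re

# Constructed sample: the access-list and access-group lines entered on LON-FW1
# in this post, as typed.
FW1_ACL_CFG = """\
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-group outside->in in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}   # tokens to skip

def _take_addr(tokens):
    """Consume one ASA address spec (any*, 'host A', 'object-group G' or
    'NET MASK'), skip a trailing port qualifier, return (spec, remaining)."""
    if not tokens:
        return "", []
    if tokens[0] in ANY:
        spec, rest = tokens[0], tokens[1:]
    else:
        spec, rest = " ".join(tokens[:2]), tokens[2:]
    if rest and rest[0] in PORT_OPS:
        rest = rest[PORT_OPS[rest[0]]:]
    return spec, rest

def find_any_any_permits(config):
    """Return 'ACL (direction on interface): rule' for each permit whose source
    and destination are both any, counting only ACLs bound with access-group."""
    rules, bindings = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, _proto, rest = m.groups()
            src, rest = _take_addr(rest.split())
            dst, _ = _take_addr(rest)
            rules.setdefault(name, []).append((action, src, dst, line))
        elif m := GROUP_RE.match(line):
            bindings.append(m.groups())
    findings = []
    for name, direction, iface in bindings:
        for action, src, dst, line in rules.get(name, []):
            if action == "permit" and src in ANY and dst in ANY:
                findings.append(f"{name} ({direction} on {iface}): {line}")
    return findings
```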

It is working:
ISE14/admin# ping 31.32.33.34
PING 31.32.33.34 (31.32.33.34) 56(84) bytes of data.
64 bytes from 31.32.33.34: icmp_seq=1 ttl=254 time=19.2 ms
64 bytes from 31.32.33.34: icmp_seq=2 ttl=254 time=20.4 ms
64 bytes from 31.32.33.34: icmp_seq=3 ttl=254 time=19.0 ms
64 bytes from 31.32.33.34: icmp_seq=4 ttl=254 time=14.4 ms

--- 31.32.33.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3019ms
rtt min/avg/max/mdev = 14.425/18.296/20.445/2.300 ms

ISE14/admin#
This is from a Windows host in VLAN 4:
So the firewalls are set up in Active/Standby HA, we have NAT working, and our inside hosts can talk to devices beyond the firewalls.

The new switch has arrived, so I can start to play around with that. I'll need to set up UNL to use a separate NIC for this, and that will be in a later post. Till then, it's really starting to take shape!

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
