Starting to make some headway now. In the previous post the LAN was set up within the HQ, and now we need to get the LAN talking to the WAN.
The HQ ASAs will be set up as a failover pair. We will also add an interface for VLAN 1 to the switches and set up a static route to the ASAs. Then we will set up NAT and see how far we can get in the topology.
Failover
First of all, let's set up LON-FW1:

hostname LON-FW1
int e0
ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
nameif outside
int e1
ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
nameif inside
int e3
ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
nameif fover
route outside 0 0 163.4.4.1
exit
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit pri
failover replication http
failover lan interface fover e3
failover key cisco
failover

We don't need to add much to LON-FW2, pretty much just the failover configuration. However... if you do add things, such as setting the hostname to LON-FW2, then it will be easier to see that failover is working correctly.
ciscoasa(config)# hostn LON-FW2
LON-FW2(config)# int e0
LON-FW2(config-if)# ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
LON-FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LON-FW2(config-if)#
LON-FW2(config-if)# int e1
LON-FW2(config-if)# ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
LON-FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LON-FW2(config-if)#
LON-FW2(config-if)#
LON-FW2(config-if)# int e3
LON-FW2(config-if)# no sh
LON-FW2(config-if)# nameif fover
INFO: Security level for "fover" set to 0 by default.
LON-FW2(config-if)# exi
LON-FW2(config)# failover link fover
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
LON-FW2(config)# failover interface ip fover 10.1.55.1 255.255.255.0 standby 1.1.55.2
LON-FW2(config)# failover lan unit sec
LON-FW2(config)# failover replication http
LON-FW2(config)# failover key cisco
LON-FW2(config)# failover
LON-FW2(config)# failover lan interface fover e3
LON-FW2(config)# ..
Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.
LON-FW1(config)# end
LON-FW1# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 163.4.4.252 YES CONFIG up up
Ethernet1 10.1.1.252 YES CONFIG up up
Ethernet2 unassigned YES unset administratively down up
Ethernet3 10.1.55.2 YES unset up up
LON-FW1#
A bit of housekeeping
A couple of housekeeping bits now. We need to get some routing from the switches to the firewalls:

SW1(config)#int vlan 1
SW1(config-if)#ip add 10.1.1.3 255.255.255.0
SW1(config-if)#standby 1 ip 10.1.1.1
SW1(config-if)#standby 1 pre delay min 60
SW1(config-if)#standby 1 pri 110
SW1(config-if)#
SW1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

SW2(config)#int vlan 1
SW2(config-if)#ip add 10.1.1.2 255.255.255.0
SW2(config-if)#standby 1 ip 10.1.1.1
SW2(config-if)#standby 1 pre delay min 60
SW2(config-if)#standby 1 pri 90
SW2(config-if)#no sh
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
SW2(config)#
SW2(config)#int ran gi 1/1 - 3
SW2(config-if-range)#swi mo acc
SW2(config-if-range)#swi acc vl 4
SW2(config-if-range)#no sh
SW2(config-if-range)#

SW4(config)#int ra gi1/2 - 3
SW4(config-if-range)#swi mo acc
SW4(config-if-range)#swi acc vl 4
SW4(config-if-range)#

We also need to set up the switch above the firewalls, and add a little something for the ASAs to talk to:
Switch(config)#ho LON-SW
LON-SW(config)#int ra gi 0/0 - 2
LON-SW(config-if-range)#no sh
LON-SW(config-if-range)#swi mo acc
LON-SW(config-if-range)#swi acc vl 1
LON-SW(config-if-range)#

LON1(config)#int lo1
LON1(config-if)#ip vrf for 802101
% Interface Loopback1 IPv4 disabled and address(es) removed due to disabling VRF 802101
LON1(config-if)#ip add 31.32.33.34 255.255.255.255
LON1(config-if)#

LON-FW1# ping outside 31.32.33.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.32.33.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LON-FW1#

I added this loopback because the other devices are currently turned off; we don't really need them at the moment, but we do need to set up NAT on the firewalls so that the LAN can talk to the WAN.
NAT
LON-FW1(config)# object-group network INSIDE-NAT-SUBNETS
LON-FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.4.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.9.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.20.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.21.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.99.0 255.255.255.0
LON-FW1(config-network-object-group)# exi
LON-FW1(config)# nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUB$
LON-FW1(config)# route inside 10.1.0.0 255.255.0.0 10.1.1.1
LON-FW1(config)#
LON-FW1(config)# access-list outside->in extended permit ip any any
LON-FW1(config)# access-list outside->in extended permit icmp any any
LON-FW1(config)# access-group outside->in in interface outside
LON-FW1(config)#
LON-FW1(config)# end
LON-FW1# sh run | i nat
LON-FW1#

Note that I have not included the 10.1.55.0/24 network; really we don't even need this on the switches, and it's kinda messed with the whole IP addressing thing anyway. But there we go.
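Two things in the Failover and NAT sections above are worth checking mechanically rather than by eye: that every named interface on the pair carries a standby address and the failover link has a key and sensible addresses, and what the outside->in ACL actually lets in (here it permits ip any any inbound, which is fine while the lab is still being built but is exactly the line an audit should shout about). The script below is an added example, not configuration from this post and not a Cisco tool. It parses a show running-config style excerpt and reports those problems. The sample config is constructed from the LON-FW1 commands above, and the parse_config and audit functions, the check names and the messages are my own.

```python
# Added example: audit an ASA running-config excerpt for failover and outside-ACL hygiene.
# Not the post's own config and not a Cisco tool; the checks and messages are assumptions.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the LON-FW1 commands in the post, written the way
# 'show running-config' prints them (the ASA masks the failover key as *****).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 163.4.4.254 255.255.255.0 standby 163.4.4.252
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.252
failover
failover lan interface fover Ethernet3
failover key *****
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-group outside->in in interface outside
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")
FO_IP_RE = re.compile(r"^failover interface ip \S+ (\S+) (\S+) standby (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


@dataclass
class Interface:
    name: str
    nameif: str | None = None
    security_level: int | None = None
    ip: str | None = None
    standby: str | None = None


@dataclass
class AsaConfig:
    interfaces: dict[str, Interface] = field(default_factory=dict)
    failover_enabled: bool = False
    failover_key: bool = False
    failover_ip: tuple[str, str, str] | None = None  # (active ip, mask, standby ip)
    acls: dict[str, list[str]] = field(default_factory=dict)  # ACL name -> ACEs
    access_groups: list[tuple[str, str, str]] = field(default_factory=list)  # (acl, dir, nameif)


def parse_config(text: str) -> AsaConfig:
    # One pass over the text; indented lines belong to the current interface block.
    cfg, current = AsaConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(name=line.split(maxsplit=1)[1])
            cfg.interfaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            if line.startswith("nameif "):
                current.nameif = line.split()[1]
            elif line.startswith("security-level "):
                current.security_level = int(line.split()[1])
            elif m := IP_RE.match(line):
                current.ip, current.standby = m.group(1), m.group(3)
        else:
            current = None  # back at global configuration level
            if line == "failover":
                cfg.failover_enabled = True
            elif line.startswith("failover key"):
                cfg.failover_key = True
            elif m := FO_IP_RE.match(line):
                cfg.failover_ip = (m.group(1), m.group(2), m.group(3))
            elif m := ACL_RE.match(line):
                cfg.acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := AG_RE.match(line):
                cfg.access_groups.append((m.group(1), m.group(2), m.group(3)))
    return cfg


def audit(cfg: AsaConfig) -> list[str]:
    # One finding per problem; an empty list means every check passed.
    findings: list[str] = []
    if cfg.failover_enabled and not cfg.failover_key:
        findings.append("failover enabled without 'failover key': failover traffic is unauthenticated")
    if cfg.failover_ip:
        ip, mask, standby = cfg.failover_ip
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"failover standby {standby} is not in {net}: check the failover interface ip line for a typo")
    for i in cfg.interfaces.values():
        if i.nameif and i.ip and not i.standby:
            findings.append(f"{i.name} ({i.nameif}) has no standby address: the standby unit cannot monitor it")
    outside = {i.nameif for i in cfg.interfaces.values() if i.security_level == 0}
    for acl, direction, nameif in cfg.access_groups:
        if direction == "in" and nameif in outside:
            for ace in cfg.acls.get(acl, []):
                if re.fullmatch(r"permit ip any4? any4?", ace):
                    findings.append(f"ACL {acl} inbound on {nameif} has '{ace}': everything from outside is let in")
    return findings
```

Run audit(parse_config(SAMPLE_CONFIG)) and the only finding is the permissive ACL; drop the failover key line, remove a standby address, or mistype the failover standby address the way the LON-FW2 transcript above does (1.1.55.2 instead of 10.1.55.2) and each shows up as a separate line. The ASA overwrites the secondary's copy of that line during replication, so the mistake is harmless on the standby unit, but the same typo on the primary would not be.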
It is working:
ISE14/admin# ping 31.32.33.34
PING 31.32.33.34 (31.32.33.34) 56(84) bytes of data.
64 bytes from 31.32.33.34: icmp_seq=1 ttl=254 time=19.2 ms
64 bytes from 31.32.33.34: icmp_seq=2 ttl=254 time=20.4 ms
64 bytes from 31.32.33.34: icmp_seq=3 ttl=254 time=19.0 ms
64 bytes from 31.32.33.34: icmp_seq=4 ttl=254 time=14.4 ms

--- 31.32.33.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3019ms
rtt min/avg/max/mdev = 14.425/18.296/20.445/2.300 ms
ISE14/admin#

This is from a Windows host in VLAN 4:
So the firewalls are set up in Active/Standby HA, NAT is working, and our inside hosts can talk to devices beyond the firewalls.
The new switch has arrived, so I can start to play around with that. I'll need to set up UNL to use a separate NIC for this, and that will be in a later post. Till then, it's really starting to take shape!
