Starting to make some headway now. In the previous post the LAN was set up within the HQ, and now we need to get the LAN talking to the WAN.
The HQ ASAs will be set up as an Active/Standby failover pair. We will also add an interface for VLAN 1 to the switches and set up a static default route to the ASAs. Then we will set up NAT and see how far we can get in the topology.
Failover
First of all, let's set up LON-FW1. The outside and inside interfaces each get an active address plus a standby address (the standby unit uses the standby address until it takes over), and e3 becomes the failover link:

hostname LON-FW1
int e0
 ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
 nameif outside
int e1
 ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
 nameif inside
int e3
 ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
 nameif fover
route outside 0 0 163.4.4.1
exit
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit pri
failover replication http
failover lan interface fover e3
failover key cisco
failover

The failover key is what stops the failover link carrying the configuration and connection state in clear text. cisco is a lab value; in production use a real secret and keep the failover interface on its own segment, because configuration replication includes passwords and any VPN pre-shared keys.

We don't need to add much to LON-FW2, pretty much just the failover configuration. However, if you do add things, such as setting the hostname to LON-FW2, it is easier to see that failover is working: the hostname is replicated from the active unit, so the secondary's prompt flips to LON-FW1 as soon as the configuration sync completes.
ciscoasa(config)# hostn LON-FW2
LON-FW2(config)# int e0
LON-FW2(config-if)# ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
LON-FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LON-FW2(config-if)# int e1
LON-FW2(config-if)# ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
LON-FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LON-FW2(config-if)# int e3
LON-FW2(config-if)# no sh
LON-FW2(config-if)# nameif fover
INFO: Security level for "fover" set to 0 by default.
LON-FW2(config-if)# exi
LON-FW2(config)# failover link fover
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
LON-FW2(config)# failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
LON-FW2(config)# failover lan unit sec
LON-FW2(config)# failover replication http
LON-FW2(config)# failover key cisco
LON-FW2(config)# failover
LON-FW2(config)# failover lan interface fover e3
LON-FW2(config)# ..
Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.
LON-FW1(config)# end
LON-FW1# sh interface ip brief
Interface   IP-Address    OK? Method Status                Protocol
Ethernet0   163.4.4.252   YES CONFIG up                    up
Ethernet1   10.1.1.252    YES CONFIG up                    up
Ethernet2   unassigned    YES unset  administratively down up
Ethernet3   10.1.55.2     YES unset  up                    up
LON-FW1#

Two things in that output confirm the pair is working: the prompt now reads LON-FW1 even though this unit was given the hostname LON-FW2, because the hostname was replicated from the active mate, and the secondary is holding the standby addresses (163.4.4.252, 10.1.1.252 and 10.1.55.2) on every interface.
A bit of housekeeping
A couple of housekeeping bits now. We need to get some routing from the switches to the firewalls: an SVI for VLAN 1 on SW1 and SW2, HSRP between them with 10.1.1.1 as the virtual address, and a default route pointing at the ASAs' active inside address:

SW1(config)#int vlan 1
SW1(config-if)#ip add 10.1.1.3 255.255.255.0
SW1(config-if)#standby 1 ip 10.1.1.1
SW1(config-if)#standby 1 pre delay min 60
SW1(config-if)#standby 1 pri 110
SW1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

SW2(config)#int vlan 1
SW2(config-if)#ip add 10.1.1.2 255.255.255.0
SW2(config-if)#standby 1 ip 10.1.1.1
SW2(config-if)#standby 1 pre delay min 60
SW2(config-if)#standby 1 pri 90
SW2(config-if)#no sh
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
SW2(config)#int ran gi 1/1 - 3
SW2(config-if-range)#swi mo acc
SW2(config-if-range)#swi acc vl 4
SW2(config-if-range)#no sh

SW4(config)#int ra gi1/2 - 3
SW4(config-if-range)#swi mo acc
SW4(config-if-range)#swi acc vl 4

Note which addresses are used on each side: the switches point their default route at 10.1.1.254, the ASA inside address that moves with the active unit on failover, and the ASA's inside route (added below with the NAT) points back at the HSRP virtual address 10.1.1.1. A failure on either side therefore needs no reconfiguration on the other.

We also need to set up the switch above the firewalls, and add a little something for the ASAs to talk to:
Switch(config)#ho LON-SW
LON-SW(config)#int ra gi 0/0 - 2
LON-SW(config-if-range)#no sh
LON-SW(config-if-range)#swi mo acc
LON-SW(config-if-range)#swi acc vl 1

LON1(config)#int lo1
LON1(config-if)#ip vrf for 802101
% Interface Loopback1 IPv4 disabled and address(es) removed due to disabling VRF 802101
LON1(config-if)#ip add 31.32.33.34 255.255.255.255

LON-FW1# ping outside 31.32.33.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.32.33.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LON-FW1#

I added this loopback because the other devices are currently turned off; we don't really need them at the moment, but we do need to set up NAT on the firewalls so that the LAN can talk to the WAN.
NAT
LON-FW1(config)# object-group network INSIDE-NAT-SUBNETS
LON-FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.4.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.9.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.20.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.21.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.99.0 255.255.255.0
LON-FW1(config-network-object-group)# exi
LON-FW1(config)# nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUB$
LON-FW1(config)# route inside 10.1.0.0 255.255.0.0 10.1.1.1
LON-FW1(config)# access-list outside->in extended permit ip any any
LON-FW1(config)# access-list outside->in extended permit icmp any any
LON-FW1(config)# access-group outside->in in interface outside
LON-FW1(config)# end
LON-FW1# sh run | i nat
LON-FW1#

The nat line is cut off by the terminal width (the trailing $ marks the wrap), so the end of that statement is not shown above. Note that I have not included the 10.1.55.0/24 network; we don't really need it on the switches, and it kind of messes with the whole IP addressing scheme anyway. But there we go.

Two caveats before copying any of this beyond the lab. The outside->in ACL permits ip any any inbound on the outside interface, which means the ASA is not filtering anything the WAN side sends at it; the permit icmp any any line after it is never reached, because the ip any any entry already matches everything. In production, drop the ip any any entry and, if you want ping replies to come back without an ACL hole, enable ICMP inspection instead. Also, sh run | i nat came back empty here, so use show nat and show xlate to confirm that the translation exists and is being hit before trusting the pings below.
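Neither the ASA nor a successful ping tells you whether the failover pair and the NAT policy are what you meant. The following is an added example, not code from the post or from Cisco: a small Python lint over a constructed excerpt of the LON-FW1 configuration (the failover lines from the Failover section, the six-subnet object group, the inside route and the outside->in ACL from this section). It checks that every active/standby address pair shares a subnet, that a failover key is set and is not a short or well-known word, that an inbound interface ACL does not start with permit ip any any (and lists the entries that line shadows), and that every NAT source subnet has a return route via a non-outside interface. The tail of the truncated nat statement, the weak-key denylist and the 12-character floor are my assumptions.

```python
"""Offline lint for a small ASA active/standby + NAT config (added example)."""
import ipaddress
import re

# Constructed excerpt mirroring the LON-FW1 commands in the post, in the long
# form the running config uses. The post's nat line is cut off by the terminal;
# it is assumed here to end in 'interface' (PAT to the outside address).
LON_FW1_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 163.4.4.254 255.255.255.0 standby 163.4.4.252
interface Ethernet1
 nameif inside
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.252
failover
failover lan unit primary
failover lan interface fover Ethernet3
failover key cisco
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
object-group network INSIDE-NAT-SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.9.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
 network-object 10.1.21.0 255.255.255.0
 network-object 10.1.99.0 255.255.255.0
nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-group outside->in in interface outside
route outside 0.0.0.0 0.0.0.0 163.4.4.1
route inside 10.1.0.0 255.255.0.0 10.1.1.1
"""
# Assumption: a tiny denylist plus a length floor stands in for a real key policy.
WEAK_FAILOVER_KEYS = {"cisco", "password", "failover", "admin"}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_standby_pairs(cfg):
    """Each 'x standby y' pair must be two distinct hosts in one subnet."""
    findings = []
    pairs = re.findall(r"^\s*(?:ip address|failover interface ip \S+)\s+(\S+)\s+(\S+)\s+standby\s+(\S+)", cfg, re.M)
    for active, mask, standby in pairs:
        net, sb = _net(active, mask), ipaddress.ip_address(standby)
        if sb == ipaddress.ip_address(active):
            findings.append(f"active and standby are both {active}")
        elif sb not in net:
            findings.append(f"standby {standby} is not in {net} (active {active})")
    return findings


def check_failover_key(cfg):
    """No key means config and state cross the failover link unauthenticated and in the clear."""
    if not re.search(r"^failover\s*$", cfg, re.M):
        return []
    m = re.search(r"^failover key (?:hex )?(\S+)", cfg, re.M)
    if not m:
        return ["failover enabled with no failover key"]
    if m.group(1).lower() in WEAK_FAILOVER_KEYS or len(m.group(1)) < 12:
        return [f"failover key '{m.group(1)}' is short or well known"]
    return []


def check_inbound_acls(cfg):
    """Flag 'permit ip any any' on an interface ACL and list the ACEs it shadows."""
    findings = []
    for acl, intf in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        aces = re.findall(rf"^access-list {re.escape(acl)} extended (permit|deny) (\S+) (\S+) (\S+)\s*$", cfg, re.M)
        for i, (action, proto, src, dst) in enumerate(aces):
            if (proto, src, dst) == ("ip", "any", "any"):
                if action == "permit":
                    findings.append(f"{acl} inbound on {intf}: permit ip any any leaves {intf} unfiltered")
                findings += [f"{acl}: '{' '.join(a)}' is shadowed by {action} ip any any" for a in aces[i + 1:]]
                break  # first match wins, so nothing after this ACE is ever evaluated
    return findings


def check_nat_coverage(cfg):
    """Every dynamic-NAT source subnet needs a return path via a non-outside interface."""
    routes = re.findall(r"^route (\S+) (\S+) (\S+) \S+", cfg, re.M)
    reachable = [_net(dst, mask) for intf, dst, mask in routes if intf != "outside"]
    for body in re.findall(r"^interface \S+\n((?: .*\n)+)", cfg, re.M):  # connected subnets count too
        name, ip = re.search(r"nameif (\S+)", body), re.search(r"ip address (\S+) (\S+)", body)
        if name and ip and name.group(1) != "outside":
            reachable.append(_net(*ip.groups()))
    findings = []
    for group in re.findall(r"^nat \(\S+,\S+\) .*source dynamic (\S+)", cfg, re.M):
        members = re.search(rf"^object-group network {re.escape(group)}\n((?: .*\n)+)", cfg, re.M)
        if not members:
            findings.append(f"nat references unknown object-group {group}")
            continue
        for a, mk in re.findall(r"network-object (\S+) (\S+)", members.group(1)):
            subnet = _net(mk, "255.255.255.255") if a == "host" else _net(a, mk)
            if not any(subnet.subnet_of(r) for r in reachable):
                findings.append(f"NAT source {subnet} has no return route on a non-outside interface")
    return findings


def run_checks(cfg):
    """All findings for one config; an empty list means it passed."""
    return check_standby_pairs(cfg) + check_failover_key(cfg) + check_inbound_acls(cfg) + check_nat_coverage(cfg)
```

Run against the excerpt above, run_checks() returns three findings: the weak failover key, the permit ip any any on outside->in, and the shadowed permit icmp any any entry; the standby pairs and the NAT coverage pass. Typing a standby address into the wrong subnet (for example 1.1.55.2 instead of 10.1.55.2 on the failover interface) or adding a NAT subnet with no inside route each produces one more finding, which is the kind of slip the ASA itself accepts without comment.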
It is working:
ISE14/admin# ping 31.32.33.34
PING 31.32.33.34 (31.32.33.34) 56(84) bytes of data.
64 bytes from 31.32.33.34: icmp_seq=1 ttl=254 time=19.2 ms
64 bytes from 31.32.33.34: icmp_seq=2 ttl=254 time=20.4 ms
64 bytes from 31.32.33.34: icmp_seq=3 ttl=254 time=19.0 ms
64 bytes from 31.32.33.34: icmp_seq=4 ttl=254 time=14.4 ms

--- 31.32.33.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3019ms
rtt min/avg/max/mdev = 14.425/18.296/20.445/2.300 ms
ISE14/admin#

This is from a Windows host in VLAN 4:
So the firewalls are set up in Active/Standby HA, we have NAT working, and our inside hosts can talk to devices beyond the firewalls.
The new switch has arrived, so I can start to play around with that. I'll need to set up UNL to use a separate NIC for this, and that will be in a later post. Till then, it's really starting to take shape!