Lab environment: two ASA 5508 firewalls configured as an HA (failover) pair, one as the active (main) firewall and the other as the standby firewall. Each firewall uses three ports:
GI 1/1: outside interface (external link); GI 1/2: inside interface (internal network); GI 1/3: interconnect interface between the two firewalls.
Purpose of the experiment: the two firewalls back each other up. Normally only one of them forwards traffic while the other stays online as a hot standby. When the main firewall fails, the standby firewall takes over as the main firewall and continues to provide service.
Experimental network topology diagram:
Other devices that support hot standby can be configured the same way, but the two devices in a hot-standby pair must be the same model running the same software version. First check whether the device can do hot-standby configuration:
asa5508-active# show version
First configure the first firewall, which will be the primary (active) device:
asa5508-active# configure terminal
asa5508-active(config)# interface gi 1/1
asa5508-active(config-if)# nameif outside
asa5508-active(config-if)# security-level 0
asa5508-active(config-if)# ip address 172.16.1.11 255.255.255.0 standby 172.16.1.12 //the standby address is the IP of this interface (interface 1) on the standby firewall
asa5508-active(config-if)# exit
asa5508-active(config)# interface gi 1/2
asa5508-active(config-if)# nameif inside
asa5508-active(config-if)# security-level 100
asa5508-active(config-if)# ip address 192.168.91.11 255.255.255.128 standby 192.168.91.12 //the standby address is the IP of this interface (interface 2) on the standby firewall
asa5508-active(config-if)# exit
asa5508-active(config)# failover lan unit primary //set the role of this device to primary firewall
asa5508-active(config)# failover lan interface failover gi1/3 //name the failover link "failover" and bind it to port 3, the interconnect between the primary and standby devices (if several ports connect the two devices, the one to use must be specified).
There is only one connecting interface between the primary and standby devices in this experiment, so only one interface is specified.
asa5508-active(config)# failover link fover gi1/3 //specify the stateful failover link, i.e. the interface over which state and configuration information is synchronized between the primary and standby. Because only one interface connects the primary and standby in this experiment,
this command can be omitted here.
asa5508-active(config)# failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.2 //set the IP addresses of the failover link on interface 3; any addresses
of your own choosing can be used.
asa5508-active(config)# failover lan key Cisco //set the failover authentication key ("Cisco" here; any value can be used), i.e. the key that secures the communication between the two devices over interface 3.
asa5508-active(config)# failover //once all configuration on the master firewall is complete, enter this command to enable hot standby mode. Note: this command must be entered on the primary device first; otherwise, if the
backup device enters it first while the interconnect is connected, the configuration is replicated from the standby device onto the master device, overwriting the master's configuration.
asa5508-active# show interface //show interface now lists interface 3 as the failover interface.
Next, configure the standby device:
asa5508-standby(config)# interface gi 1/3
asa5508-standby(config-if)# no shutdown
asa5508-standby(config-if)# exit
asa5508-standby(config)# failover lan unit secondary //set the role of this device to standby
asa5508-standby(config)# failover lan interface failover gi1/3 //name the failover link "failover" and bind it to port 3, the interconnect between the primary and standby devices (if several ports connect the two devices, the one to use must be specified).
There is only one connecting interface between the primary and standby devices in this experiment, so only one interface is specified.
asa5508-standby(config)# failover link fover gi1/3 //specify the stateful failover link, i.e. the interface over which state and configuration information is synchronized between the primary and standby. Because only one interface connects the primary and standby in this experiment,
this command can be omitted here.
asa5508-standby(config)# failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.2 //set the IP addresses of the failover link on interface 3 (they must match the primary); any addresses
of your own choosing can be used.
asa5508-standby(config)# failover lan key Cisco //set the same failover authentication key ("Cisco" here; any value can be used) that secures the communication between the two devices over interface 3.
asa5508-standby(config)# failover //enable hot standby mode. Note: this command must be entered on the primary device first; otherwise, if the backup device enters it first while the interconnect is connected,
the configuration is replicated from the standby device onto the master device, overwriting the master's configuration.
After the two devices have synchronized, configuration can only be performed on the active primary device, and the standby device's hostname will become the same as the primary's. You can check the state with show failover, or with the command:
asa5508-active(config)# prompt hostname priority state //show the device's role and state in the prompt
asa5508-active/pri/act(config)# //the prompt now shows that this device is the primary unit with state Active, i.e. the device currently doing the work.
Log in to the other device to check it:
asa5508-standby(config)# prompt hostname priority state //show the device's role and state in the prompt
asa5508-standby/sec/stby(config)# //the prompt shows that this device is the secondary unit with state Standby, i.e. the device currently on standby.
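The show failover check above is the one worth automating: a pair whose standby unit is not "Standby Ready", or whose two units run different software versions (the requirement stated at the start of the lab), gives no protection when the active unit fails. The following is an added example, not part of the original post, that parses a constructed show failover output (the layout follows the ASA format, the values are made up for this lab) and reports such findings:

```python
import re
# Constructed sample "show failover" output for this lab (layout follows the ASA format, values made up).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/3 (up)
Version: Ours 9.8(2), Mate 9.8(2)
        This host: Primary - Active
                  Interface outside (172.16.1.11): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (172.16.1.12): Normal (Monitored)
"""

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): ([^(\n]+)")  # name, ip, status
HOST_RE = r"%s host: (\w+) - ([^\n]+)"  # "This"/"Other" host: unit - state

def _interfaces(chunk):  # map interface name -> status ('Normal', 'Failed', ...) for one unit's section
    return {name: status.strip() for name, _ip, status in IFACE_RE.findall(chunk)}

def parse_failover(text):
    """Extract the pair's state from show failover text into a plain dict."""
    enabled = re.search(r"^Failover (On|Off)", text, re.M)
    this = re.search(HOST_RE % "This", text)
    other = re.search(HOST_RE % "Other", text)
    ver = re.search(r"Version: Ours ([^,]+), Mate ([^\n]+)", text)
    ours, _, mate = text.partition("Other host:")  # interface lines belong to one unit each
    return {
        "enabled": enabled is not None and enabled.group(1) == "On",
        "this_state": this.group(2).strip() if this else None,
        "other_state": other.group(2).strip() if other else None,
        "versions": (ver.group(1).strip(), ver.group(2).strip()) if ver else (None, None),
        "this_interfaces": _interfaces(ours),
        "other_interfaces": _interfaces(mate),
    }

def assess(state):
    """Return a list of findings; an empty list means the pair can still fail over."""
    if not state["enabled"]:
        return ["failover is Off: no hot standby protection"]
    findings = []
    if "Standby Ready" not in (state["this_state"], state["other_state"]):
        findings.append("no unit is Standby Ready: failure of the active unit is not covered")
    if state["versions"][0] != state["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % state["versions"])
    for side in ("this", "other"):
        for name, status in state[side + "_interfaces"].items():
            if status != "Normal":
                findings.append("%s host interface %s is %s" % (side, name, status))
    return findings
```

Feed it the real output of show failover from the active unit (for example collected by a scheduled SSH job) and alert on any non-empty result.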
Additional configuration: for example, log on to the main device and enter the following command:
asa5508-active/pri/act(config)# no failover active //manually switch the primary device to standby (by default, if the main device fails, the standby device automatically takes over the active role)
asa5508-standby/sec/stby(config)# failover active //manually switch the standby device to the active state
Cisco Firewall HA Example