ASA - Active/Active in Transparent Mode

keith.osullivan
Level 1

Hi,

I am trying to configure a pair of new ASAs for transparency and redundancy; they will protect some existing servers whose IPs cannot be changed.

I have enabled multiple contexts but cannot manage the ASAs by IP.

Below is the config.

ASA Version 7.0(7) <system>
!
firewall transparent
hostname ASA
enable password **** encrypted
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/0.1
 vlan 601
!
interface GigabitEthernet0/0.2
 vlan 602
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.1
 vlan 603
!
interface GigabitEthernet0/1.2
 vlan 604
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/3.1
 description LAN Failover Interface
 vlan 101
!
interface GigabitEthernet0/3.2
 description STATE Failover Interface
 vlan 201
!
interface Management0/0
!
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface LANFailover GigabitEthernet0/3.1
failover link Stateful GigabitEthernet0/3.2
failover interface ip LANFailover ###internal ip#### standby ###internal ip####
failover interface ip Stateful ###internal ip#### standby ###internal ip####
failover group 1
failover group 2
 secondary
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
 join-failover-group 1
!
context context1
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 config-url disk0:/context1
 join-failover-group 1
!
context context2
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/context2
 join-failover-group 2
!
Cryptochecksum:xxx
: end

ASA# changeto context context1
ASA/context1# sh run
: Saved
:
ASA Version 7.0(7) <context>
!
firewall transparent
hostname context1
enable password **** encrypted
names
dns-guard
!
interface GigabitEthernet0/0.1
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1.1
 nameif inside
 security-level 100
!
passwd xxx
pager lines 24
mtu outside 1500
mtu inside 1500
ip address ###internal ip#### standby ###internal ip####
************
output omitted
************
: end

ASA/context1# changeto context context2
ASA/context2# sh run
: Saved
:
ASA Version 7.0(7) <context>
!
firewall transparent
hostname context2
enable password **** encrypted
names
dns-guard
!
interface GigabitEthernet0/0.2
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1.2
 nameif inside
 security-level 100
!
passwd xxx
pager lines 24
mtu outside 1500
mtu inside 1500
ip address ###internal ip#### standby ###internal ip####
************
output omitted
************
: end

ASA/context2#

12 Replies

alanajjar
Level 1

Hi,

You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address. After that you can manage the ASA through IP.

For example:

interface Management0/0
 nameif management
 ip address 10.10.10.10 255.255.255.0
 security-level 50
 no shut

Also you need to specify the addresses that can manage the ASA and the interface which they are connected to:

http ip_address mask interface

Example:

http 10.2.2.2 255.255.255.255 inside

Other solution: you can add the management interface to the admin context, then use the previous commands in the admin context.

with regards

Hi,

Thanks for the response Alan, entering the security level fixed the problem.

I still cannot get traffic to go through the firewall. I am not sure if I have to keep the VLANs on the interfaces and then assign them to the contexts, as whenever I try adding access rules it says there are no interfaces available.

Many thanks for your help.

Keith

Hi,

You need to enable ALL the sub-interfaces in the system configuration and in ALL contexts, as you know, by using the command

no shut

You need to do it for all sub-interfaces. Note that the access lists are defined in the contexts, not in the system configuration.

Hope this will help.

regards

Hi,

I cannot add an interface to multiple contexts (i.e. sharing cannot be done in transparent mode), and it will only allow me to add 2 data interfaces per context.

Kind regards

Keith

Hi,

Why do you want to use a shared interface? You didn't mention anything about that.

In transparent mode, you can have only two interfaces per context. Also you define the IP address in context mode, not interface mode, and you need to apply an access list to let traffic pass through each context, because by default all traffic is blocked in transparent mode.

can you specify exactly what you want to do?

with regards
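The two transparent-mode limits described in this thread (at most two data interfaces per context, and no interface shared between contexts) can be checked before the config is pushed. The following Python audit is an added example, not anything from the thread or from Cisco; it parses a constructed system config shaped like the one posted above, in which context2 has been given a third data interface and one that context1 already owns:

```python
import re
# Constructed sample shaped like the system config posted above (not the poster's
# exact config): context2 is given a third data interface and reuses one that
# context1 already owns, both of which a transparent-mode ASA rejects.
SYSTEM_CONFIG = """
firewall transparent
admin-context admin
context admin
 allocate-interface Management0/0
 join-failover-group 1
context context1
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 join-failover-group 1
context context2
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 allocate-interface GigabitEthernet0/0.1
 join-failover-group 2
"""

def parse_contexts(text):
    """Map each context to its allocated interfaces and failover group."""
    contexts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^context (\S+)$", line)  # 'admin-context' does not match
        if m:
            current = m.group(1)
            contexts[current] = {"interfaces": [], "group": None}
        elif current and line.startswith("allocate-interface "):
            contexts[current]["interfaces"].append(line.split()[1])
        elif current and line.startswith("join-failover-group "):
            contexts[current]["group"] = int(line.split()[1])
    return contexts

def audit(text):
    """Flag allocations that transparent multiple-context mode will refuse."""
    findings, owners = [], {}
    transparent = "firewall transparent" in text
    for name, ctx in parse_contexts(text).items():
        # Management0/0 is management-only and does not count as a data interface
        data = [i for i in ctx["interfaces"] if not i.startswith("Management")]
        for i in data:
            owners.setdefault(i, []).append(name)
        if transparent and len(data) > 2:
            findings.append(f"{name}: {len(data)} data interfaces, transparent mode allows two")
    for i, names in owners.items():
        if transparent and len(names) > 1:
            findings.append(f"{i}: shared by {', '.join(names)}, not allowed in transparent mode")
    return findings
```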

Hi Alanajjar,

I really appreciate your input into this.

The aim is to firewall off some servers internally, and their IPs cannot be changed easily (due to coding of some applications).

Internal IP (eg 192.168.0.50/24) <----> Transparent Firewalls <------> Internal IP (eg 192.168.0.50/24).

I can allocate interfaces (inside and outside) to contexts, but as it's transparent I don't really want to use multiple VLANs, which seems to be the only way to allocate the interfaces. The above works with Active / Standby (no VLANs etc), but A/A does not seem possible without VLANs. I only thought about the shared interface as it would mean no VLANs.

Kind regards in advance

Keith

Hi,

With a transparent firewall you have to allocate VLANs to interfaces, otherwise the firewall will not pass any traffic.

I have some questions to clarify the picture:

Are all servers in the same subnet or different subnets?

Do you have a layer 3 switch?

Is there a problem if you use VLANs?

If you can post your network diagram, this will give a good picture of your situation.

I hope that I can help you in this.

with regards

Hi,

All the servers are on the same subnet, so the goal is just to move the required servers from one side of the firewall to the other.

We do have a layer 3 switch and use VLANs, so that should not be a problem. I am just thinking, if we use VLANs on the firewall ports, how will traffic pass through or swap between VLANs to balance the traffic?

I attach a simple network diagram, so hopefully you can see what I am trying to do.

Regards

Hi Keith,

Your situation is easy. For your case you need only one context; in that context define an IP address in the same subnet, i.e. 192.168.1.x/24. The ASA will switch traffic through the context based on the source address in your case, so the traffic from a specific source will pass through a specific context which is in the same subnet. The ASA will use the VLANs on the context to switch traffic between the inbound interface (or sub-interface) and the outbound interface, and the return traffic will pass through the same context; it will not go through another context. This will be controlled by the ASA.

Hope this will clarify the situation.

With regards

Thanks for your help Alanajjar. I just tried setting this up and one firewall works, but the failover does not, and I believe traffic is only passing through the primary firewall. With a single context it will be active / nothing, am I right in thinking?

From what I can gather you assign interfaces (VLANs) to contexts, and each firewall runs a different context, i.e. different VLANs. I seem to be running into trouble where I want all interfaces to run the same VLAN (default) and pass traffic so it is fully transparent and balanced. With a single context you cannot have each firewall running a context, so it is Active / Nothing. As I cannot assign an interface to multiple contexts in transparent mode, I am stuck.

Hope that makes sense.

Hi,

I think in your situation you don't need to use active/active failover; why don't you use transparent active/standby stateful failover? You need active/active failover when you have multiple subnets and you want to use failover for those subnets, but here you have only one subnet, am I right?

Regarding VLANs, the servers don't care about VLANs, only network devices like routers, firewalls or switches. The switching between different VLANs will be handled by the layer 3 switch in your case, so for this it's not an issue. Only minor changes in the switch will solve that.

I hope that I understood the situation correctly.

with regards

Hi Alanajjar,

Thank you very much for your help. I have gone with the active / standby approach as you suggested.

Kind regards

Keith
