Migrating from a single PIX 515e to 2 ASA5540s in active/active failover
I'm currently in the process of migrating from a single PIX 515e to 2 x ASA5540s which need to be configured as an active/active failover pair. The ASAs will each have a GigE connection to a 6506 switch (distribution switches) with Sup720 in Native mode functioning as inside LAN routers, a connection for LAN failover and a connection for Stateful failover. There will be 2 x 6506 (Sup720s in Native mode) switches functioning as outside routers with T3 circuits from each router to different service providers. The inside routers are running OSPF for routing between VLANs and are trunking between them (VTP client/server setup). A separate VLAN has been created to function as the gateway (the VLAN to which the ASAs will connect). A default static route is created to send non-local traffic to the ASAs. The ASAs will be running NAT (there will be some NAT 0 and static for a couple of web/email servers etc. in the DMZ). The ASAs will not be running any dynamic routing protocols. The outside routers will be peering with the ISPs via eBGP and with each other via iBGP. The outside routers will have trunking enabled between them.

I have a couple of questions about the ASA configuration process. The Cisco documentation says that to enable active/active failover, multiple security contexts are required. Most of the documentation shows subinterfaces being configured on the ASAs; however, since the inside routers as well as the outside routers will be doing their own routing, are the subinterfaces necessary? Also, based on the current NAT statements and ACLs configured on the PIX 515e, I would like to migrate them as-is, so do I need to apply the same statements to each security context or just the system security context (assuming that the Cisco documentation is correct about the multiple security context requirement for active/active failover)?
Below is an example of a configuration file I created (variables in uppercase would need to be replaced by actual information); however, I'm not sure where to add the NAT statements and ACLs and where to apply the ACLs. I presume each context would have the same ACLs and NAT statements, however I'm not sure. Any input would be much appreciated. Just as an FYI, I did not mention above the extra connections from the ASAs to each router. The ASAs will have links to outside routers 1 and 2 and inside routers 1 and 2. I will also need to add static routes.
config t
!
! Convert to multiple-context mode first. This is done on each unit separately
! (it is not replicated over failover) and the unit reloads afterwards.
mode multiple
!
! --- System execution space: physical interface settings only. nameif and
! --- ip address are configured inside the context each interface is allocated to.
interface OUTSIDEINTERFACE
 description Link to Outer Router 1 interface OUTERROUTERINTERFACE
 no shutdown
!
interface INSIDEINTERFACE
 description Link to Inner Router 1 interface INNERROUTERINTERFACE
 no shutdown
!
interface OUTSIDE2INTERFACE
 description Link to Outer Router 2 interface OUTER2ROUTERINTERFACE
 no shutdown
!
interface INSIDE2INTERFACE
 description Link to Inner Router 2 interface INNER2ROUTERINTERFACE
 no shutdown
!
interface LANFAILOVERINTERFACE
 description LAN Failover Interface
 no shutdown
!
interface STATEFAILOVERINTERFACE
 description STATE Failover Interface
 no shutdown
!
! --- Failover: LAN failover link and stateful link.
! --- (The PIX 6.x "failover lan enable" command is not used on the ASA.)
failover lan unit primary
failover lan interface LANFailover LANFAILOVERINTERFACE
failover key FAILOVERKEY
failover link stateful STATEFAILOVERINTERFACE
failover interface ip LANFailover LANFAILIPADDRESS LANFAILSUBMASK standby LANFAILIPSTAND
failover interface ip stateful STATEFAILIPADDRESS STATEFAILSUBMASK standby STATEFAILIPSTAND
!
! --- Failover groups: group 1 is active on the primary unit, group 2 on the secondary.
failover group 1
 primary
 preempt 10
 polltime interface msec 500 holdtime 5
 replication http
failover group 2
 secondary
 preempt
 polltime interface msec 500 holdtime 5
 replication http
!
! Enable failover once the links and groups are defined.
failover
!
! --- Contexts
admin-context admin
context admin
 config-url flash:/admin.cfg
!
context context1
 allocate-interface INSIDEINTERFACE inside_company1
 allocate-interface OUTSIDEINTERFACE outside_company1
 config-url flash:/company1.cfg
 join-failover-group 1
!
context context2
 allocate-interface INSIDE2INTERFACE inside_company2
 allocate-interface OUTSIDE2INTERFACE outside_company2
 config-url flash:/company2.cfg
 join-failover-group 2
!
! --- Context 1: interfaces are referenced by their allocated (mapped) names,
! --- not by the physical interface names used in the system space.
changeto context context1
hostname CompanyContext1
interface inside_company1
 nameif NAMEIFINSIDE
 security-level 100
 ip address INSIDEIPADDRESS INSIDEIPMASK standby INSIDEIPSTAND
!
interface outside_company1
 nameif NAMEIFOUTSIDE
 security-level 0
 ip address OUTSIDEIPADDRESS OUTSIDEIPMASK standby OUTSIDEIPSTAND
 asr-group 1
!
! Interface health monitoring is a context-level command and uses the nameif.
monitor-interface NAMEIFINSIDE
monitor-interface NAMEIFOUTSIDE
!
! --- Context 2
changeto context context2
hostname CompanyContext2
interface inside_company2
 nameif NAMEIF2INSIDE
 security-level 100
 ip address INSIDE2IPADDRESS INSIDE2IPMASK standby INSIDE2IPSTAND
!
interface outside_company2
 nameif NAMEIF2OUTSIDE
 security-level 0
 ip address OUTSIDE2IPADDRESS OUTSIDE2IPMASK standby OUTSIDE2IPSTAND
 asr-group 1
!
monitor-interface NAMEIF2INSIDE
monitor-interface NAMEIF2OUTSIDE
!
changeto system
prompt hostname context
end
! "write memory all" from the system space saves the system config and every context.
write memory all
Re: Migrating from a single PIX 515e to 2 ASA5540s in active/act
Let me try to answer the two questions. I'll add the quoted excerpts so that it's easy to identify which answer goes with which question.
... The Cisco documentation says that to enable active/active failover, multiple security contexts are required. Most of the documentation shows subinterfaces being configured on the ASAs; however, since the inside routers as well as the outside routers will be doing their own routing, are the subinterfaces necessary?
The subinterfaces are necessary if the ASAs are connected via an 802.1q trunk. They are used to reference the VLAN. Here's a doc for more:
... Also, based on the current NAT statements and ACLs configured on the PIX 515e, I would like to migrate them as-is, so do I need to apply the same statements to each security context or just the system security context (assuming that the Cisco documentation is correct about the multiple security context requirement for active/active failover)?
NAT and ACL configuration is "not" entered under the system context. They are configured under the context, which is the virtual firewall itself.
1. Ensure both firewalls have the same licenses, including the active/active license.
2. Ensure both run the same code version.
3. Ensure both are configured as multi-context before enabling the failover. This command is not replicated to the standby unit.
4. Here's a very good doc for setting up an active/active firewall as a reference:
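To show where the migrated PIX NAT statements and ACLs land, here is an added example (not part of the original post or this reply) of the context1 configuration, using the same uppercase placeholder convention as the original post. It assumes pre-8.3 NAT syntax (the same form the PIX uses), a third link allocated to context1 as "dmz_company1" for the DMZ servers, and placeholder address names such as WEBPUBLICIP and INNERROUTER1IP; context2 gets its own copy with its own addresses.

```cisco
! --- System execution space: one extra allocation is assumed for the DMZ link
! --- (added under "context context1"):
!   allocate-interface DMZINTERFACE dmz_company1
!
! --- Everything below is entered inside the context, not in the system space.
changeto context context1
!
interface dmz_company1
 nameif NAMEIFDMZ
 security-level 50
 ip address DMZIPADDRESS DMZIPMASK standby DMZIPSTAND
!
! Identity NAT (nat 0): inside <-> DMZ traffic is not translated.
access-list NONAT extended permit ip INSIDENET INSIDEMASK DMZNET DMZMASK
nat (NAMEIFINSIDE) 0 access-list NONAT
!
! Dynamic PAT for all other inside hosts leaving through the outside interface.
nat (NAMEIFINSIDE) 1 0.0.0.0 0.0.0.0
global (NAMEIFOUTSIDE) 1 interface
!
! Static translations for the published DMZ servers (public -> private).
static (NAMEIFDMZ,NAMEIFOUTSIDE) WEBPUBLICIP WEBPRIVATEIP netmask 255.255.255.255
static (NAMEIFDMZ,NAMEIFOUTSIDE) MAILPUBLICIP MAILPRIVATEIP netmask 255.255.255.255
!
! Inbound ACL on the outside interface. With pre-8.3 NAT the ACL references the
! translated (public) address. Only the published services are permitted; the
! implicit deny at the end of the ACL drops everything else.
access-list OUTSIDE_IN extended permit tcp any host WEBPUBLICIP eq www
access-list OUTSIDE_IN extended permit tcp any host WEBPUBLICIP eq https
access-list OUTSIDE_IN extended permit tcp any host MAILPUBLICIP eq smtp
access-group OUTSIDE_IN in interface NAMEIFOUTSIDE
!
! Static routes (no dynamic routing on the ASA): default toward outside router 1,
! the internal summary toward inside router 1.
route NAMEIFOUTSIDE 0.0.0.0 0.0.0.0 OUTERROUTER1IP 1
route NAMEIFINSIDE INTERNALNET INTERNALMASK INNERROUTER1IP 1
```

After entering the context configuration, "write memory all" from the system space saves it together with the other contexts.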