11 January 2013

Cisco ASA 5505 Failover active / passive configuration example



ASA01 (active) configuration:

! ASA01: primary unit of an active/standby LAN-based failover pair.
! The peer (ASA02) carries the same configuration except for the unit role
! ("failover lan unit secondary"); the active unit replicates its configuration
! to the standby, so hostname and addressing are expected to match on both.
! The "standby" address on each interface belongs to whichever unit is standby.
ASA Version 7.2(2)
!
hostname asa01vrt
domain-name stknetwork.local
! Secrets are redacted in this listing (X placeholders); they are not real hashes.
enable password XXXXXXXXX encrypted
names
!
! Inside (trusted, security-level 100): active .31, standby .30.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.33.10.31 255.255.255.0 standby 10.33.10.30
!
! Outside (untrusted, security-level 0): active .31, standby .30.
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.33.20.31 255.255.255.0 standby 10.33.20.30
!
! Dedicated failover VLAN; no nameif/security-level here, it is addressed
! by "failover interface ip" below.
interface Vlan999
 description LAN Failover Interface
!
! Ethernet0/0-0/2 are outside ports (VLAN 2); Ethernet0/3 is the failover link.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 999
!
! Ethernet0/4-0/7 carry no explicit VLAN assignment; presumably they fall back
! to the platform default VLAN (inside) -- confirm before connecting anything.
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
! Name resolution is permitted on both interfaces; resolvers live on the inside LAN.
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.33.0.50
 name-server 10.33.0.51
 domain-name mangart.local
! Permits traffic to enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface
! NOTE(review): object-groups "lan" and "lan-clients" are defined but not
! referenced by any access-list in this listing.
object-group network lan
 network-object 10.33.0.0 255.255.255.0
 network-object 10.33.10.0 255.255.255.0
object-group network lan-clients
 network-object 10.33.0.0 255.255.255.0
! Inbound on inside. The last entry ("permit ip any any") makes the three
! preceding entries redundant: all traffic from inside hosts is allowed.
access-list inside_access_in extended permit icmp 10.33.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.33.0.0 255.255.0.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
! Inbound on outside. The second entry ("permit icmp any any") supersedes the
! echo-reply-only entry, so every ICMP type from any source is accepted on the
! outside interface. No TCP/UDP entry exists, so those hit the implicit deny.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
! Matches all TCP; used by class-map mss-map below.
access-list mss_allow_list extended permit tcp any any
!
! Let segments that exceed the configured MSS through instead of dropping them
! (pairs with "sysopt connection tcpmss 1400" below).
tcp-map tcp-mss-map
  exceed-mss allow
!
pager lines 24
! Logging: timestamped, 512 KB local buffer at debugging level. No syslog host
! appears in this listing, so messages exist only in the local buffer.
logging enable
logging timestamp
logging buffer-size 512000
logging asdm-buffer-size 512
logging console notifications
logging monitor informational
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
! Failover: this unit is primary; failover link is Vlan999, primary .31 /
! secondary .32 on 10.33.19.0/24. No "failover link" (stateful) is configured,
! so only configuration is replicated and open connections are not preserved
! on switchover -- believed to be the only mode the 5505 supports; confirm.
! NOTE(review): "failover key encryption" -- confirm whether "encryption" is
! the literal shared key or a redaction. The key authenticates the peer and
! protects failover traffic on Vlan999; it must be identical on both units.
failover
failover lan unit primary
failover lan interface failoverlink Vlan999
failover key encryption
failover interface ip failoverlink 10.33.19.31 255.255.255.0 standby 10.33.19.32
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT: every inside source (0.0.0.0/0) is translated to the outside
! interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
! Static routes: 10.33.0.0/16 via the inside router, default via the outside gateway.
route inside 10.33.0.0 255.255.0.0 10.33.10.254 1
route outside 0.0.0.0 0.0.0.0 10.33.20.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Management AAA: one local account at privilege 15; enable, HTTP (ASDM),
! serial, SSH and Telnet logins and command authorization all use LOCAL.
username administrator password XXXXXXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
! ASDM/HTTPS, Telnet and SSH are reachable only from 10.33.0.0/16 on inside.
! Telnet is cleartext; since SSH is enabled for the same range, the Telnet
! lines could be removed without losing remote management.
http 10.33.0.0 255.255.0.0 inside
! Clamp TCP MSS to 1400 for connections through the firewall.
sysopt connection tcpmss 1400
telnet 10.33.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.33.0.0 255.255.0.0 inside
ssh timeout 59
! 0 = the serial console never times out; consider a non-zero value.
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
! MSS policy: class matches all TCP (mss_allow_list) and applies tcp-mss-map.
class-map mss-map
 match access-list mss_allow_list
!
!
! NOTE(review): "outside-policy" is a duplicate of "mss-map" and is not bound
! by any service-policy line; only "mss-map" is applied (to outside, below).
policy-map outside-policy
 class mss-map
  set connection advanced-options tcp-mss-map
policy-map mss-map
 class mss-map
  set connection advanced-options tcp-mss-map
!
service-policy mss-map interface outside
! Time from the inside NTP server; no "ntp authenticate" in this listing.
ntp server 10.33.10.1 source inside prefer
smtp-server 10.33.0.51
prompt hostname context
! Checksum of the saved configuration at capture time; any edit changes it.
Cryptochecksum:49f7a876436dee23136652b283692b03
: end






ASA02 (passive) configuration:



! ASA02: secondary unit of the active/standby failover pair. Everything except
! "failover lan unit secondary" matches ASA01, which is expected: the active
! unit replicates its configuration to the standby, and the unit role is the
! one per-unit setting. Hostname "asa01vrt" on this box is therefore the
! replicated value, not a typo.
! NOTE(review): the Cryptochecksum below is identical to ASA01's even though
! the "failover lan unit" line differs, which suggests this listing was derived
! from ASA01's by editing one line; treat it as illustrative, not a capture.
ASA Version 7.2(2)
!
hostname asa01vrt
domain-name stknetwork.local
! Secrets are redacted in this listing (X placeholders); they are not real hashes.
enable password XXXXXXXXX encrypted
names
!
! Inside (trusted, security-level 100): active .31, standby .30.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.33.10.31 255.255.255.0 standby 10.33.10.30
!
! Outside (untrusted, security-level 0): active .31, standby .30.
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.33.20.31 255.255.255.0 standby 10.33.20.30
!
! Dedicated failover VLAN; addressed by "failover interface ip" below.
interface Vlan999
 description LAN Failover Interface
!
! Ethernet0/0-0/2 are outside ports (VLAN 2); Ethernet0/3 is the failover link.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 999
!
! Ethernet0/4-0/7 carry no explicit VLAN assignment; presumably they fall back
! to the platform default VLAN (inside) -- confirm before connecting anything.
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
! Name resolution is permitted on both interfaces; resolvers live on the inside LAN.
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.33.0.50
 name-server 10.33.0.51
 domain-name mangart.local
! Permits traffic to enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface
! NOTE(review): object-groups "lan" and "lan-clients" are defined but not
! referenced by any access-list in this listing.
object-group network lan
 network-object 10.33.0.0 255.255.255.0
 network-object 10.33.10.0 255.255.255.0
object-group network lan-clients
 network-object 10.33.0.0 255.255.255.0
! Inbound on inside. The last entry ("permit ip any any") makes the three
! preceding entries redundant: all traffic from inside hosts is allowed.
access-list inside_access_in extended permit icmp 10.33.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.33.0.0 255.255.0.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
! Inbound on outside. The second entry ("permit icmp any any") supersedes the
! echo-reply-only entry, so every ICMP type from any source is accepted on the
! outside interface. No TCP/UDP entry exists, so those hit the implicit deny.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
! Matches all TCP; used by class-map mss-map below.
access-list mss_allow_list extended permit tcp any any
!
! Let segments that exceed the configured MSS through instead of dropping them
! (pairs with "sysopt connection tcpmss 1400" below).
tcp-map tcp-mss-map
  exceed-mss allow
!
pager lines 24
! Logging: timestamped, 512 KB local buffer at debugging level. No syslog host
! appears in this listing, so messages exist only in the local buffer.
logging enable
logging timestamp
logging buffer-size 512000
logging asdm-buffer-size 512
logging console notifications
logging monitor informational
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
! Failover: this unit is secondary, so it takes the "standby" failover-link
! address 10.33.19.32. The "failover key" value and the failover interface
! settings must match ASA01 exactly or the units will not pair.
! NOTE(review): "failover key encryption" -- confirm whether "encryption" is
! the literal shared key or a redaction.
failover
failover lan unit secondary
failover lan interface failoverlink Vlan999
failover key encryption
failover interface ip failoverlink 10.33.19.31 255.255.255.0 standby 10.33.19.32
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT: every inside source (0.0.0.0/0) is translated to the outside
! interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
! Static routes: 10.33.0.0/16 via the inside router, default via the outside gateway.
route inside 10.33.0.0 255.255.0.0 10.33.10.254 1
route outside 0.0.0.0 0.0.0.0 10.33.20.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Management AAA: one local account at privilege 15; enable, HTTP (ASDM),
! serial, SSH and Telnet logins and command authorization all use LOCAL.
username administrator password XXXXXXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
! ASDM/HTTPS, Telnet and SSH are reachable only from 10.33.0.0/16 on inside.
! Telnet is cleartext; since SSH is enabled for the same range, the Telnet
! lines could be removed without losing remote management.
http 10.33.0.0 255.255.0.0 inside
! Clamp TCP MSS to 1400 for connections through the firewall.
sysopt connection tcpmss 1400
telnet 10.33.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.33.0.0 255.255.0.0 inside
ssh timeout 59
! 0 = the serial console never times out; consider a non-zero value.
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
! MSS policy: class matches all TCP (mss_allow_list) and applies tcp-mss-map.
class-map mss-map
 match access-list mss_allow_list
!
!
! NOTE(review): "outside-policy" is a duplicate of "mss-map" and is not bound
! by any service-policy line; only "mss-map" is applied (to outside, below).
policy-map outside-policy
 class mss-map
  set connection advanced-options tcp-mss-map
policy-map mss-map
 class mss-map
  set connection advanced-options tcp-mss-map
!
service-policy mss-map interface outside
! Time from the inside NTP server; no "ntp authenticate" in this listing.
ntp server 10.33.10.1 source inside prefer
smtp-server 10.33.0.51
prompt hostname context
! Checksum of the saved configuration at capture time; any edit changes it.
Cryptochecksum:49f7a876436dee23136652b283692b03
: end
