Cisco ASA Firewall Active / Standby Failover

Hi Oskar,

Having different images on the primary and secondary ASA is not a good idea. I would make sure you have the same image on both.

Rene

Hi Rene,
I’m new to your service and just want to say I like what I’ve seen so far.

I have 2 questions regarding ASA placement and setups

Question 1: on the diagram on this page, what’s the subnet used for the 2 routers? I notice you have 3 subnets in the setup: one for the inside and one for the outside, plus the HA subnet to connect the 2 ASAs. But I’m just wondering what the other one for the 2 routers is? (Assuming it can be any, but I just want to make sure it’s another subnet.)

Question 2

Do you have any lessons using 2 ASAs and also 2 routers for redundancy on the outside? It seems that for a complete full redundancy setup, a setup needs to have 2 L3 switches on the inside | 2 ASAs | then 2 routers on the outside also connecting to 2 different ISPs, plus also the L2 switches connecting the ASAs on both sides, correct?

Assuming the latter would be more of a setup on a bigger network? I’m just trying to find out about other scenarios and what the most used scenarios are in real networks, since I will start working in the field soon. As you can tell, I don’t have much practice on real-life networks.

Thanks Rene

Art

Hi Rene,

Checking further on the diagram, it looks like I got the answer to my Question 1: the interface of router 2 has an IP in the 192.168.2.0/24 (.1) subnet and the inside R1 has an IP address in the 192.168.1.0/24 (.2) subnet.

Hi Art,

Glad to hear you like it!

On the inside I’m using 192.168.1.0/24, R1 is on 192.168.1.1. On the outside we have 192.168.2.0/24 with R2 using 192.168.2.2.

In labs/examples I try to stick to using the number of the router/switch as the IP address.

This example explains how failover works on the ASA, but for full redundancy you’ll need to add some extra components, yes. The two switches are still single points of failure, and so is R2 on the outside.

The switch on the outside could be replaced with two switches, perhaps in a stack:

You could then use two routers on the outside, connected to two different ISPs.

If you want to learn a bit more about different ASA designs, you might like Cisco’s Validated Designs. Here’s an example:

Rene

Hi Rene,

I had a quick question. I haven’t started this lab yet, however I can see that ASA 2’s outside interface doesn’t have an IP. In an active/standby situation, when the active fails, does the outside IP on ASA1 get replicated to ASA 2’s outside IP? For e.g., will ASA1’s e0/1 .254 IP get replicated to ASA 2’s e0/1 interface?

Sorry, it’s just a bit confusing for a first-timer doing this lab.

Thanks.

Hello Sina

When configuring the ASAs in active/standby mode, ASA1 is configured fully with IP addresses on all interfaces. When ASA 2 is configured, you only configure the commands that allow it to function as the standby device. This means that no outside or inside interfaces are configured and no IP addresses are configured on these interfaces.

In the configuration of the ASA1 however, you can see the following commands implemented on interface Ethernet 0/1:

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

The command standby 192.168.2.253 in essence configures the IP address of the standby device.

So, if a failover does occur where ASA1 is no longer functioning, ASA2 will assume the active role. This means that ASA2 will adopt the IP addresses and MAC addresses of the interfaces of the failed unit and will begin to pass traffic. If ASA1 comes back online, ASA2 will remain active and ASA1 will assume the standby IP addresses. In essence, they swap IP and MAC addresses whenever there is a failover.

Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network, and hosts know nothing of the failover.

In the verification section, some output of the show failover command on ASA1 shows the following:

Last Failover at: 12:23:34 UTC Dec 19 2014
    This host: Primary - Active
        Active time: 1664 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.254): Normal (Monitored)
          Interface OUTSIDE (192.168.2.254): Normal (Monitored)
        slot 1: empty
    Other host: Secondary - Standby Ready
        Active time: 31 (sec)
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.253): Normal (Monitored)
          Interface OUTSIDE (192.168.2.253): Normal (Monitored)
        slot 1: empty

If ASA1 fails and comes back up, ASA 2 will take the active role and ASA 1 will take the standby role and the output would be reversed like so:

Last Failover at: 12:23:34 UTC Dec 19 2014
    This host: Secondary - Standby Ready
        Active time: 31 (sec)
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.253): Normal (Monitored)
          Interface OUTSIDE (192.168.2.253): Normal (Monitored)
        slot 1: empty
    Other host: Primary - Active
        Active time: 1664 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.254): Normal (Monitored)
          Interface OUTSIDE (192.168.2.254): Normal (Monitored)
        slot 1: empty

The IP addresses would be swapped.

I hope this has been helpful for you!

Laz
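As an added example (not part of the thread or the lesson), a small Python check that parses show failover output in the format quoted above and flags the conditions a monitoring script would want to alert on: a pair that is not in the Active / Standby Ready state, software versions that differ between the two units (the point Rene makes earlier about running the same image on both), and monitored interfaces that are not Normal. The sample output is constructed from the format shown in the post; the regexes assume that layout.

```python
import re
# Constructed sample, following the `show failover` format quoted in the thread.
SAMPLE = """\
Last Failover at: 12:23:34 UTC Dec 19 2014
    This host: Primary - Active
        Active time: 1664 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.254): Normal (Monitored)
          Interface OUTSIDE (192.168.2.254): Normal (Monitored)
        slot 1: empty
    Other host: Secondary - Standby Ready
        Active time: 31 (sec)
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (192.168.1.253): Normal (Monitored)
          Interface OUTSIDE (192.168.2.253): Normal (Monitored)
        slot 1: empty
"""
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary) - (.+?)\s*$")
SLOT_RE = re.compile(r"hw/sw rev \(([\d.]+)/(.+)\) status \((.+?)\)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+) \((.+)\)\s*$")

def parse_show_failover(text):
    """Return {"This": {...}, "Other": {...}}: unit, state, sw version and interfaces."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"unit": m[2], "state": m[3], "sw": None, "interfaces": {}}
            hosts[m[1]] = cur
        elif cur is not None and (m := SLOT_RE.search(line)):
            cur["sw"] = m[2]  # software version, e.g. "9.1(5)"; slot status is m[3]
        elif cur is not None and (m := IFACE_RE.match(line)):
            cur["interfaces"][m[1]] = {"ip": m[2], "status": m[3], "monitor": m[4]}
    return hosts

def failover_problems(hosts):
    """Health findings for the pair; an empty list means it is healthy."""
    problems = []
    if set(hosts) != {"This", "Other"}:
        return ["output does not describe both failover units"]
    states = {h["state"] for h in hosts.values()}
    if states != {"Active", "Standby Ready"}:  # e.g. Failed, Cold Standby, Negotiation
        problems.append(f"unexpected unit states: {sorted(states)}")
    if hosts["This"]["sw"] != hosts["Other"]["sw"]:
        problems.append("software versions differ between units")
    for who, h in hosts.items():
        for name, i in h["interfaces"].items():
            if i["status"] != "Normal" or i["monitor"] != "Monitored":
                problems.append(f"{who} host {name}: {i['status']} ({i['monitor']})")
    return problems
```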

Hi,

In this topology, do we need a failover IP address for the outside interface?

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

Is the below OK?

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 

Thanks

Hi Sims,

Here’s a link to a similar answer to the same question:

https://forum.networklessons.com/t/cisco-asa-firewall-active-standby-failover/177/3?u=renemolenaar

Rene


Hello Rene,
Thanks for your article,
How can I reload both firewalls (Active & Standby) from the CLI? I know how to do it through reload system in ASDM.
Thanks in advance.

Hi Wisam,

You can do failover reload-standby to reload the standby ASA, then a regular reload to reload the active one.

Rene

I’m having an issue with my ASA failover. The router had the route (route outside 0.0.0.0 0.0.0.0 x.x.x.x 1); when I removed it and added route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1, the connection fails. I’m not sure what I’m doing wrong. Can I get some assistance please?

Hello Ebenezer

The only difference in the two cases is the track 1 keywords at the end. What do you have configured as your tracking parameters for track 1? Take a look at those parameters and see if they are the issue.

Let us know your results!

I hope this has been helpful.

Laz

Hi Rene,

if configuration on ASA1 is:

ASA1(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2

shouldn’t configuration on ASA2 be:

ASA2(config)# failover interface ip FAILOVER 192.168.12.2 255.255.255.0 standby 192.168.12.1 ?

Hello Aleksejs

When you configure the Active/Standby failover on ASA devices, you must choose one device to be the primary and one to be the standby. In this case Rene has chosen ASA1 as the primary and ASA2 as the standby. These configurations must be the same in both devices. That is, the IP address of the primary device must be the same (ASA1 with an IP address of 192.168.12.1) and that of the standby device must also be the same (ASA2 with an IP address of 192.168.12.2). This is why the command uses the same addresses as primary and standby.

I hope this has been helpful!

Laz

Hi Rene,
I read the ASA topic already, but I am confused about something:

  • What is the benefit when choosing between PIX and ASA?
  • What is different, enhanced or improved when using ASA compared with a Next Generation Firewall (e.g. Sophos XG, Palo Alto …)?
  • And is ASA combined with CSC-SSM or Firepower best practice? Could you take a look and make a tutorial about ASA with those extended modules?

Thanks

Hello Nguyen

The Cisco PIX was an older firewall and NAT appliance that Cisco had, but its end of sale was announced in 2008. The Cisco ASA which was introduced in 2005 replaced the PIX and is now the standard firewall appliance Cisco provides.

The term Next Generation Firewall is used for all firewalls including the ASA, as well as Sophos, Palo Alto, pfSense, and others, to describe today’s advanced firewall technology that combines traditional firewall functionality with advanced algorithms including deep packet inspection and IPS. So all of these devices and products are capable of Next Generation Firewall capabilities. Now which one is best? How do they compare? It’s not for us to say here, but you can definitely find reviews and personal testimonies of people who have used them. Some are better for some purposes and not for others, but it all comes down to personal experience.

As for the use of the CSC-SSM module or Firepower, and best practices, if you would like a lesson written about these, then you can always go to the Member Ideas page and post your suggestions there:

I hope this has been helpful!

Laz

Thank Laz,

I just suggested it!!! Now I have a matrix of NGFs; I hope to understand them clearly and choose the best solution for the business.


Hi,

I need to ensure LAN users on 192.168.1.0/24 have ISP redundancy/load-balancing where internet connection is going through HA firewalls. The firewalls are connected to router CE1 and CE2, which are then connected to ISP PE1 router and ISP PE2 router respectively via BGP.

How can I ensure LAN users are able to access the internet without redistributing 192.168.1.0/24 into BGP? Thanks in advance!

Hello Kenneth

Typically, firewalls denote the edge of the enterprise network. As such, we usually have NAT running on them in order to allow internal devices to access external destinations. By adding NAT here, you can achieve what you want.

However, if we don’t use NAT, then you will somehow have to let the BGP AS 100 know how to get to the internal IP addresses of the subnet in question. There’s no way to avoid this.

In such scenarios, we usually have ISPs using public IP addresses, and the firewalls denoting the border between the public Internet and the private internal network. This is the most common situation, and is the method by which you can keep the internal addresses from being advertised.

I hope this has been helpful!

Laz