Cisco ASA Firewall Active / Standby Failover

Hi Rene,

if configuration on ASA1 is:

ASA1(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2

shouldn’t configuration on ASA2 be:

ASA2(config)# failover interface ip FAILOVER 192.168.12.2 255.255.255.0 standby 192.168.12.1 ?

Hello Aleksejs

When you configure the Active/Standby failover on ASA devices, you must choose one device to be the primary and one to be the standby. In this case Rene has chosen ASA1 as the primary and ASA2 as the standby. These configurations must be the same on both devices. That is, the IP address of the primary device must be the same (ASA1 with an IP address of 192.168.12.1) and that of the standby device must also be the same (ASA2 with an IP address of 192.168.12.2). This is why the command uses the same addresses as primary and standby.

I hope this has been helpful!

Laz
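To make the point above concrete, here is an added Active/Standby failover configuration for both units (an example written for this page, not configuration from the original lesson or from Rene's post). The failover link name FAILOVER and the 192.168.12.x addresses come from the question; the physical interface GigabitEthernet0/2, the inside/outside addresses and the failover key value are assumptions.

```cisco
! ASA1: the primary role is set with "failover lan unit", not by the order of the addresses
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
! This line is IDENTICAL on both units: the first address belongs to whichever unit is
! currently active, the standby address to the other, so it is not swapped on ASA2
failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2
! Authenticate and encrypt hello, state and config-sync traffic on the failover link;
! without a key that traffic crosses the link in cleartext (assumed key value)
failover key S3cureFailoverKey
! Data interfaces also carry a standby address so the pair can swap roles (assumed addresses)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
! Enable failover last, after the link and addresses are in place
failover

! ASA2: the only line that differs is the unit role; the interface configuration
! is replicated from the primary once the pair synchronises
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2
failover key S3cureFailoverKey
failover
```

After both units are up, `show failover` on ASA1 should report this host as Primary - Active and the other host as Secondary - Standby Ready; if the key differs between the units the pair never reaches that state. The key must be set on both units, and on a dedicated, physically isolated failover link, since anyone who can inject traffic on that link can otherwise influence the failover state.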

Hi Rene,
I have already read the ASA topic but I am confused about a few things:

  • What is the benefit of using the ASA compared with the PIX?
  • What is different, enhanced or improved when using the ASA compared with a Next Generation Firewall (e.g. Sophos XG, Palo Alto, ...)?
  • And is combining the ASA with the CSC-SSM or Firepower best practice? Could you take a look and make a tutorial about the ASA with those extended modules?
    Thanks

Hello Nguyen

The Cisco PIX was an older firewall and NAT appliance that Cisco had, but its end of sale was announced in 2008. The Cisco ASA which was introduced in 2005 replaced the PIX and is now the standard firewall appliance Cisco provides.

The term Next Generation Firewall is used for all firewalls including the ASA, as well as Sophos, Palo Alto, PFSense, and others, to describe today’s advanced firewall technology that combines traditional firewall functionality with advanced algorithms including deep packet inspection, and IPS. So all of these devices and products are capable of Next Generation Firewall capabilities. Now which one is best? How do they compare? It’s not for us to say here, but you can definitely find reviews and personal testimonies of people who have used them. Some are better for some purposes, and not for others, but it all comes down to personal experience.

As for the use of the CSC-SSM module or firepower, and best practices, if you would like a lesson written about these, then you can always go to the Member Ideas page and post your suggestions there:

I hope this has been helpful!

Laz

Thank Laz,

I just made the suggestion! Now that there is a matrix of NGFWs, I hope it will be clear and I can choose the best solution for the business.


Hi,

I need to ensure LAN users on 192.168.1.0/24 have ISP redundancy/load-balancing where internet connection is going through HA firewalls. The firewalls are connected to router CE1 and CE2, which are then connected to ISP PE1 router and ISP PE2 router respectively via BGP.

How can I ensure LAN users are able to access the internet without redistributing 192.168.1.0/24 into BGP? Thanks in advance!

Hello Kenneth

Typically, firewalls denote the edge of the enterprise network. As such, we usually have NAT running on them in order to allow internal devices to access external destinations. By adding NAT here, you can achieve what you want.

However, if we don’t use NAT, then you will somehow have to let the BGP AS 100 know how to get to the internal IP addresses of the subnet in question. There’s no way to avoid this.

In such scenarios, we usually have ISPs using public IP addresses, and the firewalls denoting the border between the public Internet and the private internal network. This is the most common situation, and is the method by which you can keep the internal addresses from being advertised.

I hope this has been helpful!

Laz
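As an added illustration of the NAT approach (example configuration written for this page, not from Kenneth's or Laz's posts): the HA firewall translates 192.168.1.0/24 behind its outside address and learns its default route from the CE routers, so only the outside prefix ever has to be reachable from AS 100 or the ISPs and 192.168.1.0/24 never enters BGP. The interface addresses, the OSPF area and the outside prefix 203.0.113.0/24 (treated here as the public block the CEs advertise) are assumptions.

```cisco
! HA firewall, active unit (standby addresses assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Object NAT: every LAN host leaves through the outside interface address (PAT)
object network LAN-192-168-1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Take the default route from CE1/CE2 over OSPF; the inside network is deliberately
! NOT listed, so the CEs never learn 192.168.1.0/24 and cannot leak it into BGP
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0

! CE1 and CE2 (IOS syntax, assumed): hand the firewall a default, advertise only the
! public block towards the PEs, and never redistribute OSPF into BGP
router ospf 1
 default-information originate
router bgp 100
 network 203.0.113.0 mask 255.255.255.0
```

On the firewall, `show nat detail` and `show xlate` confirm that LAN traffic is being translated, and `show route` should list the 0.0.0.0/0 route as learned via OSPF from both CEs. On the CEs, `show ip bgp` should contain 203.0.113.0/24 but nothing from 192.168.1.0/24; if it does, look for a `redistribute ospf` or `network 192.168.1.0` line under `router bgp` and remove it.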

Hi Lazaros,

The idea is not to advertise or redistribute routes of specific internal LAN subnets (e.g. 192.168.1.0/24) to the ISPs. I figured out that the CE routers can advertise:

  1. BGP default route to the PE routers
  2. IGP (e.g. OSPF) default route to the firewalls

I tried BGP multipath load sharing; not sure why I am not seeing the alternate path marker ‘m’ when I run show ip bgp.

CE Router1 & CE Router2
(config)#router bgp 100
(config-router)#maximum-paths 2

Hello Kenneth

Based on your configuration, you are trying to configure multiple paths via iBGP, since you are configuring it in the same AS as the CE routers. For this to function you are required to include the ibgp keyword in the command. Specifically:

(config-router)#maximum-paths ibgp 2

Take a look at this lesson that details BGP multipath load sharing:

I hope this has been helpful!

Laz

Hi Laz,

I am trying to allow iBGP multiple path towards the CE routers and ebgp towards its directly connected PE router.
Both commands below don’t seem to work:
CE Router1 & CE Router2
(config-router)#maximum-paths ibgp 2
(config-router)#maximum-paths 2

Hello Kenneth

Understood. There are many things that can be causing this. I will give you a couple of scenarios below to help you in the troubleshooting process:

  1. You must verify that the following attributes for both paths on which you want to implement equal-cost load balancing are THE SAME:
    1- Weight
    2- Local Preference
    3- AS Path length
    4- MED value
    5- Origin code
    Load balancing will occur ONLY IF all of the above are the same for the same destination network.
  2. Another issue that you might be facing is the fact that some routes are being learned from two different ISPs. For such situations, Cisco states the following:

When BGP multi-pathing is enabled, BGP load-balances user traffic within a single autonomous system (AS). The criteria are that all attributes must match (weight, AS path, etc). However when a device is multi-homed to multiple autonomous systems, BGP cannot load balance traffic between them by default. In order to enable load-balancing of traffic among the multi-homed autonomous systems, the bgp bestpath as-path multipath-relax command needs to be enabled. The criteria required for this is that the AS-path length should be equal.

This is taken from the following link:
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/command/reference/b_routing_cr52xasr9k/b_routing_cr52xasr9k_chapter_01.html#wp1982813266

I hope this helps you in your troubleshooting efforts.

Laz

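An added example (written for this page, not Kenneth's or Laz's configuration) of what a CE router looks like once both multipath forms and the AS-path relaxation from the answers above are in place, in IOS syntax. The page gives only AS 100 for the CE side; the PE address, the ISP AS number and the CE-to-CE link address are assumptions.

```cisco
! CE1 (CE2 is the mirror image, peering with its own PE)
router bgp 100
 bgp log-neighbor-changes
 ! Two eBGP paths via different ISP ASes fail the "identical AS_PATH" test; relax it
 ! to "equal AS_PATH length" so both can be installed as multipath
 bgp bestpath as-path multipath-relax
 neighbor 203.0.113.1 remote-as 65001      ! PE1 (assumed)
 neighbor 10.0.0.2 remote-as 100           ! CE2 over the CE-CE link (assumed)
 neighbor 10.0.0.2 next-hop-self
 maximum-paths 2                           ! up to two eBGP paths (learned from PEs)
 maximum-paths ibgp 2                      ! up to two iBGP paths (learned from the other CE)
```

Two checks are worth doing before looking for the `m` marker. First, multipath only ever groups paths of the same type: an eBGP path and an iBGP path to the same prefix are never installed together, because eBGP wins the best-path comparison outright, and `maximum-paths eibgp` is only accepted inside a VRF address family. So if CE1 learns the default from PE1 via eBGP and the same default from CE2 via iBGP, `show ip bgp 0.0.0.0` will never flag the iBGP path with `m`; that path is a failover path, not a load-sharing one. Load sharing on CE1 needs two paths of one type, for example sessions to both PEs. Second, for iBGP multipath the IGP metric to the next hop must also be equal on the candidate paths, on top of the attribute list in the answer above. `show ip bgp <prefix>` lists each path with the word `multipath` once it qualifies, and `show ip route <prefix>` then shows both next hops.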

Can we have an existing ASA 5525 (or any ASA firewall) with a running configuration on it, and then introduce the failover configuration at a later stage along with the standby unit? This is of course assuming that the second firewall is of the same model and IOS version etc.

I am looking to cluster a standalone firewall by introducing a second unit and am not sure if the above approach is feasible on an already configured and existing ASA ?

Hello Nishesh

Yes this is a feasible scenario. As long as the prerequisites are met for the second ASA (as stated in the following lesson) then you can implement this.

You just have to keep in mind that it’s not always easy to adjust an existing config of a running device to conform to an Active/Standby situation. It’s not impossible, but it may be tricky. You may have a lot of config parameters that have been added over time that may get in the way of the final state that you desire between the two devices. Depending on how you approach it, you may want to take some time to design the configs of both the Active and Standby devices beforehand and do a trial run during a maintenance window to see how things go. Sometimes it’s easier to begin the configuration from scratch in such cases, but you’ll have to decide what works best for you.

I hope this has been helpful!

Laz

Does the ASA not support Active/Active?

Hello Pichai

Actually, the ASA can be configured in an Active/Active failover arrangement. There is not yet a lesson for this, but it may be added in the future. More information about it can be found at the following Cisco documentation:

I hope this has been helpful!

Laz

Hi all,
we have a pair of 2130s in ASA mode (Active/Standby). Does anyone know how to enable FIPS on the 2130s? Do I need to enable FIPS on each individual Firepower and reboot it under FXOS mode?

Thank you.
Lee

Hello Lee,

The same FIPS mode is a requirement for failover so I think you’ll need to enable FIPS on each individual firepower and reboot them.

Rene

Hi Rene,
After enabling FIPS on the ASA firewall the IPsec tunnel (IKEv1) is broken. Could you please give me some advice? I read some Cisco docs and they state that I need to change it to IKEv2, which can use a DH group greater than 5.
Also, I have another question for you please. How do I configure redistribution of BGP into EIGRP with multiple specific IP addresses from customers on the Internet that we want to connect to?

Thanks,
Lee

Hello Lee

Yes, this behaviour is expected. It is true that enabling FIPS mode on the ASA requires DH keys of 2048 bits or larger, which is something that IKEv1 does not support. For this reason, IKEv2 must be used with a DH key size of at least 2048 bits. Note that this is based on the ASA’s FIPS 140-2 certification compliance, introduced as part of the update in ASA 9.4(1) and later. More on this can be found at the following link:

In order to redistribute routes from BGP to EIGRP, you must use the redistribute command either under the router bgp configuration mode or under the address family mode. More on mutual redistribution between BGP and EIGRP can be found here:

Now if you want to redistribute only particular prefixes rather than all available BGP routes, then you can use the redistribute command with the appropriate route map that will filter out the particular prefixes you want. You can find more information about how to do this in the Cisco command reference for this command:

I hope this has been helpful!

Laz
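As an added example of the redistribution part of the answer above (written for this page, not from Lee's or Laz's posts), this is a selective BGP-to-EIGRP redistribution in IOS syntax: a prefix list names the customer prefixes, a route map applies it, and the `redistribute` line under `router eigrp` carries both the filter and the seed metric. The prefix values, the BGP AS 65000, the EIGRP AS 1 and the tag value are assumptions; Lee's platform is an ASA, whose `router eigrp` mode is assumed to accept the same `redistribute bgp ... route-map` form, so check the ASA command reference for the exact syntax there.

```cisco
! Only these customer prefixes (assumed values) may enter EIGRP; everything else
! learned from the Internet via BGP is dropped by the route map's implicit deny
ip prefix-list CUSTOMER-PREFIXES seq 10 permit 198.51.100.0/24
ip prefix-list CUSTOMER-PREFIXES seq 20 permit 203.0.113.16/28
!
route-map BGP-TO-EIGRP permit 10
 match ip address prefix-list CUSTOMER-PREFIXES
 set tag 65000                      ! mark the routes so they can be recognised later
!
! Guard against mutual redistribution loops: never send the tagged routes back into BGP
route-map EIGRP-TO-BGP deny 10
 match tag 65000
route-map EIGRP-TO-BGP permit 20
!
router eigrp 1
 network 10.0.0.0
 ! EIGRP has no usable metric for routes from another protocol; without "metric ..."
 ! (or default-metric) the redistributed routes are not advertised at all
 redistribute bgp 65000 metric 10000 100 255 1 1500 route-map BGP-TO-EIGRP
!
router bgp 65000
 redistribute eigrp 1 route-map EIGRP-TO-BGP
```

`show ip eigrp topology` should then list only the two customer prefixes as external (EX) routes, and `show route-map BGP-TO-EIGRP` shows the match counters climbing as BGP updates are evaluated. Keeping the prefix list this tight is also the security control here: without the route map, the full set of BGP-learned routes leaks into the IGP, and the `deny` on the tag is what stops them from circling back into BGP as locally originated routes.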

Hello Laz,
Thank you for your email. I don’t know how to change/modify the DH key size to at least 2048 bits on the ASA firewall, please advise. However, I did create the IKEv2 policy below with DH group 14 and tested it, but phase 1 is not up… of course the remote side has made the same change too.

crypto ikev2 policy 10
encryption aes-256
integrity sha256 sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable Internet