Hey Folks,

After a while having fun passing CCIE SECURITY a break and here i come with a new concept which might be a good case to discuss and implement, we have many scenarios already setup for Active/Standby or Active/Active for Cisco ASA Firewall, but what if we want to have both scenarios in same setup..

Here in this lab i am planning to implement and test the scenario where we have both Active/Active for our Access Layer and Active/Standby solution for our Core layer, should will or will not be designed in real environment but to sum up all the concept of ASA Virtualization and redundancy we will have below lab build on virtual labs:

Our lab will look like below:

In the above lab, i use Simple Windows XP to test the overall setup, which has 2xNIC cards connected in two VLANs in Access Layer Switches which are VLAN-10 and VLAN-20.

Vlan 10 is having IP from the range of 192.168.12.x/24 and Vlan 20 is having IP from the range of 192.168.13.x/24.  Both switches are connected through Trunk links.

The lab background is Customers are connected through VLAN10 and VLAN20 to have internet from ISP, our Customer A will be marked in ASA FW as context C1 and Customer B which is VLAN 20 will be marked as context C2. Interface which are connected between Access Switches are both part of VLAN10 and VLAN 20. and having default routes toward Access Layer Firewalls.

I will not go through the switch configurations which are really basics but direct jump to the Firewall Sections:

Our Access Layer Firewalls are configured for ACTIVE/ACTIVE scenario and having static route for VLAN10 and VLAN20 toward it’s ACCESS layer switches and default route to outside. Below is the context configuration on Access-A1:

We create 2x Context as required and put interfaces part of each Context, we will talk about the Failover commands later and above we have used same interface for our OUTSIDE communication which is Ethernet2, in the case of Interface Sharing we will not have required result because our ARP request always fail for having single MAC address for dual IP addresses, in case of MAC interface sharing we need to use below commands: (Command + It’s OUTPUT).

mac-address auto command will change default mac address of the interface which is shared between contexts and once that command is used you can see that same interface have different mac addresses for difference context. There is nothing special configuration for the interface except having ip addresses as below:

Now our configuration for the ASA 1 for Access Layer has been completed, below is how i configured Failover between 2 devices. which are connected through Ethernet4:

Above we create two Failover Groups which are 1 and 2, and put those under different contexts. Access- A1 is primary for Group1, C1 context and Access- A2 is Active for inside network of context C2, once we have this on Access-A1 we need to do the same on Access-A2 to enable Firewall Failover work. Make sure you enable all interfaces so our Failover works: below is the output of Failover:

above is the output on Access-A1 device which shows that all interfaces are being monitored and our Group 1 is Active on Current router and group 1 is standby on other end, below is the result of other end firewall (Access-A2):

above output shows that Access-A2 is standby for both groups which are ground 1 and group 2:

Moving forward on Core layer firewalls which acts as gateway, it will provide internet connectivity to the end users, it is connected to the outside through the interfaces which has default route to outside. For inside it has static routes for 192.168.0.0/16 range. and we also have NATTING enabled for VLAN10 and VLAN20, below is full config set for Core-A1:

Above it shows that we have 2 Object groups created for INSIDE-10 which is for VLAN10 and INSIDE-20 which is for VLAN-20, i have NATTED both VLAN10 to 192.168.21.10 and VLAN20 to 192.168.21.20 which are part of Object network OUTSIDE-10 and OUTSIDE-20. After that i have NAT statement which NAT those statically to OBJECT group of OUTSIDE.

Failover configuration is same as we have for our Access Layer Devices, once that all setup we then need to test the setup from PC end.

INFO: if your route for VLAN 20 didn’t worked, you need to add route on Core ASA-1 for VLAN 10 pointing ASA-1 and VLAN20 pointing ASA-2.

PS: On our Internet router, we have 3 Loopbacks which are configured for 1.1.1.1 / 2.2.2.2 & 3.3.3.3 IP addresses and in middle i have also allowed/inspect ICMP packets on all devices for test purpose.

Verification:

From PC we will initiate test ping to all loopback of INTERNET as first to test availability through VLAN 10:

Our ICMP works perfectly fine, let’s see NAT output on ASA Firewalls:

Ok perfect our NAT is also working, let’s test through VLAN20:

Voila our network setup is done, and end to end test has also completed, hope that helps and if any issue ping me directly..

Cheers,