I recently took delivery of 2 x Cisco ASA 5515 firewalls for one of my clients. This is a simple configuration guide for setting them up as an Active/Standby (often called Active/Passive) failover pair.

Brief Overview:

Port 0 = LAN
Ports 1-3 = NOT USED
Port 4 = Failover link
Port 5 = WAN

Assumptions:
Hardware on both ASA firewalls is identical.
The same software version is installed on both firewalls.
The PRIMARY firewall is already set up (not massively important, as I did this project from scratch).

IP Address:
LAN
Main – 10.20.0.254
Standby – 10.20.0.250

WAN
Main – 77.22.22.6
Standby – 77.22.22.5

A cable connects G0/4 on the two ASAs directly, with no switch in between.

The LAN cable goes into our core switches, and the WAN link is a dual link supplied by our provider at the datacentre.

Take a backup of the Main firewall's running config if you do not already have one, for example copy running-config flash:/pre-failover.cfg (the filename is your choice; a TFTP destination works equally well).

Primary Firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

CiscoASA(config)# interface g0/5
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Outside
CiscoASA(config-if)# security-level 0
CiscoASA(config-if)# ip address 77.22.22.6 255.255.255.0 standby 77.22.22.5
CiscoASA(config-if)# interface g0/0
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Inside
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# ip address 10.20.0.254 255.255.255.0 standby 10.20.0.250

Give every data interface a standby address: the two units exchange hellos over the data interfaces using these addresses, and an interface without one can only be tracked by link state. Forcing speed 100 / duplex full on a Gigabit port is only safe if the switch or provider side is forced the same way; a mismatch shows up as errors and a flapping interface rather than a clean failure.

CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252

CiscoASA(config)# failover key 222333444

The key must be identical on both units. Do not skip it: without a failover key everything replicated over the failover and state links, including the full configuration with its passwords and keys, crosses the wire in cleartext. Use a long random secret rather than a short numeric one like the example above.

SETS FIREWALL AS PRIMARY
CiscoASA(config)# failover lan unit primary

TURN ON FAILOVER
CiscoASA(config)# failover

ENABLE STATEFUL FAILOVER (the state link shares the physical failover link, so it must reuse the LANFAIL interface name rather than a new one)
CiscoASA(config)# failover link LANFAIL GigabitEthernet0/4

SAVE CONFIG
CiscoASA(config)# wr

Secondary Firewall

Ensure the cabling is correct on the primary and secondary firewalls before continuing. The secondary only needs the bootstrap below; everything else is replicated from the primary once the pair forms.

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

DEFINE THE FAILOVER LINK (same interface name, addresses and key as on the primary)
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252

CiscoASA(config)# failover key 222333444

SETS FIREWALL AS SECONDARY
CiscoASA(config)# failover lan unit secondary

TURN ON FAILOVER
CiscoASA(config)# failover

You should see this on the secondary's console once it finds the primary:

Detected an Active mate
Beginning configuration replication from mate.

Once replication finishes, check the pair from the primary (and run wr on the active unit again, which saves the startup config on the standby as well):

CiscoASA5515# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014
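Check that output programmatically rather than by eye, especially if you manage more than one pair. The following is an added example, not code from the original post: it parses "show failover" text and flags the conditions that stop a pair working or protecting you (failover off, link down, no mate or a version mismatch, holdtimes below the ASA's minimum multiples, nothing monitored). The sample text is a constructed copy of the output above, and the function names are this example's own.

```python
import re

# Constructed sample: the "show failover" output from the page, reproduced so the
# check runs offline. Replace with the real output captured from your own unit.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014
"""

# Timers print as "N seconds" or "N milliseconds"; both forms are accepted here.
_TIMER = r"(\d+) (milli)?seconds, holdtime (\d+) (milli)?seconds"


def _ms(value, milli):
    """Normalise a timer to milliseconds."""
    return int(value) if milli else int(value) * 1000


def parse_show_failover(text):
    """Pull the fields a health check needs out of 'show failover' output."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            info["enabled"] = True
        elif line.startswith("Failover Off"):
            info["enabled"] = False
        elif m := re.match(r"Failover unit (\w+)", line):
            info["unit"] = m.group(1)
        elif m := re.match(r"Failover LAN Interface: (\S+) (\S+) \((\w+)\)", line):
            info["lan_if"], info["lan_phys"], info["lan_state"] = m.groups()
        elif m := re.match(r"Unit Poll frequency " + _TIMER, line):
            info["unit_poll_ms"] = _ms(m.group(1), m.group(2))
            info["unit_hold_ms"] = _ms(m.group(3), m.group(4))
        elif m := re.match(r"Interface Poll frequency " + _TIMER, line):
            info["if_poll_ms"] = _ms(m.group(1), m.group(2))
            info["if_hold_ms"] = _ms(m.group(3), m.group(4))
        elif m := re.match(r"Monitored Interfaces (\d+) of (\d+) maximum", line):
            info["monitored"] = int(m.group(1))
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            info["ours"], info["mate"] = m.groups()
    return info


def failover_health(info):
    """Return the problems found; an empty list means the pair looks healthy."""
    problems = []
    if not info.get("enabled"):
        problems.append("failover is off")
    if info.get("lan_state") != "up":
        problems.append(f"failover LAN interface {info.get('lan_if')} is {info.get('lan_state')}")
    mate = info.get("mate")
    # The mate version reads Unknown while the unit has not yet seen its mate.
    if mate in (None, "Unknown"):
        problems.append("mate not detected")
    elif mate != info.get("ours"):
        problems.append(f"software version mismatch: ours {info['ours']}, mate {mate}")
    # The ASA requires unit holdtime >= 3x unit polltime and
    # interface holdtime >= 5x interface polltime.
    if info.get("unit_hold_ms", 0) < 3 * info.get("unit_poll_ms", 0):
        problems.append("unit holdtime below 3x polltime")
    if info.get("if_hold_ms", 0) < 5 * info.get("if_poll_ms", 0):
        problems.append("interface holdtime below 5x polltime")
    if info.get("monitored", 0) == 0:
        problems.append("no interfaces are monitored")
    return problems


if __name__ == "__main__":
    state = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print(failover_health(state) or "healthy")
```

Feed it the output of "show failover" from each unit in turn; the unit role differs but everything else should match, and any non-empty result is worth investigating before you rely on the pair.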
FINE TUNE

The default failover timers are conservative (unit holdtime 15 seconds, interface poll 5 seconds with holdtime 25 seconds), so the pair can take a while to notice a dead mate. Here is my recommendation; both are global configuration commands, not interface commands:

CiscoASA(config)# failover polltime unit 1 holdtime 3
CiscoASA(config)# failover polltime interface 3 holdtime 15

The ASA will not accept a unit holdtime below 3 times the unit poll interval or an interface holdtime below 5 times the interface poll interval, and the values above sit right on those floors. Shorter holdtimes give faster failover but also more chance of a spurious switchover if the failover link or an interface drops for a moment, so test them in a maintenance window.
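Most failover bring-up problems come from the two bootstraps drifting apart: a different key, a typo in the standby address, or a state link given a different name from the failover link. As an added example that is not part of the original post, the Python below renders both units' bootstrap commands from a single set of parameters and checks the invariants the ASA enforces (holdtime multiples, both link addresses in one subnet) plus one it does not (key strength). The dataclass, the function names and the 16-character key threshold are assumptions of this example, not Cisco rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FailoverParams:
    """Everything both units must agree on, kept in one place so it cannot drift."""
    lan_if_name: str     # logical name of the failover link, e.g. LANFAIL
    lan_phys_if: str     # physical port carrying the link, e.g. GigabitEthernet0/4
    ip: str              # failover link address used by the primary
    standby_ip: str      # failover link address used by the secondary
    mask: str
    key: str             # shared secret that encrypts failover and state traffic
    unit_poll: int = 1   # all timers in seconds
    unit_hold: int = 3
    if_poll: int = 3
    if_hold: int = 15


def validate(p):
    """Return problems that would stop the pair forming or leave it weak."""
    problems = []
    a = ipaddress.ip_interface(f"{p.ip}/{p.mask}")
    b = ipaddress.ip_interface(f"{p.standby_ip}/{p.mask}")
    if a.network != b.network:
        problems.append("active and standby failover addresses are in different subnets")
    if a.ip == b.ip:
        problems.append("active and standby failover addresses are identical")
    # Threshold is this example's own choice: the ASA accepts short digit-only keys,
    # but the key is all that protects configuration replication on the wire.
    if len(p.key) < 16 or p.key.isdigit():
        problems.append("failover key is short or digits only; use a long random secret")
    # The ASA rejects holdtimes below these multiples of the poll interval.
    if p.unit_hold < 3 * p.unit_poll:
        problems.append("unit holdtime must be at least 3x unit polltime")
    if p.if_hold < 5 * p.if_poll:
        problems.append("interface holdtime must be at least 5x interface polltime")
    return problems


def bootstrap(p, role):
    """Render the bootstrap commands for one unit; role is 'primary' or 'secondary'."""
    if role not in ("primary", "secondary"):
        raise ValueError(f"unknown role {role!r}")
    lines = [
        f"clear configure interface {p.lan_phys_if}",
        f"interface {p.lan_phys_if}",
        " no shutdown",
        f"failover lan unit {role}",
        f"failover lan interface {p.lan_if_name} {p.lan_phys_if}",
        # Identical on both units: first address is the primary's, standby the secondary's.
        f"failover interface ip {p.lan_if_name} {p.ip} {p.mask} standby {p.standby_ip}",
        f"failover key {p.key}",
    ]
    if role == "primary":
        # The state link shares the failover link, so it reuses the same logical name.
        # Timers only need entering on the primary; they replicate with the config.
        lines += [
            f"failover link {p.lan_if_name} {p.lan_phys_if}",
            f"failover polltime unit {p.unit_poll} holdtime {p.unit_hold}",
            f"failover polltime interface {p.if_poll} holdtime {p.if_hold}",
        ]
    lines.append("failover")
    return lines


if __name__ == "__main__":
    # Constructed parameters matching the addresses used on this page.
    params = FailoverParams("LANFAIL", "GigabitEthernet0/4", "192.168.6.250",
                            "192.168.6.252", "255.255.255.0", "222333444")
    print("problems:", validate(params))
    for role in ("primary", "secondary"):
        print(f"\n! {role}")
        print("\n".join(bootstrap(params, role)))
```

Generate both bootstraps from the same object, paste each onto its unit, and only then enable failover; if validate() reports anything, fix the parameters before touching either box.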
