
ASA 5500 High Availability

ASAv#configure terminal
ASAv(config)#interface GigabitEthernet0/0
ASAv(config-if)#nameif PUBLIC
ASAv(config-if)#security-level 0                                ::::: Default is 0
ASAv(config-if)#interface gi0/1
ASAv(config-if)# security-level 100                             ::::: this is the inside network, we need to set it to 100
ASAv(config-if)#failover lan unit primary                       ===== Configure the unit as primary
ASAv(config-if)#failover lan interface FAILOVER gi0/6           ===== Name the failover interface gi0/6 FAILOVER
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ASAv(config-if)#failover interface ip FAILOVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
ASAv(config-if)# inter gi0/6
ASAv(config-if)# no shutdown
_______________________________________________________________________
                                                                                                                                     

ASAv(config-if)# failover link STATE gi0/5
INFO: Non-failover interface config is cleared on GigabitEthernet0/5 and its sub-interfaces
ASAv(config-if)# failover interface ip STATE 192.168.253.1 255.255.255.0 standby 192.168.253.2
ASAv(config-if)# inter gi0/5
ASAv(config-if)# no shut
ASAv(config-if)# int gi0/0
ASAv(config-if)# ip address 192.168.99.6 255.255.255.0 standby 192.168.99.7
ASAv(config-if)# no shutdown
ASAv(config-if)# int g0/1
ASAv(config-if)# ip address 192.168.238.6 255.255.255.0 standby 192.168.238.7
ASAv(config-if)# no shutdown
ASAv(config-if)# failover                                       ===== VERY IMPORTANT COMMAND (this enables failover)

Tools to check:
    show failover
    show failover interface
ASAv# sh failover 
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.5(1)201, Mate Unknown
Last Failover at: 13:46:26 UTC Oct 17 2015
This host: Primary - Active
Active time: 111 (sec)
slot 0: empty
 Interface OUTSIDE (192.168.99.6): Unknown (Waiting)
Interface INSIDE (192.168.238.6): Unknown (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
 Interface OUTSIDE (192.168.99.7): Unknown (Waiting)
 Interface INSIDE (192.168.238.7): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : STATE GigabitEthernet0/5 (up)
 -------------------------------------------------------------------------------------------

ASAv# show failover interface
interface FAILOVER GigabitEthernet0/6
System IP Address: 192.168.254.1 255.255.255.0
My IP Address : 192.168.254.1
Other IP Address : 192.168.254.2
interface STATE GigabitEthernet0/5
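The two show commands above are what an operator reads by eye; for monitoring it helps to parse them. The following is an added example (not from the original post) that parses `show failover` output and reports anything that is not a healthy Active / Standby Ready pair with all monitored interfaces Normal. The sample text is constructed from the capture above, taken while the secondary was still down, so the check flags it.

```python
# Added example, not from the original post: parse `show failover` output and
# flag an unhealthy HA pair. The sample is constructed from the output above.
import re

SHOW_FAILOVER = """\
Failover On
Failover unit Primary
This host: Primary - Active
Active time: 111 (sec)
 Interface OUTSIDE (192.168.99.6): Unknown (Waiting)
 Interface INSIDE (192.168.238.6): Unknown (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
 Interface OUTSIDE (192.168.99.7): Unknown (Waiting)
 Interface INSIDE (192.168.238.7): Unknown (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+)")

def parse_failover(text):
    """Map 'This'/'Other' -> {role, state, interfaces: {name: status}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # "This host: Primary - Active" starts a new unit section
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3).strip(),
                              "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:  # monitored interface line under the current unit
            hosts[current]["interfaces"][m.group(1)] = m.group(3)
    return hosts

def ha_problems(text):
    """Findings list; empty means Active + Standby Ready and all ifaces Normal."""
    hosts = parse_failover(text)
    problems = []
    if not text.startswith("Failover On"):
        problems.append("failover is not enabled")
    states = {h["state"] for h in hosts.values()}
    if states != {"Active", "Standby Ready"}:
        problems.append("unit states %s, expected Active + Standby Ready"
                        % sorted(states))
    for who, h in hosts.items():
        for name, status in h["interfaces"].items():
            if status != "Normal":
                problems.append("%s host %s is %s" % (who, name, status))
    return problems
```

Run `ha_problems()` over the real command output on a schedule and alert when the list is non-empty; on the capture above it reports the Failed secondary and the four interfaces still in Waiting.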

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ciscoasa(config)# failover lan interface FAILOVER gi0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ciscoasa(config)# failover interface ip FAILOVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
ciscoasa(config)# int gi0/6
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover link STATE gi0/5
INFO: Non-failover interface config is cleared on GigabitEthernet0/5 and its sub-interfaces
ciscoasa(config-if)# failover interface ip STATE 192.168.253.1 255.255.255.0 standby 192.168.253.2
ciscoasa(config-if)# int gi0/5
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int gi0/0

ciscoasa(config-if)# show failover interface
interface FAILOVER GigabitEthernet0/6
System IP Address: 192.168.254.1 255.255.255.0
My IP Address : 192.168.254.2
Other IP Address : 192.168.254.1
interface STATE GigabitEthernet0/5
System IP Address: 192.168.253.1 255.255.255.0
My IP Address : 192.168.253.2
Other IP Address : 192.168.253.1




Notice that ASAv_2 is using the secondary IP addresses, which is the default unless failover lan unit primary is configured. Also note that we do not need to configure anything on interfaces Gi0/0 and Gi0/1 on ASAv_2: the last command is failover, and the two units will detect each other.


ciscoasa(config-if)# failover                                   ===== VERY IMPORTANT COMMAND (this enables failover)



Remember that the IP address is the IP on the ASAv1 interface.

When configuring the name on Gi0/0 and Gi0/1 on ASAv2 we can give any name; I have always used only inside, outside, public or private.



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


ASAv_1:
ASAv# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.99.6 YES manual up up
GigabitEthernet0/1 192.168.238.6 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 192.168.253.1 YES unset up up
GigabitEthernet0/6 192.168.254.1 YES unset up up
Management0/0 unassigned YES unset administratively down up

ASAv_2:
ASAv# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.99.7 YES manual up up
GigabitEthernet0/1 192.168.238.7 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 192.168.253.2 YES unset up up
GigabitEthernet0/6 192.168.254.2 YES unset up up
Management0/0 unassigned YES unset administratively down up



The INSIDE (Gi0/1) interface of the ASA has a security level of 100, and the OUTSIDE interface has a security level of 0. The ASA doesn’t block traffic by default if it exits via an interface with lower security than the interface where it entered, e.g. INSIDE -> OUTSIDE, and it does block traffic by default in the other direction, e.g. OUTSIDE -> INSIDE.

To allow traffic through the ASA via Gi0/0, we will need to “punch a hole” in the firewall by configuring an access-list to specify the allowable traffic and apply it to Gi0/0.