8/11/2019 Asa Firewall Configuration
1/6
R1 Configuration
R1# conf t
R1(config)# int f0/1
R1(config-if)# ip address 10.10.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# int lo0
R1(config-if)# ip address 8.8.8.8 255.255.255.0
R1(config-if)# exit
R1(config)# ! route to the LAN behind the ASA firewall (next hop is the ASA outside address)
R1(config)# ip route 192.168.10.0 255.255.255.0 10.10.10.2
R1(config)# do show ip int brief
R1(config)# do write
R2 Configuration
R2# conf t
R2(config)# int range f1/0-2
R2(config-if-range)# no shut
R2(config-if-range)# do wr mem
R3 Configuration
R3# conf t
R3(config)# int range f1/1-3
R3(config-if-range)# no shut
R3(config-if-range)# do wr mem
! R2 and R3 are used as managed switches
R2(config-if-range)# do sh ip int brief
Asa 1 failover active
ASA# conf t
ASA(config)# int g0
ASA(config-if)# nameif outside
ASA(config-if)# ip address 10.10.10.2 255.255.255.0
ASA(config-if)# no shut
ASA(config-if)# int g1
ASA(config-if)# nameif inside
ASA(config-if)# ip address 192.168.10.254 255.255.255.0
ASA(config-if)# no shut
ASA(config-if)# ! LAN failover interface assignment
ASA(config-if)# int g2
ASA(config-if)# description Lan failover interface
ASA(config-if)# no shut
ASA(config-if)# ! stateful failover interface, brought up the same way on ASA2
ASA(config-if)# int g3
ASA(config-if)# no shut
ASA(config)# ! Failover config here
ASA(config)# failover lan unit primary
ASA(config)# failover lan interface folink g2
ASA(config)# failover link folink g2
ASA(config)# failover interface ip folink 172.16.1.1 255.255.255.0 standby 172.16.1.0
ASA(config)# failover link state g3
ASA(config)# failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0
ASA(config)# ! Default route to R1
ASA(config)# route outside 0.0.0.0 0.0.0.0 10.10.10.1
ASA(config)# monitor-interface inside
ASA(config)# monitor-interface outside
ASA(config)# ! Above: monitor both data interfaces so that a link failure on either triggers failover
ASA(config)#hostname Active/Standby
! Open Asa 2 while Asa 1 still open
ASA 2 CONFIGURATION
ASA2# conf t
ASA2(config)# int g0
ASA2(config-if)# no shut
ASA2(config-if)# int g2
ASA2(config-if)# no shut
ASA2(config-if)# int g3
ASA2(config-if)# no shut
ASA2(config-if)# exit
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface folink g2
ASA2(config)# failover link folink g2
ASA2(config)# failover interface ip folink 172.16.1.1 255.255.255.0 standby 172.16.1.0
ASA2(config)# failover link state g3
ASA2(config)# failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0
Both ASA1 and ASA2 are configured; the only command left is failover, entered on both units.
ASA1(config)# failover
ASA2(config)# failover
ASA1#show failover state
ASA2#show failover
ASA2#show run failover
Failover is working: the show output confirms that replication between the two units is running.
The failover interface IP addresses are configured identically on ASA1 and ASA2.
Let's try to ping from XP to the active ASA's inside IP address, which is the XP host's gateway.
ASA# show interface ip brief
! GigabitEthernet1 (inside) 192.168.10.254/24
XP1: 192.168.10.253 255.255.255.0, gateway 192.168.10.254
Ping: 192.168.10.254
Now let's try to reach the lo0 address on R1 (8.8.8.8) from XP.
R1# show ip int brief
R1# Ping 8.8.8.8
! ACL is missing on the ASA firewall
ASA1(config)# access-list inside-in permit icmp any any echo
ASA2(config)# access-list outside-in permit icmp any any echo-reply
We should not make the configuration on the standby device, so the outside-in ACL above belongs on ASA1, the active unit. Note that both ACLs end in an implicit deny, so as written they permit only ICMP echo from the inside and echo replies from the outside.
ASA1(config)# access-group inside-in in interface inside
ASA1(config)# access-group outside-in in interface outside
We can use a command to show in the prompt which unit is active and which is standby.
ASA1(config)# prompt hostname state
ASA1(config)# write memory
Now let's try to reach the lo0 address on R1 from XP again.
! 8.8.8.8 is now reachable via R1
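The failover stanza and the ACLs above are easy to mistype (a failover link name that matches nothing, a failover address in the wrong subnet, an access-group pointing at an ACL name that was never defined, both units claiming the same role), and such errors only surface when the standby never syncs. The following is an added example, not code from the original lab notes: a small Python checker that parses the failover and ACL lines of a saved ASA config and reports those mismatches. The sample text is constructed from the lab's commands as originally typed; the check names and message wording are assumptions.

```python
import ipaddress
import re
def parse_unit(cfg):  # collect the failover and ACL facts from one unit's config text
    u = {"unit": None, "links": [], "ips": {}, "acls": set(), "groups": []}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"failover lan unit (\S+)$", line):
            u["unit"] = m[1]
        elif m := re.match(r"failover (?:lan interface|link) (\S+) \S+$", line):
            u["links"].append(m[1])  # logical name of a LAN or stateful failover link
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            u["ips"][m[1]] = (m[2], m[3], m[4])  # active address, mask, standby address
        elif m := re.match(r"access-list (\S+) ", line):
            u["acls"].add(m[1])
        elif m := re.match(r"access-group (\S+) in interface \S+$", line):
            u["groups"].append(m[1])
    return u

def lint_unit(cfg):  # one unit: each link needs addresses in one subnet, each access-group needs its ACL
    u, out = parse_unit(cfg), []
    for name in u["links"]:
        if name not in u["ips"]:
            out.append(f"link '{name}' has no 'failover interface ip' line")
    for name, (active, mask, standby) in u["ips"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            out.append(f"'{name}': standby {standby} is outside {net}")
    out += [f"access-group uses undefined ACL '{a}'" for a in u["groups"] if a not in u["acls"]]
    return out

def lint_pair(cfg_a, cfg_b):  # two units: one primary, one secondary, identical failover ip lines
    a, b = parse_unit(cfg_a), parse_unit(cfg_b)
    out = [] if {a["unit"], b["unit"]} == {"primary", "secondary"} else ["unit roles are not primary/secondary"]
    for name in sorted(set(a["ips"]) | set(b["ips"])):
        if a["ips"].get(name) != b["ips"].get(name):
            out.append(f"'{name}' failover ip differs between units")
    return out

# Constructed sample: ASA1's failover and ACL lines as typed in the lab, typos included.
ASA1_AS_TYPED = """\
failover lan unit primary
failover lan interface folink g2
failover link folkin g2
failover interface ip folink 172.168.1.1 255.255.255.0 standby 172.16.1.0
failover link state g3
failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0
access-list inside permit icmp any any echo
access-group inside-in in interface inside
"""
```

Running lint_unit on the sample reports the misspelt link name, the 172.168.x.x failover address outside the standby's subnet, and the access-group that references the undefined inside-in ACL; lint_pair on two corrected configs that both say unit primary reports the duplicated role.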