CCIE Security Advanced Technologies Class v3.5 - ASA Active/Standby Failover Routed Firewall Configuration

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section for the ASA we are going to look at an example of the active standby failover
0:00:19	when we are running in routed firewall mode
0:00:22	then we will look at a an example of active stand when we are running in transparent firewall mode
0:00:29	Now from the topology we have here
0:00:31	ASA2 is going to be the primary device that is forwarding for
0:00:35	the VLAN 125 segment on the inside
0:00:39	going towards the outside with VLAN 122
0:00:43	and the DMZ on VLAN 10
0:00:47	Now before we actually do any of the failover configuration
0:00:51	we need to first make sure that asa1 and asa2 have identical layer2 configurations
0:00:58	from the perspective of layer2 switching
0:01:00	and that we have reachability to each other
0:01:03	over the link that we are going to use for failover
0:01:07	or this case we are going to using dedicated interface ethernet 0/2
0:01:12	So when we look at the layer2 switches
0:01:15	again we would need to know, How these are physically connected
0:01:18	and if we look at the show interface status
0:01:22	and I would just include the one's that are
0:01:25	showing on the asa's
0:01:29	Now within the scope of the CCIE Security lab exam
0:01:33	this would not be a bad idea to do
0:01:35	on the layer2 switches
0:01:37	is to put some basic documentations with the description command
0:01:42	So you know what are the
0:01:44	the physical connectivities
0:01:45	and you are not going to have to keep flipping back to whatever the
0:01:51	whatever the wiring diagram that they are giving you
0:01:54	So what I need to do here is to make sure that for
0:01:58	both of the e0/0, outside interfaces
0:02:03	both of those need to be in VLAN 122
0:02:06	which is in this case is going to be
0:02:10	fast ethernet 12
0:02:13	and fast ethernet 14
0:02:25	So I simply say as a interface range, I want to make sure that both of these are access port, switch port mode access
0:02:31	So switch port access VLAN 122
0:02:35	and we are running spanning tree port fast
0:02:38	because I want to make sure that there is no problems with layer2 spanning tree convergence
0:02:44	when we are trying to failover from the active to the standby device
0:02:49	Now if we did have spanning tree involved, eventually the failover is going to work
0:02:53	it just means that the applications
0:02:56	are going to subject to the forwarding delay of spanning tree
0:03:00	So I suppose to being able to failover in a second or sub second manner
0:03:04	we may have to wait 30, 45 or more seconds
0:03:07	in order for the failover to actually occurred
0:03:10	and within this scope of high availability
0:03:12	the faster we can heal the network generally that going to be a better design
0:03:18	So we have the outside interfaces specify
0:03:21	then I need the inside interfaces which are both ethernet 0/1
0:03:27	I need to make sure that both of these are trunking
0:03:30	and that they are both encapsulating the same VLANs, which is VLAN 10
0:03:35	and VLAN 125
0:03:37	where in this particular case
0:03:40	in the topology, if we look at switch1
0:03:45	switch1 has both of these interfaces, e0/1 of asa1
0:03:50	and e0/1 of asa2
0:03:53	these are going to interfaces 13 and 15
0:03:56	so if we show run on both of these 13 and 15
0:04:01	I need to make sure that they have identical configs, which in this case they do not
0:04:06	However, we need to say on
0:04:08	Fast ethernet 13
0:04:10	I will remove
0:04:12	the allowed list that I was editing before
0:04:15	this was related to one of our
0:04:18	transparent firewall configs
0:04:23	and I will remove the
0:04:25	the access VLAN as well
0:04:27	So Ideally when I look at
0:04:30	the running config for 13
0:04:33	and running config for
0:04:35	13 and 15, I want to make sure that these are identical
0:04:39	Hey, which they are in this case
0:04:43	Then I need to see
0:04:45	can asa1 or 2 actually reach each other over the failover interface
0:04:50	So ethernet 0/2 for both of them
0:04:53	this should be in some sort of isolated VLAN
0:04:57	So that they can reach just each other over that
0:05:00	and there is not going to be any other traffic that could potentially impact that
0:05:04	where in this particular case, this link is on switch2
0:05:09	and its port 13 and 15 here so on
0:05:17	interface range fast ethernet 13 and 15
0:05:21	lets say switch port mode access
0:05:24	switch port access vlan
0:05:28	I will say any other vlan thats on use, say 999
0:05:33	and spanning tree port fast
0:05:38	So now when I show run interface fast ethernet
0:05:43	fast ethernet 13 and 15
0:05:46	I want to make sure that these are the same
0:05:51	So again if we look at our show interface status
0:05:55	essentially all of these links should be identical
0:05:58	Now we can see there from the output on switch2
0:06:03	that one of
0:06:06	these links is disabled, so I want to make sure that this is not the case
0:06:10	which is fast ethernet 14, so no shut down
0:06:19	so this should all be the same, now for switch1
0:06:22	I just need to make sure that e0/1 is the same
0:06:25	the other interfaces will come back and use these when we are doing the other types of failover
0:06:30	So I know that the basic layer2 network is working
0:06:34	next thing is I want to make sure
0:06:37	that asa2's configuration is saved
0:06:41	So that if the blank configuration does failover
0:06:45	worst case scenario, I can just reload and its going to go back to my working config
0:06:50	so lets look at the
0:06:52	the statistics, right now asa1
0:06:57	should essentially have a
0:06:59	blank configuration if we look at the show mode
0:07:02	and the show firewall
0:07:05	this is running in
0:07:07	single context mode in routed firewall
0:07:10	Now I want nothing in its configuration, this is going to be the standby device
0:07:15	So one way, I could do that, is to say that clear configure all
0:07:20	Now again with this command, you do need to be careful
0:07:23	because it is not asking for confirmation its just going to delete everything
0:07:27	Now I will save my config
0:07:32	for asa2
0:07:35	if we look at the show ip
0:07:37	and the show route
0:07:39	it should be in its current functional state, where routing is working on the outside, the inside
0:07:44	and then the actual transmit through the device is fine
0:07:47	So if we were to go to somewhere on the inside like the router5
0:07:52	lets see can we just telnet router2
0:07:55	and can we reach the acs server
0:07:58	So from router5
0:08:01	can I telnet to router2
0:08:05	which I can, So that connectivity is working
0:08:09	and the acs server is running its webservice
0:08:13	So I should be able to hit that on port 80, which I can
0:08:18	So now I know the asa2 is the active device
0:08:21	basic transport is working
0:08:24	Now you can go in to configure the primary
0:08:29	device, primary failovers asa2
0:08:31	the secondary configuration is going to go on asa1
0:08:35	then is the very last step, I going to issue the failover command on the active device
0:08:41	then a failover command on the standby device
0:08:45	Now this is definitely one of those configurations
0:08:49	that you need to know off the top of your head
0:08:51	as long as you know where it is located in the documentations
0:08:55	so try it out a couple of times to look at the order that they are listing the commands
0:09:00	you could pretty much go to the
0:09:03	getting started, then to configuring failover
0:09:07	in this case I am doing active standby, so configuration for active standby
0:09:22	and we can see that they basically the numbered list
0:09:26	So if you were to just copy all of these commands into notepad
0:09:31	and you could see that there is a little bit difference if you are using the older PIX platforms
0:09:36	in this case, what I want, lan based active standby failover
0:09:41	it says we need to configure the addresses
0:09:44	we need to
0:09:46	turn failover on, this would only be for the PIX's
0:09:49	specify them as the primary unit
0:09:52	then it says
0:09:55	configure the failover interface and then give it the address that you are assigning to it
0:10:02	Hey, then it says, optional, this would be our stateful configurations
0:10:07	so really the configure is not too complex
0:10:10	you just need to make sure not to leave out any of the individual steps
0:10:13	and then end in a case where you heard the configuration
0:10:18	So I am, asa2, I want to make sure to save my config first
0:10:24	Okay, first I need to specify the active and the standby addresses
0:10:30	So if we look at the show run
0:10:32	include interface or ip address
0:10:38	the primary address is the .12 here
0:10:42	I am going the say secondary address is .11 for asa1
0:10:47	So essentially have the same config here
0:10:50	just I need to say for the standby address
0:10:54	this will 200.0.122.11
0:10:59	So if I look at the same show command
0:11:02	show run include interface or ip address
0:11:05	I can basically just take these on notepad
0:11:08	and then make the minor changes that I need
0:11:10	So I need the
0:11:14	standby address here as 10.0.0.11
0:11:19	standby
0:11:21	address here is 1.0.125.11
0:11:26	now additionally the reason I am doing this in notepad
0:11:30	is a lot of the configurations that is going to be used on active device
0:11:34	is going to be the same on the standby device
0:11:40	So now I know what are the addresses are supposed to be
0:11:43	next thing I am going to specify that this is the primary unit
0:11:47	So for lan based failover
0:11:52	I am the
0:11:55	unit is primary
0:11:59	this specific interface, the failover lan interface I am using
0:12:04	it says what is the interface name
0:12:10	and you may want to reference the documentation for this because
0:12:14	you need to give it a name, basically a nameif
0:12:17	and then also reference the hardware name, but the
0:12:23	the context sensitive help here
0:12:25	is little ambiguous as to which is which
0:12:28	So what this is looking for here is
0:12:32	failover lan interface, I will say, this is capital FAILOVER
0:12:36	the physical interface is e0/2
0:12:42	So this first option I was looking for, basically the nameif
0:12:47	yes on either interface configured, now I am going to give an IP
0:12:50	So failover interface IP
0:12:55	and the name of this interface, I call this failover
0:12:59	So whats the primary address
0:13:01	So essentially I need to assign
0:13:03	some sort of address on this link
0:13:08	lets say here we are going to use
0:13:10	10.0.1.0/24
0:13:18	Hey, asa1 is going to be .11
0:13:20	asa2 is going to be .12
0:13:25	So 10.0.1.12/24
0:13:34	and the standby address is 10.0.1.11
0:13:42	Hey, this is pretty much going to be the extent here other than actually enabling the feature
0:13:47	So now lets say show run include interface
0:13:53	interface or ip address or failover
0:14:02	So this configuration here is essentially what I am going to replicate on the other device
0:14:07	hey, the thing that is changing though
0:14:10	is that I need
0:14:14	the other unit to be the secondary
0:14:22	So this is my secondary config, the primary config
0:14:26	only command is different is failover lan unit primary
0:14:34	Now if we were to also do stateful failover
0:14:38	this is the failover link
0:14:40	I will say that this is the
0:14:44	stateful link as e0/
0:14:49	2, this interface is already used as a
0:14:53	failover interface, lets see if we can reference with the same
0:14:57	failover, yes I need
0:15:03	So now we are doing active standby and
0:15:06	stateful failure at the same time
0:15:09	Hey, last step we are going to try to replicate the config
0:15:13	So the failover command itself is going to turn it on
0:15:18	then on asa1 if we say failover
0:15:21	ideally what we should see
0:15:24	is that asa2 starts looking
0:15:27	for the standby device
0:15:30	it finds the other device and then the configuration is going to replicate down
0:15:39	to verify this we are going to look at the show failover
0:15:48	So right now its trying to detect what is the other host
0:15:53	Now actually one thing I didn't checked here
0:15:56	was the status of asa1's link
0:16:02	show run interface
0:16:06	and these are shut down
0:16:09	So when you boot up, by default normally those are shut down
0:16:11	Now before I bring this up, what I want to do is now disable failover
0:16:18	on both of these, no failover
0:16:21	and its not going to delete my other configurations
0:16:24	its just temporarily going to turn the feature off
0:16:28	and now on asa1 lets say e0/0 no shut down
0:16:32	e0/1
0:16:38	e0/2 etc, so whatever physical links that I need to use
0:16:47	hey, now lets say failover on the primary
0:16:52	and then again failover on the secondary
0:17:04	we could see on asa2, now its saying its sending the configuration
0:17:09	to the mate, where the mate is the secondary device
0:17:14	asa1 should say that its receiving it
0:17:19	So lets check now on asa1 it should have the full configuration
0:17:25	Hey there is a question here the replicated configs are not saved in startup of the standby unless you manually enforce
0:17:32	the, the write standby, correct
0:17:35	So once this is actually done
0:17:38	if I look at the show run
0:17:40	on asa1, we could see all this information
0:17:45	has been learned from the other device
0:17:48	hey, all the routing protocols, all of the inspection
0:17:51	if we look at the show startup config
0:17:56	none of this is actually saved yet
0:17:59	So what I would want to now do from the active device
0:18:04	is say
0:18:06	save my configs, so write my config
0:18:12	and also
0:18:14	write standby, so this is now replicating the new config on to them
0:18:25	now on asa1 if we look at the show startup config
0:18:30	now we can see that the changes are saved
0:18:36	So now lets see, is the stateful failover actually going to work
0:18:39	the way that we can test this
0:18:41	would be to send traffic
0:18:44	from the inside out
0:18:46	so we will go to router5 and telnet out
0:18:51	and also from the inside lets do some icmp pings
0:18:55	So we can see exactly, how long its taking for the failover to occur
0:19:02	then we will shut down one of the physical links that is connecting to asa2
0:19:06	and see what asa1 is going to do
0:19:10	Now we can verify the timers if we look at the show failover
0:19:14	where it says that the unipole frequency is one second
0:19:19	and the whole time is 15 seconds
0:19:22	the interface poll frequency is 5 seconds and the whole time is 25
0:19:28	and the interface policy is 1, so it means that if any of the links goes down
0:19:33	I should give up the active status
0:19:39	and actually from the other one , the asa2
0:19:41	we shall failover
0:19:44	if any of my links goes down, or it says, this host is the primary one or the active one
0:19:49	if any of my links goes down, I should immediately
0:19:52	now start failover
0:19:55	Now these are the interfaces, notice here is says, outside is ping is normal
0:20:00	DMZ and inside are normal but these ones are not being monitored
0:20:04	So if I wanted to also do the icmp pings on those
0:20:08	I would need to change the monitor interface policy
0:20:13	So if I say monitor interface DMZ
0:20:17	monitor inerface inside
0:20:22	and outside
0:20:26	if we now look at the show failover again
0:20:31	Now we are initializing the process we should eventually see that these are going to be
0:20:35	in the, the normal state
0:20:41	So assuming that I want to track all of the links
0:20:44	then I would need to enable this
0:20:58	additionally if we look at the
0:21:00	the show connections or the show
0:21:05	the show translations
0:21:07	lets say for example we go to router5
0:21:11	and from router5 I am going to telnet out to router3
0:21:19	I am going generate a bunch of traffic, we will say tech support
0:21:23	and from router6
0:21:27	from router6, I am going to do pings, out to the rest of the network, lets say ping router2
0:21:38	and temporarily lets just allow this back in
0:21:42	on the outside interface, so on asa2
0:21:47	thats show run access-list
0:21:51	I want access-list outside in
0:21:56	permit icmp any any
0:22:00	an access-group
0:22:03	outside in, in interface outside
0:22:18	So now router6 should be able to ping out which it can
0:22:21	but what I want to do here is send a bunch of traffic
0:22:25	and I am going to say the timeout is 1 second
0:22:28	So this means that for every dot that I see
0:22:31	its going to be 1 second of convergence time
0:22:35	and the physical interface that I am going to check
0:22:38	I am going to shut down on the layer2 switch port
0:22:42	now what is connected to asa2 here
0:22:45	which is physically on switch2's port
0:22:48	fast ethernet 0/12
0:22:53	Now lastly before I do this, lets look at asa1
0:22:57	look at the show connections
0:23:02	and if we do the same thing on asa1
0:23:06	show connections
0:23:09	we could see that they agree on what the state table is
0:23:14	So both of them have that connection
0:23:19	that is from router5 telnetting to 3
0:23:28	so now lets fail the actual link, if we look at
0:23:31	switch2's interface
0:23:35	fast ethernet
0:23:38	14 here
0:23:41	its not fast ethernet 12, its 14
0:23:45	if we shut this down
0:23:47	I want to see on router6
0:23:50	how long is it actually going to take them to convert
0:23:55	Now I would see we could get the conversions to be faster, if we were to change the timers
0:24:00	but this is just going to be with the default options
0:24:14	So lets look at asa1 and 2 lets look at the
0:24:17	the show failover, we can see, it says, it switched to standby
0:24:22	show failover
0:24:24	this link is down, so my status is failed
0:24:27	the other host should be the active one
0:24:30	now from
0:24:31	router5 it looks likes the, the telnet session is hung, actually now, now it kept going
0:24:37	and now router6 is, the pings are working
0:24:40	So lets copy this up and see if we can figure out how long it took
0:24:48	we are here, this text editor has a
0:24:51	a count on the number of characters, so we have 1
0:24:55	2,3,4,5,6,7,8,9,10
0:25:00	So looks like it took just over a minute
0:25:04	with the default timer, so about 63 seconds it will take
0:25:07	So if we wanted this to occur faster
0:25:09	I can say we could change what the polling timers are
0:25:13	because when we look at the link level stuff
0:25:16	it says the
0:25:18	the poll time is 5 seconds, the whole time is 25
0:25:22	than its actually going to take some time to
0:25:27	the switch from active to standby and then for the underlying layer2 network to change
0:25:35	So if you look at the configuration guide, talk about how can you actually speed up the convergence
0:25:42	which is with the
0:25:43	the health monitoring and then the particular timers
0:25:48	we could tell atleast at this point
0:25:51	the configuration is working
0:25:53	So on asa1 when we look at the show failover
0:25:58	since this host is secondary, so we are not the primary
0:26:02	but we are the active device
0:26:06	Now if this link were to return
0:26:08	if we bring this back up
0:26:12	asa2 is eventually going to detect us
0:26:15	when we look at the show
0:26:17	failover
0:26:25	we could see the link status says its normal but its waiting
0:26:29	to make sure its actually going to stay up, we should see that
0:26:33	eventually this is going to say normal
0:26:43	So now we could see, this device, its still the primary
0:26:48	but the secondary device is the one thats actually forwarding
0:26:52	So it means that there is no preemption
0:26:55	for the failover process
0:26:57	Now we could change this, I could say, failover active
0:27:03	which is going to switch me here back to the active device
0:27:06	asa1 is going to change to the standby
0:27:09	and ideally
0:27:12	since we are running in
0:27:15	stateful failover mode
0:27:17	this is actually one of the additional problems here as well
0:27:22	that eigrp on the outside
0:27:24	there is certain protocols that cannot maintain the stateful
0:27:30	because it doesn't support whats known as the graceful restart
0:27:35	which is the non stop forwarding and non stop routing feature for the igps
0:27:40	so not only when I change from the active to standby
0:27:44	is it going to be an issue of the layer2 conversion
0:27:46	there is also my layer3 routing protocols that I need to take into account
0:27:52	So if I were doing just static routing then
0:27:57	then would be faster
0:27:59	so like I say, with their high availability design guide
0:28:02	it talks about some of those additional issues
0:28:05	So it not necessarily just the timers for the asa
0:28:09	because when we look at the failover, its whole time is 25 seconds
0:28:13	see you figure out may riskiest scenarios can be around 30
0:28:17	but in reality it ended up to be more than double that, so its over a minute
0:28:21	because there is other issues in the network
0:28:24	that are relating to, the amount of time that its going take the network to reconverge

Now Viewing

CCIE Security Advanced Technologies Class v3.5
Title:	CCIE Security Advanced Technologies Class v3.5
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

ASA Active/Standby Failover Routed Firewall C...

Create Bookmark