Recently took delivery of 2 x Cisco 5515 ASAs for one of my clients.

Simple configuration guide for setting these up in an Active/Passive design.

Brief Overview:

Port 0 - LAN
Port 1-3 - NOT USED
Port 4 - Failover Link
Port 5 - WAN

Assumptions:

- Hardware on both ASA firewalls is identical.
- The same software version is installed on both firewalls.
- The PRIMARY firewall is already set up (not massively important, as I did this project from scratch).

IP Addresses:

LAN: Main 10.20.0.254, Standby 10.20.0.250
WAN: Main 77.22.22.6, Standby 77.22.22.5

A cable is directly connected to G0/4 on both ASAs. The LAN cable goes into our core switches and the WAN link is a dual link supplied by our supplier at the Datacentre.

Take a backup of the Main firewall running config if you do not have one already (copy run flash).

Primary Firewall

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut
CiscoASA(config)# interface g0/5
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Outside
CiscoASA(config-if)# security-level 0
CiscoASA(config-if)# ip address 77.22.22.6 255.255.255.0 standby 77.22.22.5
CiscoASA(config-if)# interface g0/0
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Inside
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# ip address 10.20.0.254 255.255.255.0 standby 10.20.0.250

CONFIGURE THE FAILOVER LINK
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252
CiscoASA(config)# failover key 222333444

SET FIREWALL AS PRIMARY
CiscoASA(config)# failover lan unit primary

TURN ON FAILOVER
CiscoASA(config)# failover

ENABLE STATEFUL FAILOVER (the state link shares G0/4 with the failover link)
CiscoASA(config)# failover link failover GigabitEthernet0/4

SAVE CONFIG
CiscoASA(config)# wr

Secondary Firewall

Ensure the cabling is correct on the primary and secondary firewall.

CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut

CONFIGURE THE FAILOVER LINK (same interface, addresses and key as the primary)
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252
CiscoASA(config)# failover key 222333444

SET FIREWALL AS SECONDARY
CiscoASA(config)# failover lan unit secondary

TURN ON FAILOVER
CiscoASA(config)# failover

You should see this on the console:

Detected an Active mate
Beginning configuration replication from mate.

Verify with show failover:

CiscoASA5515# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014

FINE TUNE

The failover timers can be played with, as the defaults are a bit too safe, so here is my recommendation:

CiscoASA(config)# failover polltime 1 holdtime 3
CiscoASA(config)# failover polltime interface 3
CiscoASA(config)# int g0/4
CiscoASA(config-if)# failover poll interface 3
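As an added example (my own Python, not something from the post or from Cisco), here is a small check that parses the show failover output above and flags the conditions that mean the pair cannot be relied on: failover off, failover link down, version mismatch between the units, no monitored interfaces, or a unit holdtime the ASA would reject. The sample text is constructed from the output quoted in the post.

```python
import re

# Constructed sample input, taken from the "show failover" output quoted in the post.
SAMPLE_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Monitored Interfaces 2 of 114 maximum
Version: Ours 9.2(2)4, Mate 9.2(2)4
"""

# One regex per header field; the named groups become keys of the parsed dict.
FIELD_PATTERNS = [
    r"^Failover (?P<state>On|Off)\s*$",
    r"^Failover unit (?P<unit>\S+)",
    r"^Failover LAN Interface: (?P<link_name>\S+) (?P<link_if>\S+) \((?P<link_state>\w+)\)",
    r"^Unit Poll frequency (?P<unit_poll>\d+) seconds, holdtime (?P<unit_hold>\d+) seconds",
    r"^Interface Poll frequency (?P<if_poll>\d+) seconds, holdtime (?P<if_hold>\d+) seconds",
    r"^Monitored Interfaces (?P<monitored>\d+) of (?P<max_monitored>\d+)",
    r"^Version: Ours (?P<ours>\S+), Mate (?P<mate>\S+)",
]

def parse_show_failover(text):
    """Return the header fields of 'show failover' as a dict; digit-only values become int."""
    parsed = {}
    for pattern in FIELD_PATTERNS:
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            parsed.update({k: int(v) if v.isdigit() else v for k, v in match.groupdict().items()})
    return parsed

def check_failover(status):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if status.get("state") != "On":
        findings.append("failover is not enabled")
    if status.get("link_state") != "up":
        findings.append("failover link is not up")
    # A unit that has never seen its mate reports "Mate Unknown"; a real mismatch breaks replication.
    if status.get("ours") != status.get("mate"):
        findings.append("software versions differ: ours=%s mate=%s" % (status.get("ours"), status.get("mate")))
    if status.get("monitored", 0) == 0:
        findings.append("no monitored interfaces: an interface failure will not trigger failover")
    # The ASA requires the unit holdtime to be at least three times the poll interval.
    if "unit_poll" in status and status["unit_hold"] < 3 * status["unit_poll"]:
        findings.append("unit holdtime is shorter than 3x the poll interval")
    return findings
```

Feed it the real output of show failover from a scheduled collector and alert on a non-empty list; the version check in particular catches a standby left behind after an upgrade.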