************************ ASA Firewalls ************************

=====================================================
1. Security Context using Sub-Interfaces
=====================================================

------------------------------------------------------
1. Create the VLANs required on the Switch
------------------------------------------------------

vlan 10,20,30,40,50,60,12

------------------------------------------------------
2. Assign Ports to VLANs [ONE VLAN AT A TIME]
------------------------------------------------------

-> L3 Diagram shows a Physical Port      - the corresponding Switchport is an Access Port
-> L3 Diagram shows a Sub-Interface Port - the corresponding Switchport is a Trunk Port

++++++++++++
  VLAN 12
++++++++++++

----- SW1 -----
interface range E 0/0-1
 switchport trunk encapsulation dot1q
 switchport mode trunk

----- R1 -----
interface E 0/0
 no shut
 duplex full
!
interface E 0/0.1
 encapsulation dot1q 12
 ip address 192.1.12.1 255.255.255.0
 no shut

----- R2 -----
interface E 0/0
 no shut
 duplex full
!
interface E 0/0.1
 encapsulation dot1q 12
 ip address 192.1.12.2 255.255.255.0
 no shut

++++++++++++
  VLAN 10
++++++++++++

----- SW1 -----
interface E 1/2
 switchport mode access
 switchport access vlan 10

----- R1 -----
interface E 0/0.2
 encapsulation dot1q 10
 ip address 192.1.10.1 255.255.255.0
 no shut

++++++++++++
  VLAN 20
++++++++++++

----- SW1 -----
interface E 2/1
 switchport mode access
 switchport access vlan 20

----- R2 -----
interface E 0/0.2
 encapsulation dot1q 20
 ip address 192.1.20.2 255.255.255.0
 no shut

++++++++++++
  VLAN 30
++++++++++++

----- SW1 -----
interface E 0/2
 switchport mode access
 switchport access vlan 30
!
interface E 1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk

----- R3 -----
interface E 0/0
 ip address 192.168.3.3 255.255.255.0
 duplex full
 no shut

++++++++++++
  VLAN 40
++++++++++++

----- SW1 -----
interface E 0/3
 switchport mode access
 switchport access vlan 40
!
interface E 2/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

----- R4 -----
interface E 0/0
 ip address 192.168.4.4 255.255.255.0
 duplex full
 no shut

++++++++++++
  VLAN 50
++++++++++++

----- SW1 -----
interface E 1/0
 switchport mode access
 switchport access vlan 50

----- R5 -----
interface E 0/0
 ip address 10.50.50.5 255.255.255.0
 duplex full
 no shut

++++++++++++
  VLAN 60
++++++++++++

----- SW1 -----
interface E 1/1
 switchport mode access
 switchport access vlan 60

----- R6 -----
interface E 0/0
 ip address 10.60.60.6 255.255.255.0
 duplex full
 no shut

------------------------------------------------------
3. Change the Mode to Multi-Context
------------------------------------------------------

mode multiple

-> The ASA reloads into the system execution space. The single-mode running config is converted into a new system
   configuration plus an admin context (admin.cfg); everything below is typed in the system execution space
   unless a 'changeto context' is shown.

----------------------------------------------------------
4. Create the sub-interfaces and bring the interfaces up
----------------------------------------------------------

---------------
  ASA-System
---------------
interface E0
 no shut
!
interface E1
 no shut
!
interface E1.1
 vlan 30
!
interface E1.2
 vlan 50
!
interface E2
 no shut
!
interface E2.1
 vlan 40
!
interface E2.2
 vlan 60
!
interface E3
 no shut

----------------------------------------------------------
5. Create the Contexts with the appropriate interfaces
----------------------------------------------------------

---------------
  ASA-System
---------------
context SALES
 allocate-interface E0 OUT
 allocate-interface E1.1 DMZ
 allocate-interface E1.2 INS
 config-url flash:SALES.CFG
!
context MARK
 allocate-interface E3 OUT
 allocate-interface E2.1 DMZ
 allocate-interface E2.2 INS
 config-url flash:MARK.CFG

-> The mapped names (OUT / DMZ / INS) are all a context ever sees; the physical interface name is hidden from
   the context administrator. No interface is shared between SALES and MARK here, so per-context MAC addresses
   are not needed (compare section 4, where E0 is shared and 'mac-address auto' is required).

----------------------------------------------------------
6. Configure the SALES Context
----------------------------------------------------------

---------------
  ASA-SALES
---------------
changeto context SALES
!
interface OUT
 nameif Outside
 ip address 192.1.10.11 255.255.255.0
!
interface INS
 nameif Inside
 ip address 10.50.50.11 255.255.255.0
!
interface DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.3.11 255.255.255.0
!
route outside 0 0 192.1.10.1
!
object network POOL-A
 range 192.1.10.51 192.1.10.200
!
object network NET-10.50.50.0
 subnet 10.50.50.0 255.255.255.0
 nat (Inside,Outside) dynamic POOL-A
!
object network R3
 host 192.168.3.3
 nat (DMZ,Outside) static 192.1.10.3
!
telnet 10.50.50.0 255.255.255.0 inside
!
access-list OUTSIDE permit tcp any host 192.168.3.3 eq 23
access-list OUTSIDE permit icmp any host 192.168.3.3
!
access-group OUTSIDE in interface Outside

-> 'nameif Inside' defaults the security level to 100 and any other name to 0, so only the DMZ needs an explicit
   'security-level 50'. The ACL matches the real DMZ address (192.168.3.3), not the translated 192.1.10.3:
   from ASA 8.3 onwards (the object-NAT syntax used here) access lists are evaluated against real IPs.
   Telnet is lab-only; it carries the login credentials in cleartext, so use 'ssh' for management in production.

----------------------------------------------------------
7. Configure the MARK Context
----------------------------------------------------------

---------------
  ASA-MARK
---------------
changeto context MARK
!
interface OUT
 nameif Outside
 ip address 192.1.20.21 255.255.255.0
!
interface INS
 nameif Inside
 ip address 10.60.60.21 255.255.255.0
!
interface DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.4.21 255.255.255.0
!
route outside 0 0 192.1.20.2
!
object network POOL-A
 range 192.1.20.51 192.1.20.200
!
object network NET-10.60.60.0
 subnet 10.60.60.0 255.255.255.0
 nat (Inside,Outside) dynamic POOL-A
!
object network R4
 host 192.168.4.4
 nat (DMZ,Outside) static 192.1.20.4
!
telnet 10.60.60.0 255.255.255.0 inside
!
access-list OUTSIDE permit tcp any host 192.168.4.4 eq 23
access-list OUTSIDE permit icmp any host 192.168.4.4
!
access-group OUTSIDE in interface Outside

=====================================================
2. Failover - Active/Standby - Stateless
=====================================================

----------------------------------------------------------
1. Configure the ASAs with the Initial Failover Configs
----------------------------------------------------------

------
 ASA1
------
interface Gig0/2
 no shut
!
failover lan interface FAILINT Gig0/2
failover interface ip FAILINT 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover lan unit primary
failover key cisco123
failover

------
 ASA2
------
interface Gig0/2
 no shut
!
failover lan interface FAILINT Gig0/2
failover interface ip FAILINT 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover lan unit secondary
failover key cisco123
failover

-> The failover interface name, the IP/standby pair and the key must be identical on both units; only
   'failover lan unit' differs. Without 'failover key' the failover messages, including the replicated
   configuration, cross the link unauthenticated and in cleartext, so always set a key and keep the failover
   link on a dedicated, physically secured segment.

----------------------------------------------------------
2. Configure the ASA on the Active Box (ASA1)
----------------------------------------------------------

--------------
 ASA1 - Active
--------------
interface Gig0/0
 nameif Outside
 ip address 192.1.10.11 255.255.255.0 standby 192.1.10.12
 no shut
!
interface Gig0/1
 nameif Inside
 ip address 10.11.11.11 255.255.255.0 standby 10.11.11.12
 no shut
!
route outside 0 0 192.1.10.3
!
object network POOL-A
 range 192.1.10.51 192.1.10.200
!
object network INS
 subnet 10.11.11.0 255.255.255.0
 nat (Inside,Outside) dynamic POOL-A

-> Everything in this step is typed on the active unit only; failover replicates it to the standby, which
   takes over the active IP and MAC addresses on a switchover.

=====================================================
3. Failover - Active/Standby - Stateful
=====================================================

------------------------------------------------------------
1. Configuring Stateful Replication using a dedicated link
------------------------------------------------------------

------
 ASA1
------
interface Gig0/3
 no shut
!
failover link SFL Gig0/3
failover interface ip SFL 10.20.20.1 255.255.255.0 standby 10.20.20.2

--------------------------------------------------------------------------------------
2. Configuring the Failover LAN interface to carry state information (conn table)
--------------------------------------------------------------------------------------

------
 ASA1
------
interface Gig0/3
 shut
!
no failover link SFL Gig0/3
no failover interface ip SFL 10.20.20.1 255.255.255.0 standby 10.20.20.2
!
failover link FAILINT Gig0/2

-> Sharing one interface for failover hellos and state replication is fine for a lab; connection-table
   replication is bandwidth-heavy, so in production prefer the dedicated link from step 1.

=====================================================
4. Failover - Active/Active
=====================================================

-----------------------------------------
1. Change the mode to Multi-Context
-----------------------------------------

------
 ASA1
------
mode multiple

------
 ASA2
------
mode multiple

-----------------------------------------
2. Bring the physical interfaces up
-----------------------------------------

------
 ASA1
------
interface E0
 no shut
!
interface E1
 no shut
!
interface E2
 no shut
!
interface E3
 no shut

-----------------------------------------
3. Create the Contexts
-----------------------------------------

------
 ASA1
------
context SALES
 allocate-interface E0
 allocate-interface E1
 config-url flash:SALES.CFG
!
context MARK
 allocate-interface E0
 allocate-interface E2
 config-url flash:MARK.CFG
!
mac-address auto

-> E0 is allocated to both contexts (a shared interface), so each context needs its own MAC address on it;
   'mac-address auto' generates a unique MAC per context interface.

-----------------------------------------
4. Configure the SALES Context
-----------------------------------------

------
 ASA1
------
changeto context SALES
!
interface E0
 nameif Outside
 ip address 192.1.100.11 255.255.255.0
!
interface E1
 nameif Inside
 ip address 10.40.40.11 255.255.255.0
!
route outside 0 0 192.1.100.3
!
object network POOL-A
 range 192.1.100.51 192.1.100.100
object network NET-10.40.40.0
 subnet 10.40.40.0 255.255.255.0
 nat (inside,outside) dynamic POOL-A

-----------------------------------------
5. Configure the MARK Context
-----------------------------------------

------
 ASA1
------
changeto context MARK
!
interface E0
 nameif Outside
 ip address 192.1.100.21 255.255.255.0
!
interface E2
 nameif Inside
 ip address 10.50.50.21 255.255.255.0
!
route outside 0 0 192.1.100.3
!
object network POOL-A
 range 192.1.100.101 192.1.100.200
object network NET-10.50.50.0
 subnet 10.50.50.0 255.255.255.0
 nat (inside,outside) dynamic POOL-A

-------------------------------------------
6. Configure Failover on the 1st Box only
-------------------------------------------

------
 ASA1
------
interface E3
 no shut
!
failover lan interface FAILINT E3
failover interface ip FAILINT 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover link FAILINT E3
failover lan unit primary
failover key cisco123
!
failover group 1
 primary
 preempt
!
failover group 2
 secondary
 preempt
!
context SALES
 join-failover-group 1
!
context MARK
 join-failover-group 2
!
failover

-> Group 1 is active on the primary and group 2 on the secondary, so both boxes forward traffic;
   'preempt' hands a group back to its preferred unit when that unit returns.

-----------------------------------------------------------
7. Configure the 2nd box with the basic failover commands
-----------------------------------------------------------

------
 ASA2
------
interface E3
 no shut
!
failover lan interface FAILINT E3
failover interface ip FAILINT 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover lan unit secondary
failover key cisco123
failover

-----------------------------------------------------------
8. Configure Standby Addresses on the appropriate boxes
-----------------------------------------------------------

-> A context can only be changed on the unit where its failover group is currently active:
   SALES (group 1) on ASA1, MARK (group 2) on ASA2.

------
 ASA1
------
changeto context SALES
!
interface Ethernet0
 ip address 192.1.100.11 255.255.255.0 standby 192.1.100.12
!
interface Ethernet1
 ip address 10.40.40.11 255.255.255.0 standby 10.40.40.12

------
 ASA2
------
changeto context MARK
!
interface Ethernet0
 ip address 192.1.100.21 255.255.255.0 standby 192.1.100.22
!
interface Ethernet2
 ip address 10.50.50.21 255.255.255.0 standby 10.50.50.22

=====================================================
5. Clustering
=====================================================

--------------------------------------------------------
1. Configure the Initial Cluster Commands
--------------------------------------------------------

------
 ASA1
------
cluster interface-mode spanned
!
interface E0
 no shut
!
cluster group ABC
 local-unit ASA-1
 cluster-interface E0 ip 10.10.10.1 255.255.255.0
 key cisco123
 priority 5
 enable

------
 ASA2
------
cluster interface-mode spanned
!
interface E0
 no shut
!
cluster group ABC
 local-unit ASA-2
 cluster-interface E0 ip 10.10.10.2 255.255.255.0
 key cisco123
 priority 10
 enable

-> E0 is the cluster control link (CCL): every unit needs its own IP on it, and the group name and key must
   match. The lowest priority value wins the master election, so ASA-1 (priority 5) becomes master.

--------------------------------------------------------
2. Configure the Switches for Port-Channels
--------------------------------------------------------

------------
 SW-Inside
------------
vlan 10
!
interface range e0/0-1
 channel-group 10 mode active
 no shut
!
interface Port-channel 10
 switchport mode access
 switchport access vlan 10
!
interface E 0/2
 switchport mode access
 switchport access vlan 10

------------
 SW-Outside
------------
vlan 20
!
interface range e0/0-1
 channel-group 20 mode active
 no shut
!
interface Port-channel 20
 switchport mode access
 switchport access vlan 20
!
interface E 0/2
 switchport mode access
 switchport access vlan 20

--------------------------------------------------------
3. Configure the Port-Channel on the ASA
--------------------------------------------------------

------------
 ASA-Master
------------
interface E2
 channel-group 10 mode active
 no shut
!
interface Port-channel 10
 port-channel span-cluster
 nameif Inside
 ip address 10.11.11.11 255.255.255.0
 security-level 100
 mac-address aaaa.bbbb.1111
 no shut
!
interface E1
 channel-group 20 mode active
 no shut
!
interface Port-channel 20
 port-channel span-cluster
 nameif Outside
 ip address 192.1.20.11 255.255.255.0
 security-level 0
 mac-address aaaa.bbbb.2222
 no shut
!
object network POOL-A
 range 192.1.20.51 192.1.20.100
object network NET-10.11.11.0
 subnet 10.11.11.0 255.255.255.0
 nat (inside,outside) dynamic POOL-A

-> Interface and data configuration is entered on the master only and replicated to the slave units. Give each
   spanned EtherChannel a manual virtual MAC: without one the cluster uses the master's burned-in MAC, which
   changes (and disrupts traffic) whenever the master leaves the cluster.
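Two mistakes in this lab survive a 'write mem' without any error: allocating an interface to two contexts without 'mac-address auto' (section 4), and typing a failover key, interface name or IP pair that differs between the two units (sections 2 to 4), which leaves the pair unable to form. The script below is an added example, not part of these notes or of any Cisco tool; it parses config text in the shape typed above and flags both problems. The function names (check_contexts, parse_failover, check_failover_pair, failover_unit) and the sample configs are my own; the samples are constructed to mirror the lab and nothing is read from a device.

```python
# Added example (not from the lab notes): audit context interface allocation
# (sections 1 and 4) and failover-pair consistency (sections 2-4) from the
# config text typed on each unit.  Sample configs are constructed, not captured.
import re
from collections import defaultdict

def cfg_lines(cfg):
    """Strip indentation, blank lines and '!' separators from config text."""
    return [l.strip() for l in cfg.splitlines() if l.strip() and l.strip() != "!"]

def check_contexts(system_cfg):
    """Flag an allocated interface that was never defined, and an interface
    allocated to two contexts without 'mac-address auto' (a shared interface
    needs one MAC per context so the upstream switch can tell them apart)."""
    defined, owners, problems, ctx = set(), defaultdict(list), [], None
    for line in cfg_lines(system_cfg):
        if m := re.match(r"interface (\S+)", line, re.I):
            defined.add(m.group(1).lower())
            ctx = None
        elif m := re.match(r"context (\S+)", line, re.I):
            ctx = m.group(1)
        elif (m := re.match(r"allocate-interface (\S+)", line, re.I)) and ctx:
            owners[m.group(1).lower()].append(ctx)
            if m.group(1).lower() not in defined:
                problems.append(f"{ctx}: {m.group(1)} allocated but never defined")
    auto_mac = "mac-address auto" in [l.lower() for l in cfg_lines(system_cfg)]
    problems += [f"{n} shared by {c} without mac-address auto"
                 for n, c in owners.items() if len(c) > 1 and not auto_mac]
    return problems

FO_PATTERNS = {"lan_if": r"failover lan interface (\S+) (\S+)",
               "link": r"failover link (\S+) (\S+)",
               "ip": r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)",
               "unit": r"failover lan unit (primary|secondary)",
               "key": r"failover key (\S+)"}

def parse_failover(cfg):
    """Failover commands, failover groups and context memberships of one unit."""
    fo = {"enabled": False, "groups": {}, "ctx_group": {}}
    group = ctx = None
    for line in cfg_lines(cfg):
        low = line.lower()
        for field, pattern in FO_PATTERNS.items():
            if m := re.match(pattern, line, re.I):
                fo[field] = m.groups()
        if low == "failover":                       # the bare enable command
            fo["enabled"] = True
        elif m := re.match(r"failover group (\d+)", line, re.I):
            group, ctx = m.group(1), None
            fo["groups"][group] = None              # preferred unit filled in below
        elif group and low in ("primary", "secondary"):
            fo["groups"][group] = low
        elif m := re.match(r"context (\S+)", line, re.I):
            ctx, group = m.group(1), None
        elif (m := re.match(r"join-failover-group (\d+)", line, re.I)) and ctx:
            fo["ctx_group"][ctx] = m.group(1)
    return fo

def check_failover_pair(cfg_a, cfg_b):
    """Return (problems, warnings) for the configs typed on the two units."""
    a, b = parse_failover(cfg_a), parse_failover(cfg_b)
    problems, warnings = [], []
    for field in ("lan_if", "ip", "key"):           # must be identical on both units
        if a.get(field) != b.get(field):
            problems.append(f"{field} differs: {a.get(field)} vs {b.get(field)}")
    if {a.get("unit"), b.get("unit")} != {("primary",), ("secondary",)}:
        problems.append("need exactly one primary and one secondary unit")
    for name, u in (("A", a), ("B", b)):
        if not u["enabled"]:
            problems.append(f"{name}: 'failover' never enabled")
        if "lan_if" in u and "link" not in u:     # stateless: conn table is not copied
            warnings.append(f"{name}: no 'failover link', conn table not replicated")
    problems += [f"{c} joins undefined failover group {g}"
                 for c, g in a["ctx_group"].items() if g not in a["groups"]]
    if len(a["groups"]) > 1 and len(set(a["groups"].values())) == 1:
        warnings.append("all failover groups prefer the same unit; one box idles")
    return problems, warnings

# --- constructed sample configs mirroring the lab (not device output) ---
SYSTEM_MULTI = "\n".join(
    [f"interface Ethernet{i}" for i in ("0", "1", "1.1", "1.2", "2", "2.1", "2.2", "3")]
    + ["context SALES", " allocate-interface Ethernet0 OUT",
       " allocate-interface Ethernet1.1 DMZ", " allocate-interface Ethernet1.2 INS",
       "context MARK", " allocate-interface Ethernet3 OUT",
       " allocate-interface Ethernet2.1 DMZ", " allocate-interface Ethernet2.2 INS"])
SYSTEM_AA_SHARED = "\n".join(            # section 4 step 3 without 'mac-address auto'
    ["interface Ethernet0", "interface Ethernet1", "interface Ethernet2",
     "context SALES", " allocate-interface Ethernet0", " allocate-interface Ethernet1",
     "context MARK", " allocate-interface Ethernet0", " allocate-interface Ethernet2"])

def failover_unit(role, link=False, key="cisco123"):
    """One unit's failover commands as typed in sections 2-4 (constructed)."""
    lines = ["failover lan interface FAILINT Ethernet3",
             "failover interface ip FAILINT 10.10.10.1 255.255.255.0 standby 10.10.10.2",
             f"failover lan unit {role}", f"failover key {key}"]
    if link:
        lines.append("failover link FAILINT Ethernet3")
    return "\n".join(lines + ["failover"])

ASA1_AA = failover_unit("primary", link=True) + "\n" + "\n".join(   # section 4 step 6
    ["failover group 1", " primary", "failover group 2", " secondary",
     "context SALES", " join-failover-group 1", "context MARK", " join-failover-group 2"])
```

Feed it the commands as typed rather than 'show running-config' output: the running config masks 'failover key' as asterisks, so a key mismatch (the most common reason a pair never reaches Active/Standby) is only visible in what was actually entered on each box. The same comparison pattern carries over to section 5, where the cluster group name, key and per-unit CCL address are the fields to check.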