How To Set Up High Availability On Cisco ASA

This article explains how to set up High Availability (HA) between two Cisco ASA devices. Running two Cisco ASAs in HA is highly recommended: if the primary Cisco ASA fails, the secondary becomes active automatically without any downtime.

Here is an example of how to configure it. Refer to the diagram for details:

According to the above diagram, here are the details:

  • Outside – Assign your external IP address to interface port 0 on each of the devices.
  • Inside – Assign your internal IP address to interface port 1 on each of the devices.
  • Failover – Assign an internal IP address to interface port 3 on each of the devices; it is used between the primary and secondary devices during failover.

Note: The interface assignments above are only an illustration, not a requirement. Adjust them according to your devices’ interfaces.

Now, enter the following commands on your Cisco ASA devices:

1. Set up failover interface on Primary ASA

enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown

2. Assign the failover IP Address on Primary Cisco ASA

Type the following commands to assign 10.10.10.1 to the 0/3 interface on the primary device. This device must also know the failover IP address of the standby; in this example, it is 10.10.10.2.

Don’t forget to specify a failover key, and make sure the same key is used when you configure failover on the secondary device. In this example, the failover key is “password”, a placeholder; use a strong, unique key on production devices.

failover lan interface LANFAIL gigabitethernet 0/3
failover interface ip LANFAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key password
failover link LANFAIL
exit
show failover

3. Assign the Outside IP Address on Primary Cisco ASA

config t
interface gigabitEthernet 0/0
nameif outside
ip address 200.200.200.1 255.255.255.0 standby 200.200.200.2
no shutdown
exit

4. Assign the Internal IP Address on Primary Cisco ASA

interface gigabitEthernet 0/1
nameif internal
security-level 100
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
no shutdown
exit
show run

5. Verify the configuration on Primary Cisco ASA

Type the following commands to monitor the data interfaces, enable failover and verify the configuration you have done.

monitor-interface outside
monitor-interface internal
exit
show failover
config t
failover
exit
show failover interface
show failover

6. Set up failover interface on Secondary ASA

config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface LANFAIL gigabitEthernet 0/3

 

7. Assign the failover ip-address on Secondary ASA using LANFAIL

failover interface ip LANFAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key password
failover link LANFAIL
failover
exit
show run
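
Step 2 requires both units to carry the same failover key, and steps 2 and 7 repeat the same LANFAIL settings on each device. The following Python script is an added example, not part of the original article, that checks the two command lists for agreement before they are typed into the devices. The inputs are constructed from the commands above; the weak-key list and the minimum key length are assumptions.

```python
import re

# Constructed inputs: the failover commands typed in steps 1-2 and 6-7.
PRIMARY = """\
failover lan unit primary
failover lan interface LANFAIL gigabitethernet 0/3
failover interface ip LANFAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key password
failover link LANFAIL
"""
SECONDARY = """\
failover lan unit secondary
failover lan interface LANFAIL gigabitEthernet 0/3
failover interface ip LANFAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key password
failover link LANFAIL
"""
WEAK_KEYS = {"password", "cisco", "failover", "123456"}  # assumed denylist
MIN_KEY_LEN = 12  # assumed local policy, not a Cisco requirement

def parse_failover(text):
    """Map each failover sub-command to its arguments."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*failover (lan unit|lan interface|interface ip|key|link)\s+(\S.*)", line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            # Interface names differ in case between steps 2 and 6; the key is kept as typed.
            cfg[name] = value if name == "key" else value.lower()
    return cfg

def audit_pair(primary_text, secondary_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    findings = []
    if p.get("lan unit") != "primary" or s.get("lan unit") != "secondary":
        findings.append("unit roles must be primary/secondary")
    for field in ("lan interface", "interface ip", "key", "link"):
        if field not in p or field not in s:
            findings.append(f"'failover {field}' missing on one unit")
        elif p[field] != s[field]:
            findings.append(f"'failover {field}' differs between units")
    key = p.get("key", "")
    if key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LEN:
        findings.append("failover key is weak or a placeholder")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair(PRIMARY, SECONDARY)) or "pair is consistent")
```

Run against the article's sample values, the only finding is the placeholder key; a mistyped or missing failover command on either unit is reported as missing.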

 

8. Automatic Configuration Copy from Primary Cisco ASA to Secondary Cisco ASA

All other configurations are automatically copied from the primary Cisco ASA device to the standby Cisco ASA device using the following commands:

config t
interface gigabitEthernet 0/3
no shutdown
exit
show failover

 

9. Additional Commands on Primary Cisco ASA

config t
no monitor-interface management

route outside 0.0.0.0 0.0.0.0 200.200.200.x
exit

 
