This article explains how to set up ACTIVE / STANDBY between 2 Cisco ASA devices. This way, if the primary ASA fails, the secondary becomes active automatically without any downtime.
The diagram above shows the IP addresses assigned to the primary and secondary Cisco ASA devices in this example.
Do the basic configuration for the primary ASA unit
Outside – Assign your external ip-address to the interface GigabitEthernet0/0 on primary ASA.
Inside – Assign your internal ip-address to the interface GigabitEthernet0/2 on primary ASA.
    interface GigabitEthernet0/0
     nameif outside
     ip address 10.11.32.83 255.255.255.0
     no shutdown
     exit
    interface GigabitEthernet0/2
     nameif inside
     ip address 192.168.1.1 255.255.255.0
     no shutdown
     exit
Configure nat, route, dhcp server
    nat (inside,outside) after-auto source dynamic any interface
    route outside 0.0.0.0 0.0.0.0 10.11.32.140
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd enable inside
    policy-map global_policy
     class inspection_default
      inspect icmp
      exit
     exit
    write memory
Execute the following commands to mark the port GigabitEthernet0/1 as failover lan unit primary.
You should also specify a failover key. Make sure the same key is used when you are configuring failover on the secondary device. In this example, the failover key is "secret". The key authenticates and encrypts the traffic on the failover link, so in production replace "secret" with a long, random value.
Assign "10.10.1.1" to the GigabitEthernet0/1 interface
Next, execute the following commands, which assign "10.10.1.1" to the GigabitEthernet0/1 interface on the primary device. This device should also know the failover IP address of the standby; in this example, it is 10.10.1.2.
    failover lan unit primary
    failover lan interface folink GigabitEthernet0/1
    failover key secret
    failover link folink
    failover interface ip folink 10.10.1.1 255.255.255.0 standby 10.10.1.2
    interface GigabitEthernet0/1
     no shutdown
     exit
    failover
    write memory
Setup failover interface on Secondary ASA
Execute the following commands to mark the GigabitEthernet0/1 interface as failover lan unit secondary. You should also specify a failover key. Make sure the same key that you used while configuring primary ASA is used here also. In this example, the failover key is "secret".
Execute the following commands, which specify that the primary folink IP address is 10.10.1.1 and the standby is 10.10.1.2. Once you configure the folink as shown here, all other configurations are automatically copied from the primary Cisco ASA device to the standby Cisco ASA device.
    no failover
    failover lan unit secondary
    failover lan interface folink GigabitEthernet0/1
    failover key secret
    failover link folink
    failover interface ip folink 10.10.1.1 255.255.255.0 standby 10.10.1.2
    interface GigabitEthernet0/1
     no shutdown
     exit
    failover
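Both units must carry the same failover key and the same folink addressing, and only the unit role may differ. The Python script below is an added example (not part of the original article or of any Cisco tool) that checks the two command sets before they are pasted; MIN_KEY_LEN, PATTERNS and the function names are assumptions of this example, and the sample input is constructed from the commands in this article.

```python
import ipaddress
import re
# Constructed input: the failover commands shown in this article.
PRIMARY = """failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover key secret
failover link folink
failover interface ip folink 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover"""
SECONDARY = "no failover\n" + PRIMARY.replace("unit primary", "unit secondary")
MIN_KEY_LEN = 16  # assumption: local policy threshold, not a Cisco requirement
PATTERNS = {      # setting name -> regex for the command that sets it
    "unit": r"failover lan unit (primary|secondary)",
    "lan_if": r"failover lan interface (\S+ \S+)",
    "key": r"failover key (\S+)",
    "link": r"failover link (\S+)",
    "ip": r"failover interface ip \S+ (\S+ \S+ standby \S+)",
}

def parse_failover(text):
    """Return the failover settings found in a block of ASA commands."""
    cfg = {"enabled": False}
    for line in map(str.strip, text.splitlines()):
        if line in ("failover", "no failover"):
            cfg["enabled"] = line == "failover"  # the last one wins
        for name, pattern in PATTERNS.items():
            if m := re.fullmatch(pattern, line):
                cfg[name] = m.group(1)
    return cfg

def check_pair(primary_text, secondary_text):
    """List the mismatches that would keep the two units from pairing safely."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    problems = []
    if (p.get("unit"), s.get("unit")) != ("primary", "secondary"):
        problems.append("unit roles must be primary and secondary")
    for name in ("lan_if", "link", "ip", "key"):
        if name not in p or p.get(name) != s.get(name):
            problems.append(f"'{name}' missing or different between units")
    if len(p.get("key", "")) < MIN_KEY_LEN:
        problems.append("failover key missing or shorter than policy minimum")
    if "ip" in p:
        active, mask, _, standby = p["ip"].split()
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.ip_address(standby) not in net:
            problems.append("standby IP must differ and share the folink subnet")
    if not (p["enabled"] and s["enabled"]):
        problems.append("failover not enabled on both units")
    return problems
```

Run it against the command scripts themselves: the running configuration displays the failover key masked, so the keys cannot be compared from that output.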
Now, if the primary ASA fails, the secondary becomes active automatically without any downtime.