In the second installment of her series on setting up a Cisco ASA firewall, Lauren Malhoit runs through setting up management access and then setting up a cluster with two ASAs.
In part one of my ASA firewall series I went through the initial updating and preparing inside interfaces and routes. I don't know about you, but I'm pretty lazy, so my first priority is to allow access to network devices from anywhere on the network. I'll do a quick run-through on setting up management access and then go through setting up a cluster with two ASAs.
First things first...let's get the management access going. Click on the Configuration button in the top-left corner of the ASDM and click on the Device Management button in the lower-left corner. Expand Management Access in the Device Management tree. The management interface will probably already be in there, as that's what you've been using to access the ASDM while directly connected via a network cable. Now that we have inside interfaces and routes configured, though, we can open this up to the network. Please make sure you're only opening it to networks that are absolutely necessary. For my example, I'll be using the IT subnet we configured last time in the 192.168.12.0 network.
1. Click Add
2. Click ASDM/HTTPS to allow access to the ASDM GUI.
*Note: you can also use Telnet or SSH if you prefer command line. I highly suggest you don't use Telnet, since it communicates using plaintext, which means someone snooping on your network could intercept the communication and be able to plainly see usernames, passwords, and configuration settings.
3. In the IP address field type 192.168.12.0 to allow access to that network.
4. In the Mask field type 255.255.255.0.
*You can narrow this down even more if you use static IP addresses. For example, if your computer has a static IP of 192.168.12.5, use that as your IP address and use 255.255.255.255 as your Mask. Figure A shows the resulting dialog box.
5. Click OK and Apply at the bottom of the page. You can also click save to ensure your firewall saves this configuration and applies it next time you do a system reload.
You should now be able to head back to your desk and access the ASDM (or command line) from your computer on the 192.168.12.0 network. My next concern is setting up the Active/Standby cluster so I don't have a single point of failure.
To set up the cluster, make sure you have all appropriate network cables plugged in to the proper VLANs on your switch. In my setup, I have both management interfaces connected to a management VLAN on the layer 3 switch, a network cable going directly from one device to the other, and my inside and outside interfaces connected to the appropriate VLANs on the layer 3 switch. Then follow these steps:
1. On the Active device click on the Configuration button and then the Device Management button.
2. Now expand High Availability and click on Failover.
3. On the Setup tab put a check mark next to Enable Failover and Use 32 hexadecimal character key (otherwise communication between the two devices will be done in plaintext).
4. Enter a shared key of your choosing.
5. Under LAN failover, select the interface that you're using for failover (the interface that is directly connected to the other ASA).
6. Choose a Logical Name (ex: failover)
7. Choose the IP of the Active device, which can be arbitrary. If you're using 192.168.x.x in your normal network configuration, maybe choose a 10.x.x.x IP address.
8. Choose the IP of the Standby device. For example if you used 10.10.10.2 for your Active IP, use 10.10.10.3.
9. Pick your subnet mask (which would be 255.255.255.0 in my example, meaning the first 3 octets need to match).
10. Choose the primary role for this Active device. Figure B shows the resulting dialog box.
11. Click Apply and it should automatically set up the failover configuration on both devices. If you look at the front of the ASAs, the LEDs will indicate whether failover has been set up. The LED under "Active" will be green on the Active device (which is the preferred primary right now) and amber/orange under "Active" on the Standby. You can test whether failover is set up correctly by pulling the network cable on the Active device from the Inside interface. Now if you look at the front, the Active LED should be green on what was the Standby device. You should also still be able to connect to the ASDM from the network, though you may need to refresh it or sign back in if you already had it up. You will also see this reflected in the Device Dashboard under Failover Status on the ASDM. See Figure C.
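For readers who prefer the command line (or want to audit what ASDM wrote), here is the CLI equivalent of both procedures above, the management-access steps and the failover steps, as an added example that is not from the original article. It assumes the management interface has the default nameif "management", that GigabitEthernet0/3 is the directly cabled failover link, and that the hex key is a placeholder you replace with your own 32-hex-character value.

```cisco
! --- Management access: ASDM over HTTPS (and SSH) from the IT subnet only ---
http server enable
http 192.168.12.0 255.255.255.0 management
ssh 192.168.12.0 255.255.255.0 management
! Narrower alternative: a single admin workstation (/32) instead of the whole subnet
! http 192.168.12.5 255.255.255.255 management
! Telnet is deliberately not enabled; it carries credentials in plaintext.

! --- Active/Standby failover, entered on the primary unit ---
! Bring up the physical failover link (ASDM does this for you; the CLI does not).
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.2 255.255.255.0 standby 10.10.10.3
! Encrypts the failover/state traffic; without a key it is sent in plaintext.
failover key hex 00112233445566778899AABBCCDDEEFF   ! placeholder, use your own
failover
```

On the secondary unit, repeat the failover block with `failover lan unit secondary` (same link, IPs and key); once both units see each other, the rest of the configuration replicates from the active unit.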
After Parts 1 and 2 we can now access the device over the network and no longer need to worry about a single point of failure. In the next installments of this series I will go through setting up the outside interface and configuring the ASAs to work with Active Directory.