R1 Configuration

R1# conf t
R1(config)# int f0/1
R1(config-if)# ip address 10.10.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)# int lo0
R1(config-if)#ip address 8.8.8.8 255.255.255.0
R1(config-if)# !route to linux via asa firewall
R1(config-if)#ip route 192.168.10.0 255.255.255.0 10.10.10.2
R1(config)#do show ip int brief
R1(config)#do write
R2 Configuration
R2#conf t
R2(config)#int range f1/0-2
R2(config-if-range)# no shut
R2(config-if-range)#do wr mem
R3 Configuration
R3#conf t
R3(config)#int range f1/1-3
R3(config-if-range)# no shut
R3(config-if-range)#do wr mem

! R2 and R3 are used as managed switches
R2(config-if-range)# do sh ip int brief

ASA 1 Configuration (failover active)
ASA#conf t
ASA(config)#int g0
ASA(config-if)#nameif outside
ASA(config-if)#ip address 10.10.10.2 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#int g1
ASA(config-if)#nameif inside
ASA(config-if)#ip address 192.168.10.254 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#! LAN failover interface assignment
ASA(config-if)#int g2
ASA(config-if)#description LAN failover interface
ASA(config-if)#no shut
ASA(config-if)#exit
ASA(config)#! Failover config here
ASA(config)#failover lan unit primary
ASA(config)#failover lan interface folink g2
ASA(config)#failover link folink g2
ASA(config)#failover interface ip folink 172.16.1.1 255.255.255.0 standby 172.16.1.0

ASA(config)#! State link interface, brought up as on ASA2
ASA(config)#int g3
ASA(config-if)#no shut
ASA(config-if)#failover link state g3
ASA(config)#failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0

ASA(config)#! Default route to R1
ASA(config)#route outside 0.0.0.0 0.0.0.0 10.10.10.1
ASA(config)#monitor-interface inside
ASA(config)#monitor-interface outside

ASA(config)#! The two commands above monitor both interfaces for failover
ASA(config)#hostname Active/Standby

! Open ASA 2 while ASA 1 is still open

ASA 2 CONFIGURATION
ASA2#conf t
ASA2(config)#int g0
ASA2(config-if)#no shut
ASA2(config-if)#int g2
ASA2(config-if)#no shut
ASA2(config-if)#int g3
ASA2(config-if)#no shut
ASA2(config-if)#exit
ASA2(config)#failover lan unit secondary
ASA2(config)#failover lan interface folink g2
ASA2(config)#failover link folink g2
ASA2(config)#failover interface ip folink 172.16.1.1 255.255.255.0 standby 172.16.1.0
ASA2(config)#failover link state g3
ASA2(config)#failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0
Both ASA1 and ASA2 are now configured. The only command left is failover, entered on both ASA1 and ASA2.
ASA1(config)#failover
ASA2(config)#failover

ASA1#show failover state
ASA2#show failover
ASA2#show run failover

Failover is working: we can see that replication is taking place.
The IP addresses of the failover interfaces are identical on both ASA1 and ASA2.
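One way to check that statement before entering the final failover command, as an added example that is not part of the original lab notes: a Python script that compares the failover address lines of the two units and checks that each active and standby address is a usable host in the link's subnet. The function names are hypothetical and the two samples are constructed from the commands as typed in this lab, with one mistyped octet on the primary.

```python
import ipaddress
import re
# failover interface ip <name> <active> <mask> standby <standby>
FO_IP = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)")
FO_UNIT = re.compile(r"failover lan unit (primary|secondary)")
# Constructed samples (not captured from a device): the failover lines typed on
# each unit, with a mistyped octet (172.168) on the primary.
PRIMARY = """failover lan unit primary
failover interface ip folink 172.168.1.1 255.255.255.0 standby 172.16.1.0
failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0"""
SECONDARY = """failover lan unit secondary
failover interface ip folink 172.16.1.1 255.255.255.0 standby 172.16.1.0
failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.0"""

def parse_unit(config):
    """Return (role, {link_name: (active, mask, standby)})."""
    role, links = None, {}
    for line in config.splitlines():
        line = line.strip()
        if m := FO_UNIT.fullmatch(line):
            role = m.group(1)
        elif m := FO_IP.fullmatch(line):
            links[m.group(1)] = m.groups()[1:]
    return role, links

def check_link(unit, name, active, mask, standby):
    """Both addresses must be usable hosts in the subnet of the active one."""
    findings = []
    net = ipaddress.ip_interface(f"{active}/{mask}").network
    for label, addr in (("active", active), ("standby", standby)):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            findings.append(f"{unit} {name}: {label} {addr} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            findings.append(f"{unit} {name}: {label} {addr} is not a host address in {net}")
    return findings

def compare_units(primary_cfg, secondary_cfg):
    """List every inconsistency between the two units' failover lines."""
    (p_role, p_links), (s_role, s_links) = parse_unit(primary_cfg), parse_unit(secondary_cfg)
    findings = []
    if (p_role, s_role) != ("primary", "secondary"):
        findings.append(f"unit roles are {p_role}/{s_role}, expected primary/secondary")
    for name in sorted(set(p_links) | set(s_links)):
        if p_links.get(name) != s_links.get(name):
            findings.append(f"{name}: address line differs between the units")
        for unit, links in (("primary", p_links), ("secondary", s_links)):
            if name in links:
                findings += check_link(unit, name, *links[name])
    return findings
```

Calling compare_units(PRIMARY, SECONDARY) returns a list of findings; an empty list means the two units agree and every address is a usable host address.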



Let's try to ping from XP to the gateway, the active ASA IP address
ASA# show int ip brief
! gigabitethernet 1 192.168.10.254/24
XP1: 192.168.10.253 255.255.255.0 gw 192.168.10.254
Ping : 192.168.10.254
Now let's try to access the lo0 address on R1 from XP

R1# show ip int bri
R1# Ping 8.8.8.8
! ACL is missing on ASA Firewall
ASA1(config)#access-list inside-in permit icmp any any echo
ASA1(config)#access-list outside-in permit icmp any any echo-reply

We should not make configuration changes on the standby device
ASA1(config)#access-group inside-in in interface inside
ASA1(config)#access-group outside-in in interface outside

We can use a command to show in the prompt which unit is active and which one is standby
ASA1(config)#prompt hostname state
ASA1(config)#wr mem

Now let's try to reach the lo0 address on R1 from XP
! we can reach it via R1




Now let's test whether failover is working: we will shut down one of the interfaces on R2, f1/0
R2(config)#int f1/0
R2(config-if)#shutdown
XP ping
Now let's try to shut down the ASA
XP should be able to ping lo0 correctly after 3 or 4 timeouts

ASA1#reload
XP establishes a connection to R1 lo0

ASA2#show failover state
ASA2 became the ACTIVE device

After ASA1 has rebooted, we will shut down ASA2 to see whether failover works from ASA1
ASA1 is back; let's see the failover state on both ASA1 and ASA2
! ping continues without interruption
Now let's reboot ASA2
ASA2#reload
XP times out, the ASA turns ACTIVE, and the XP traffic path moves back to ASA1

CONCLUSION : FAILOVER IS WORKING