A few weeks ago I installed two Cisco ASA 5510 devices for ISP and Active/Standby failover. In an earlier post I wrote about the ISP failover; now I'm going to write about the Active/Standby failover.

For Active/Standby failover you need two Cisco ASAs; in my example I use two Cisco ASA 5510s.

First configure the Cisco ASA as you normally would, with one exception on the interfaces: every interface that should fail over also gets a standby address. In this case I wanted failover on both the internal and the external interface.

You start at the interfaces.

Outside interface
Ciscoasa(config)# interface Ethernet 0/0
Ciscoasa(config-if)# description interface to <access device> internet-connection
Ciscoasa(config-if)# nameif outside
Ciscoasa(config-if)# security-level 0
Ciscoasa(config-if)# ip address <ip address> <subnet mask> standby <standby ip address>

Inside interface
Ciscoasa(config)# interface Ethernet 0/1
Ciscoasa(config-if)# description interface to local area network (LAN)
Ciscoasa(config-if)# nameif inside
Ciscoasa(config-if)# security-level 100
Ciscoasa(config-if)# ip address <ip address> <subnet mask> standby <standby LAN ip address>

First clear the existing configuration from the Management interface and bring it up; it will be used as the failover link:

Ciscoasa(config)# clear configure interface Management 0/0
Ciscoasa(config)# interface Management 0/0
Ciscoasa(config-if)# no shut

Now configure the failover on the primary unit. Start with:

failover lan interface failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.253
failover key myf@1l0v3rk3y
failover lan unit primary
failover

The failover command above enables failover. The following command additionally uses the same interface as the stateful failover link, so that connection state is replicated to the standby unit:

failover link failover Management0/0

Save your configuration (write mem).

Next configure the secondary Cisco ASA (the standby device) for failover.

Enter enable mode
ciscoasa>
ciscoasa> en
Password:
ciscoasa#
Open the failover link and issue a “no shut” command.
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#
Turn on LAN interface for failover.
ciscoasa(config)#
ciscoasa(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#
Give it the failover interface IP address (yes, exactly the same command as on the primary firewall; there won't be a conflict, because the failover interface IP and standby IP must be identical on both units).
ciscoasa(config)#
ciscoasa(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.253
ciscoasa(config)#
Give it the same key you configured on the primary above.
ciscoasa(config)#
ciscoasa(config)# failover lan key myf@1l0v3rk3y
ciscoasa(config)#
Set it as the secondary (standby firewall).
ciscoasa(config)#
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)#
Turn on failover.
ciscoasa(config)#
ciscoasa(config)# failover
ciscoasa(config)#
You should see:
Detected an Active mate
Beginning configuration replication from mate.
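Every failover setting except the unit role has to be identical on both units, so a quick consistency check before pasting the secondary's configuration saves a lot of debugging. The Python script below is an added example, not from this post or from Cisco; its config snippets are constructed, and the secondary deliberately carries a different standby address to show what the check reports.

```python
import re

# Constructed primary/secondary snippets, not the post's own devices. The
# secondary carries a different standby address, which the check must flag.
PRIMARY = """\
failover lan interface failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.253
failover key myf@1l0v3rk3y
failover lan unit primary
failover
"""
SECONDARY = (PRIMARY.replace("standby 172.16.254.253", "standby 172.16.254.250")
                    .replace("lan unit primary", "lan unit secondary"))


def parse_failover(cfg):
    """Collect the failover settings that must match (or differ) between units."""
    f = {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line)
        if m:
            f["link"], f["ip"], f["mask"], f["standby"] = m.groups()
        elif line.startswith("failover lan interface "):
            f["lan_if"] = line.split()[-1]
        elif line.startswith("failover lan unit "):
            f["unit"] = line.split()[-1]
        elif line.startswith(("failover key ", "failover lan key ")):
            f["key"] = line.split()[-1]
        elif line == "failover":
            f["enabled"] = True
    return f


def check_pair(primary_cfg, secondary_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    issues = []
    for key in ("lan_if", "link", "ip", "mask", "standby", "key"):
        if p.get(key) != s.get(key):
            issues.append(f"{key} differs: primary={p.get(key)} secondary={s.get(key)}")
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        issues.append(f"unit roles must be primary/secondary, got {p.get('unit')}/{s.get('unit')}")
    if not (p.get("enabled") and s.get("enabled")):
        issues.append("failover is not enabled on both units")
    if "key" not in p:
        issues.append("no failover key: the failover link is unauthenticated")
    return issues


if __name__ == "__main__":
    for issue in check_pair(PRIMARY, SECONDARY) or ["pair is consistent"]:
        print(issue)
```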

I ran into an issue on a running SBS 2008 server where the free disk space was too low. Before we could expand the disk drives I had to find a workaround, and one is available locally on Windows Server 2008 SBS: moving the WSUS content store to another location.

What you need for this:
1. A network location with enough free space, for example a NAS.
2. You have to know where the local WSUS content is located on the Small Business Server.

First open a command prompt (CMD) and change to C:\Program Files\Update Services\Tools.

From that folder, type:

wsusutil.exe movecontent \\<networklocation>\wsusshare\<foldername> \\<networklocation>\wsusshare\<foldername>\<logname>.log -skipcopy

The -skipcopy switch only updates the WSUS database with the new content location; it does not copy the existing content files, so copy them to the new share yourself before running it.

After entering this command, wait for it to complete and do not interrupt it.

You will get a message:
Content location is being moved. Please do not stop this program.
Content move has successfully finished.

When this is finished you can start a new synchronization. You will notice that WSUS sometimes does not respond during it; just wait until the synchronization is finished.

How to create an ISP failover on a Cisco ASA 5510. What you need for this solution:

  1. Two Internet providers.
  2. An Internet access device for each ISP (in bridged mode).
  3. One Cisco ASA 5510 with a security bundle.

Before you start with the configuration, keep in mind that you can combine this with a stateful failover setup of two Cisco ASA 5510s.

interface Ethernet 0/2
description internet connection ISP 1
nameif outside
security-level 0
ip address <external ip address> <subnetmask>

Above is the interface configuration for the first ISP; the second ISP gets its own interface:

interface Ethernet 0/3
description internet connection ISP 2
nameif outside2
security-level 0
ip address <external ip address> <subnetmask>

Configure the local area network (LAN) interface:

interface Ethernet 0/0
description Local Area Network (LAN)
nameif inside
security-level 100
ip address <internal ip address> <subnetmask>

Configure global NAT/PAT (pre-8.3 syntax) so that inside hosts are translated to whichever outside interface is in use:

global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Configure the default routes: a tracked primary route with metric 1 via ISP 1, and a backup route with metric 254 via ISP 2 that only takes over when the tracked route is withdrawn:

route outside 0.0.0.0 0.0.0.0 <gateway ISP 1> 1 track 1
route outside2 0.0.0.0 0.0.0.0 <gateway ISP 2> 254

Now configure an SLA monitor (automatic reachability tracking of an external IP address or website), sending its probes out of the primary ISP interface:

sla monitor 123
type echo protocol ipIcmpEcho 1.1.1.1 interface outside
num-packets 3
frequency 10

Start this monitor with the command:

sla monitor schedule 123 life forever start-time now

After you have configured and started the monitor, create the tracking object that the static route configured earlier refers to (track 1):

track 1 rtr 123 reachability
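The chain route -> track -> sla monitor -> schedule has to be complete, or the tracked route is never installed and traffic silently stays on the backup ISP. The Python check below is an added example, not part of this post or of Cisco's tooling; its config snippet is constructed (documentation gateway addresses) and omits the schedule line on purpose.

```python
import re

# Constructed ASA snippet, not the post's real configuration: documentation
# gateway addresses, and the "sla monitor schedule" line is left out on
# purpose so the check has something to report.
CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 frequency 10
track 1 rtr 123 reachability
"""
SCHEDULE = "sla monitor schedule 123 life forever start-time now\n"


def check_tracked_routes(cfg):
    """Walk route -> track -> sla monitor -> schedule and report broken links."""
    monitors = set(re.findall(r"^sla monitor (\d+)\s*$", cfg, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+)\b", cfg, re.M))
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", cfg, re.M))
    # Default routes only: (interface, gateway, metric, track id or '')
    routes = re.findall(
        r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?\s*$", cfg, re.M)
    tracked = [r for r in routes if r[3]]
    issues = []
    if not tracked:
        issues.append("no tracked default route: ISP failover can never trigger")
    for ifname, _gw, _metric, track_id in tracked:
        sla_id = tracks.get(track_id)
        if sla_id is None:
            issues.append(f"route {ifname}: track {track_id} is not defined")
        elif sla_id not in monitors:
            issues.append(f"track {track_id}: sla monitor {sla_id} is not defined")
        elif sla_id not in scheduled:
            issues.append(f"sla monitor {sla_id} is never scheduled (track {track_id} stays down)")
    # The backup route must be untracked and worse (higher metric) than the primary
    if tracked and not any(not r[3] and int(r[2]) > int(tracked[0][2]) for r in routes):
        issues.append("no untracked backup default route with a higher metric")
    return issues


if __name__ == "__main__":
    print(check_tracked_routes(CONFIG))             # broken chain
    print(check_tracked_routes(CONFIG + SCHEDULE))  # complete chain
```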

Today I was figuring out how to get an automatic backup of the configuration of a Cisco router. After some searching I found a Cisco document (click here).

This document describes how to create an automatic backup. What you need for it:

  1. A computer or server with an FTP or TFTP server installed.
  2. A static IP address for that device.
  3. A Cisco router or Catalyst switch.

How to configure:

Go to configuration terminal mode.
Type "kron policy-list" and give the list a name, for example "BACKUP".
Under the policy list, add a "cli" line with the command to run, like the one in the picture below.


After you have made the policy list, you have to create an occurrence schedule.
You create it with the command "kron occurrence <backup-schedule-name> at <time> <date> (one-time or recurring)", as in the picture above.

After this, point the occurrence at the backup policy list (policy-list BACKUP under the occurrence); otherwise your kron backup schedule does not work.

This is tested and works. The only disadvantage is that it overwrites the old file and does not create a new file with the time and date.

I noticed this on an installation I made for trunking between an HP ProCurve switch and some ESX servers. After some weeks of issues I found a solution to get rid of the dropped TX packets.

You need to configure the following on your switch (I used an HP ProCurve 4208GL):

interface D5
name “TRUNK-to-ESX”
flow-control
exit
interface D6
name “TRUNK-to-ESX”
flow-control
exit
interface D7
name “TRUNK-to-ESX”
flow-control
exit
interface D8
name "TRUNK-to-ESX"
flow-control
exit

As you can see I used flow-control; you need to enable this option first in global configuration mode.
Then create the trunk:

trunk D5-D8 Trk2 Trunk

The VLAN configuration needs to be changed:

vlan 1
name "DEFAULT_VLAN"
untagged <untagged interfaces>,Trk2
ip address <ip address>
no untagged <no untagged interfaces>
exit

The trunk(s) need to be added to the default VLAN.
Furthermore, configure spanning tree on the switch for Trk2 (in this case):

spanning-tree Trk2 priority 4

After this change you will see that no packets are dropped any more on this trunk.
In another article I will describe the settings for the ESX server.