
ASA Redundancy Active/Active

   Mar 13, 2023     3 min read

Basic ASA redundancy configuration

(image)

Step 01. Multiple context mode and interfaces

ASA 1, 2)

! Switch both units to multiple-context mode (the ASA reboots and converts its
! configuration) and bring up the physical interfaces in the system execution space.
mode multiple
show mode
show context

interface e1
 no shutdown

interface e2
 no shutdown

interface e0
 no shutdown



ASA 1)

! Sub-interfaces are created in the system execution space on the primary only;
! ASA 2 receives them through configuration replication once failover is up.
interface e0.10
 vlan 10

interface e0.20
 vlan 20



S4)

! Access ports for the two VLANs, and dot1q trunks carrying both VLANs.
interface g0/2
 switchport mode access
 switchport access vlan 10

interface g0/3
 switchport mode access
 switchport access vlan 20

interface range g0/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk



Step 02. Security contexts

(image)

ASA 1)

! Both contexts share e1 as their outside interface; each gets its own VLAN
! sub-interface as inside.
context C1-ASA
 allocate-interface e1
 allocate-interface e0.10
 config-url C1-ASA.cfg

context C2-ASA
 allocate-interface e1
 allocate-interface e0.20
 config-url C2-ASA.cfg

! Give each context's copy of the shared interface its own MAC address so frames
! arriving on e1 can be classified to the right context.
mac-address auto

show context

changeto context C1-ASA

! Each context has its own active and standby address on the shared outside
! segment and on its inside VLAN; the standby address is used by the peer unit
! while it is standby for this context's failover group.
interface e1
 ip address 1.1.12.1 255.255.255.0 standby 1.1.12.2
 nameif outside
 security-level 0

interface e0.10
 ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
 nameif inside
 security-level 100

route outside 0 0 1.1.12.3

! Hide the inside network behind the context's outside interface address.
object network inside_net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

changeto context C2-ASA

interface e1
 ip address 1.1.12.22 255.255.255.0 standby 1.1.12.11
 nameif outside
 security-level 0

interface e0.20
 ip address 192.168.20.254 255.255.255.0 standby 192.168.20.253
 nameif inside
 security-level 100

route outside 0 0 1.1.12.3

object network inside_net
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface



Step 03. Failover

(image)

  • Each context joins a failover group. Group 1 prefers the primary unit and group 2 the secondary, so both units forward traffic (C1-ASA on ASA 1, C2-ASA on ASA 2) while each stands by for the other's group.
  • The failover link on e2 carries the whole configuration, including passwords, plus the connection state. The failover key authenticates and encrypts that traffic; without it everything crosses the link in clear text.

Method

ASA 1)

changeto system

! Designate this unit as primary, define the failover LAN link on e2, reuse the
! same link as the stateful link, and set the shared key.
failover lan unit primary
failover lan interface FL e2
failover interface ip FL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover link FL e2
failover key cisco321

! Preferred unit per group; preempt lets a group move back to its preferred
! unit when that unit becomes available again.
failover group 1
 primary
 preempt

failover group 2
 secondary
 preempt

context C1-ASA
 join-failover-group 1

context C2-ASA
 join-failover-group 2

failover



ASA 2)

! State the role explicitly, then repeat the link definition exactly as on
! ASA 1 (same interface, addresses and key) so the units can pair; the rest of
! the configuration is replicated from ASA 1 once failover is enabled.
failover lan unit secondary
failover lan interface FL e2
failover interface ip FL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco321

failover



Result

(image)

ASA 2)

(image)

Step 04. Monitoring sub-interfaces

  • The ASA monitors only physical interfaces for failover by default; sub-interfaces are not monitored. The administrator therefore has to enable monitoring for them explicitly with monitor-interface, otherwise a failed VLAN sub-interface does not count towards an interface failover.
  • In Active/Active mode a context can only be configured on the unit where its failover group is currently active (changes replicate from there to the peer), which is why C1-ASA is done on ASA 1 and C2-ASA on ASA 2.

Method

ASA 1)

changeto context C1-ASA
monitor-interface inside



ASA 2)

changeto context C2-ASA
monitor-interface inside



Result

ASA 1)

(image)

(image)

Both show up as Monitored.
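As an added example (mine, not part of the original post or of any Cisco tool), the script below parses ASA-style system and context configuration text and reports the mistakes Steps 03 and 04 guard against: a secondary that does not repeat the failover link settings or omits failover lan unit, failover groups that all prefer the same unit (which silently gives Active/Standby behaviour), and allocated sub-interfaces with no monitor-interface. The sample configs are constructed inline from this lab's own commands, and the function names parse_system, check_pair and unmonitored_subinterfaces are my own.

```python
# Added example, not from the original post: lint ASA-style config text for
# the two things this lab relies on. Samples and function names are my own.
# Constructed samples transcribed from the lab. ASA 2 reproduces the missing
# 'failover lan unit' line; C2-ASA is shown as it is before Step 04.
ASA1_SYSTEM = """\
context C1-ASA
 allocate-interface e1
 allocate-interface e0.10
context C2-ASA
 allocate-interface e1
 allocate-interface e0.20
failover lan unit primary
failover lan interface FL e2
failover interface ip FL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco321
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
"""
ASA2_SYSTEM = """\
failover lan interface FL e2
failover interface ip FL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco321
"""
C1_CTX = "interface e1\n nameif outside\ninterface e0.10\n nameif inside\nmonitor-interface inside\n"
C2_CTX = "interface e1\n nameif outside\ninterface e0.20\n nameif inside\n"
# Link settings the secondary must repeat verbatim before the units can pair.
LINK_CMDS = ("failover lan interface", "failover interface ip", "failover key")


def parse_system(cfg):
    """Failover-relevant settings; sub-commands are found by ASA's one-space indent."""
    s = {"unit": None, "link": set(), "groups": {}, "contexts": {}}
    section = None  # ("group", id) or ("context", name) while inside one
    for raw in cfg.splitlines():
        line, w = raw.strip(), raw.split()
        if not w:
            continue
        if not raw.startswith(" "):
            section = None
        if line.startswith(LINK_CMDS):
            s["link"].add(line)
        elif w[:3] == ["failover", "lan", "unit"]:
            s["unit"] = w[3]
        elif w[:2] == ["failover", "group"]:
            section = ("group", w[2])
            s["groups"][w[2]] = set()          # sub-commands: primary/secondary/preempt
        elif w[0] == "context":
            section = ("context", w[1])
            s["contexts"][w[1]] = []           # allocated interfaces
        elif section and section[0] == "group":
            s["groups"][section[1]].add(w[0])
        elif section and section[0] == "context" and w[0] == "allocate-interface":
            s["contexts"][section[1]].append(w[1])
    return s


def check_pair(a, b, names=("ASA 1", "ASA 2")):
    """Mismatches between the units; groups replicate from the primary, so they are checked there."""
    out = []
    for name, u in zip(names, (a, b)):
        if u["unit"] is None:
            out.append(f"{name}: no 'failover lan unit' line (state primary/secondary explicitly)")
    if None not in (a["unit"], b["unit"]) and {a["unit"], b["unit"]} != {"primary", "secondary"}:
        out.append("one unit must be primary and the other secondary")
    if a["link"] != b["link"]:
        out.append("failover link settings differ; the secondary must repeat interface, IPs and key exactly")
    prefs = {"secondary" if "secondary" in g else "primary" for g in a["groups"].values()}
    if len(a["groups"]) >= 2 and len(prefs) < 2:
        out.append("all failover groups prefer the same unit: Active/Standby, not Active/Active")
    return out


def unmonitored_subinterfaces(system, contexts):
    """Allocated sub-interfaces with no monitor-interface: failover never watches them."""
    out = []
    for ctx, ifaces in system["contexts"].items():
        nameif, monitored, cur = {}, set(), None
        for w in (l.split() for l in contexts[ctx].splitlines() if l.strip()):
            if w[0] == "interface":
                cur = w[1]
            elif w[0] == "nameif":
                nameif[w[1]] = cur
            elif w[0] == "monitor-interface":
                monitored.add(w[1])
        out += [(ctx, n, i) for n, i in nameif.items()
                if "." in i and i in ifaces and n not in monitored]
    return out


if __name__ == "__main__":
    asa1, asa2 = parse_system(ASA1_SYSTEM), parse_system(ASA2_SYSTEM)
    print(*check_pair(asa1, asa2), sep="\n")
    print(*unmonitored_subinterfaces(asa1, {"C1-ASA": C1_CTX, "C2-ASA": C2_CTX}), sep="\n")
```

Run as a script it prints the findings for the samples: ASA 2 lacking its failover lan unit line, and C2-ASA's inside (e0.20) not being monitored. To lint real units, feed it the output of show running-config taken in the system execution space and in each context; it relies on the one-space indentation the ASA prints before sub-commands, not on the unindented form used in the transcript above.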

Step 05. ICMP inspection

(image)

  • Enabling inspect icmp in the global policy makes the ASA track ICMP like a stateful session, so the echo replies for pings leaving through the dynamic NAT are admitted back on outside without a separate ACL.

Method

ASA 1)

changeto context C1-ASA
policy-map global_policy
class inspection_default
inspect icmp



ASA 2)

changeto context C2-ASA
policy-map global_policy
class inspection_default
inspect icmp



Result

(image)

(image)

Step 06. Taking over a role

  • With two or more failover groups, give failover active the ID of the group whose Active role should move to this unit. Without a group ID the command makes every failover group active on this unit.

Method

ASA 2)

failover active group 1



Result

ASA 1)

(image)

(image)

The roles switched as expected.