
Notes on ASA 5500 HA

Server Security   webadmin   2020-06-27 08:49:20

1. ASA5510 + Security Plus License! How do the ASA series models support high availability?
A:
ASA5505: the Base license does not support HA; with the Security Plus license it supports stateless Active/Standby failover and a redundant ISP.
ASA5510: the Base license does not support HA; with the Security Plus license it supports both Active/Active (A/A) and Active/Standby (A/S) failover.
ASA5520 and above: the Base license already supports A/A and A/S failover.

2. How many ports does the ASA5510 actually have available, and at what speed?
A:
On Cisco ASA 5510 software before 7.2.2, the Base License can use 3 FE ports and the Plus License 5 FE ports.
On 7.2.2 and later, 5 FE ports are usable with either the Base or the Plus license.
On 7.2.3 and later, Base can use 5 FE ports, and Plus upgrades two of them to GE ports (2 GE + 3 FE).


3. PIX HA licensing.
A: For Active/Active, one firewall must have the Unrestricted (UR) license and the other a Failover-Active/Active (FO-A/A) license, or both units must have UR licenses.
For Active/Standby, one firewall must have a UR license and the other a Failover (FO) or Failover-Active/Active (FO-A/A) license.
A single firewall cannot use an FO or FO-A/A license on its own; it must be paired with a firewall that holds a UR license.


4. Does the FWSM support routed and transparent mode side by side in multiple-context mode?
A: From FWSM 3.1 onward, routed and transparent contexts can be mixed in multiple-context mode.


5. Can the IPS function on ISR routers only be provided by IOS software?

A: No, an IPS module is available: the AIM-IPS-K9, supported on the ISR 1841, 2800 and 3800 series routers.


6. On the SUP720 engine, how do I use the copper port, i.e. which command switches from the SFP port to the RJ-45 port?
A: See the interface configuration command media-type {rj45 | sfp}.
A further answer, whose question was not included in the original list: yes, the Catalyst 6500 can be powered by a mix of AC and DC power supplies.


7. Does the Supervisor Engine 32 PISA for the Cisco Catalyst 6500 series support MPLS traffic?
A: Yes, it does.

8. If the Supervisor Engine 32 PISA uses the NBAR feature, where can its PDLM files be downloaded?
A: From the following link: www.cisco.com/cgi-bin/tablebuild.pl/pdlm

9. If a Cisco PIX is upgraded to version 8.0, can it support SSL ×××?

A: The Cisco PIX can be upgraded to the latest 8.0 software, but the PIX does not support SSL ×××.

10. Why does the ASA datasheet not list an xlate figure?
>> xlates = max conns. Why equal? Architectural reason :)

11. How is an ASA configured with dual links (dual ISP)?
>> http://www.cisco.com/warp/customer/110/pix-dual-isp.html
http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml
http://kbase:8000/paws/servlet/ViewFile/70559/pix-dual-isp.xml?convertPaths=1
http://www.cisco.com/en/US/customer/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/ip.htm#wp1047900

12. Please list the anti-××× features the ASA5550 supports, e.g. protection against SYN flood, Smurf, IP spoofing and so on.
>> Protection against denial of service (DoS) attacks such as SYN floods, Internet Control Message Protocol (ICMP) floods, teardrops, port scans, pings of death, and many other common attacks.


13. What does the ASA5510-SEC-PL license provide? A: ASA 5510 Security Plus License w/ HA, GE, more VLANs + conns
Cisco ASA 5510 Security Plus license (provides Active/Active
and Active/Standby high availability, increased session and
VLAN capacities, and additional Ethernet interfaces)
This license raises the capacity of the ASA5510:

1. 130,000 connections (the default is 50,000)
2. 2 security contexts included
3. 5 Ethernet ports: 2 GE + 3 FE
4. 100 VLANs (the default is 50)
5. ××× clustering and load balancing
6. High availability: Active/Active and Active/Standby

14. When the firewall runs Active/Active, the default ARP timeout is 14400; what is the minimum?
In answer to your question:
- Cisco recommends keeping the default ARP timeout of 14400 seconds (4 hours). At a minimum, it should be greater than the CAM timeout of your switches, which is 300 seconds (5 minutes).
- The ARP timeout can be seen in the output of show interface <interface>.
- The ARP timeout can be changed using "arp timeout <seconds>" in interface configuration mode.

The following diagram shows, at a high level, the IP addresses assigned to the primary and secondary Cisco ASA devices in this example.
[Diagram: addressing of the primary and secondary ASA units; the image is not reproduced here]
In the diagram:

  • ext0: assign your external IP address to this interface. ext0 indicates that it is connected to port 0 on the device.
  • int1: assign your internal IP address to this interface. int1 indicates that it is connected to port 1 on the device.
  • fail3: assign an internal IP address to this interface; it is used between the primary and secondary devices for failover. fail3 indicates that it is connected to port 3 on the device.

The Cisco ASA 5520 has four Gigabit Ethernet ports on the back, marked 0, 1, 2 and 3. This example uses ports 0, 1 and 3 as explained above; port 2 is left free.

Besides the four network ports you will also see the slots marked mgmt, usb, usb, console, aux and flash card.

The example was done on a Cisco ASA 5520, and the same commands apply to the other ASA 5500 series models, with two caveats that follow from the licensing notes above: the ASA 5510 needs the Security Plus license for failover and names its ports Ethernet0/x rather than GigabitEthernet0/x, and the ASA 5505 only supports stateless Active/Standby (with Security Plus) on its VLAN interfaces, so the stateful link configured below does not apply to it.

1. Setup failover interface on Primary ASA

Connect your laptop serial port to the primary ASA device using the console cable that came with the device.

Use PuTTY, select "Serial", and make sure the serial line is set to COM1 and the speed to 9600.

Execute the following commands to designate this unit as the primary failover unit and bring up port 0/3, which will carry the failover link.

  enable
  config t
  failover lan unit primary
  interface GigabitEthernet0/3
  no shutdown

2. Assign the failover ip-address on Primary ASA using LANFAIL

Execute the following commands, which assign 10.10.1.1 (marked fail3 in the diagram above) to interface 0/3 on the primary device and tell it the failover address of the standby unit, 10.10.1.2 in this example.

You should also specify a failover key, and use the same key when you configure failover on the secondary device. In this example the key is "secretkey"; use something stronger in practice. The key is a shared secret that authenticates and encrypts the traffic on the failover link: without one, configuration replication (which carries every password and pre-shared key in the configuration) and the stateful connection-table updates cross that link in cleartext. For the same reason the failover link should be a directly connected cable or a VLAN of its own, never a segment that other hosts can reach. "failover link LANFAIL" puts the stateful updates on the same interface as the failover control messages; since port 2 is unused in this example, "failover link STATE GigabitEthernet0/2" would give them a dedicated link instead.

  exit
  failover lan interface LANFAIL GigabitEthernet0/3
  failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
  failover key secretkey
  failover link LANFAIL
  show failover

3. Assign the External ip-address on Primary ASA

Execute the following commands, which assign 174.121.83.47 (marked ext0 in the diagram above) to interface 0/0 on the primary device and tell it the external address of the standby unit, 174.121.83.48 in this example. The standby address is the one the secondary unit uses on this interface while it is standby; on failover the units swap the active and standby addresses (and MAC addresses), so neighbours keep talking to .47.

  show run
  config t
  interface GigabitEthernet0/0
  nameif external
  security-level 0
  ip address 174.121.83.47 255.255.255.0 standby 174.121.83.48
  no shutdown
  exit

4. Assign the Internal ip-address on Primary ASA

Execute the following commands, which assign 192.168.1.47 (marked int1 in the diagram above) to interface 0/1 on the primary device and tell it the internal address of the standby unit, 192.168.1.48 in this example.

  interface GigabitEthernet0/1
  nameif internal
  security-level 100
  ip address 192.168.1.47 255.255.255.0 standby 192.168.1.48
  no shutdown
  exit
  show run

5. Verify the configuration on Primary ASA

Execute the following commands to verify the failover configuration set up so far on the primary. Physical interfaces are monitored by default, so the two monitor-interface lines only make that explicit; the "failover" command is what actually enables failover on this unit.

  monitor-interface external
  monitor-interface internal
  failover
  end
  show failover
  show failover interface

6. Setup failover interface on Secondary ASA

Connect your laptop serial port to the secondary ASA device using the console cable that came with the device.

Use PuTTY, select "Serial", and make sure the serial line is set to COM1 and the speed to 9600.

Execute the following commands to designate this unit as the secondary failover unit and bring up port 0/3 with no nameif, since the failover interface must not double as a data interface.

  enable
  config t
  no failover
  failover lan unit secondary
  interface GigabitEthernet0/3
  no nameif
  no shutdown
  exit
  failover lan interface LANFAIL GigabitEthernet0/3

7. Assign the failover ip-address on Secondary ASA using LANFAIL

Execute the following commands, which specify the LANFAIL addresses exactly as on the primary: 10.10.1.1 for the primary and 10.10.1.2 for the standby. The addresses are entered identically on both units; the "failover lan unit" setting decides which address each unit takes.

You should also specify the failover key, and it must be the same key you used while configuring the primary ASA. In this example it is "secretkey".

  failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
  failover key secretkey
  failover link LANFAIL
  failover
  end
  show run

8. Automatic Configuration Copy from Primary to Secondary ASA

Once LANFAIL is configured and failover is enabled, the secondary unit finds the active primary over the failover link and the rest of the configuration is copied automatically from the primary to the standby. Confirm on the secondary that port 0/3 is up and that "show failover" reports this host as Secondary - Standby Ready.

  show failover
  config t
  interface GigabitEthernet0/3
  no shutdown
  end
  show failover

9. Setup Additional Configuration on ASA Primary

Set up the additional configuration on the primary as shown below: the hostname, domain name, default route, and HTTP (ASDM) and SSH access from the internal network. Monitoring is turned off for the management interface so that an unplugged management port on one unit does not trigger a failover. Replace <upstream-gateway> with your ISP router's address; the next hop of the default route must be a host address, not the network address 174.121.83.0. "http server enable" is required for the http statement to have any effect, and SSH also needs an RSA key pair ("crypto key generate rsa") before the ASA will accept connections. Where you can, restrict the http and ssh statements to your management hosts rather than the whole 192.168.0.0/16.

  config t
  no monitor-interface management
  hostname FW-PRIMARY
  domain-name thegeekstuff.com
  route external 0.0.0.0 0.0.0.0 <upstream-gateway>
  http server enable
  http 192.168.0.0 255.255.0.0 internal
  ssh 192.168.0.0 255.255.0.0 internal
  end

Note: all of the above configuration is copied automatically to the standby, since failover is already configured. The only thing to set on the standby is its hostname, "FW-STANDBY", as shown below. Because the hostname is part of the replicated configuration, a hostname typed on the standby is lost at the next full sync; "prompt hostname priority state" is the durable way to tell the units apart, since it shows each unit's priority and current state in its prompt.

  config t
  hostname FW-STANDBY

Finally, view the running configuration and save it to flash. "write memory" on the active unit is replicated, so the standby saves its startup configuration at the same time.

  show run
  write memory
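As an added check for the procedure above (example code written for this page, not part of the original tutorial and not a Cisco tool), the following Python parses "show failover" output and a running-config excerpt and flags the conditions a practitioner verifies after step 8: both units present, one Active and one Standby Ready, every monitored interface Normal, a failover key configured, the stateful link not sharing the control link, and the failover port kept free of a nameif. The sample outputs are constructed to match the tutorial's addresses and are not device captures; the key appears as ***** the way "show running-config" prints it.

```python
"""Sanity checks for an ASA Active/Standby pair (added example, not from the page).

The 'show failover' and running-config texts below are CONSTRUCTED to match the
tutorial's addressing (external 174.121.83.47/48, internal 192.168.1.47/48,
LANFAIL on GigabitEthernet0/3); they follow the general layout of ASA 8.x output
but were not captured from a device.
"""
import re

# Constructed: a healthy pair after step 8 of the procedure.
SHOW_FAILOVER_OK = """\
Failover On
        This host: Primary - Active
                  Interface external (174.121.83.47): Normal
                  Interface internal (192.168.1.47): Normal
        Other host: Secondary - Standby Ready
                  Interface external (174.121.83.48): Normal
                  Interface internal (192.168.1.48): Normal
"""
# Constructed: the mate has dropped off the failover link.
SHOW_FAILOVER_BAD = """\
Failover On
        This host: Primary - Active
                  Interface external (174.121.83.47): Normal
                  Interface internal (192.168.1.47): Normal (Waiting)
        Other host: Secondary - Failed
                  Interface external (174.121.83.48): Unknown
                  Interface internal (192.168.1.48): Unknown
"""
# Constructed running-config excerpt; 'show run' masks the failover key as *****.
CONFIG_TUTORIAL = """\
failover
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/3
failover key *****
failover link LANFAIL GigabitEthernet0/3
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
interface GigabitEthernet0/3
 description LAN Failover Interface
"""
CONFIG_NO_KEY = CONFIG_TUTORIAL.replace("failover key *****\n", "")
# Constructed: the failover port was also given a nameif (it must stay dedicated).
CONFIG_NAMEIF = CONFIG_TUTORIAL + " nameif failover\n"

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$", re.M)
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\):\s*(.+?)\s*$", re.M)
HEALTHY_IFACE = ("Normal", "Normal (Not-Monitored)")

def parse_show_failover(text):
    """Return failover state: whether failover is on, and per-unit role, state and interfaces."""
    info = {"failover_on": text.lstrip().startswith("Failover On"), "hosts": {}}
    hosts = list(HOST_RE.finditer(text))
    for i, h in enumerate(hosts):
        which, unit, state = h.groups()
        end = hosts[i + 1].start() if i + 1 < len(hosts) else len(text)
        # interface lines belong to the host header that precedes them
        ifaces = dict(IFACE_RE.findall(text[h.end():end]))
        info["hosts"][which.lower()] = {"unit": unit, "state": state, "interfaces": ifaces}
    return info

def failover_problems(text):
    """List problems found in 'show failover' output; an empty list means healthy."""
    info = parse_show_failover(text)
    problems = [] if info["failover_on"] else ["failover is Off"]
    this, other = info["hosts"].get("this"), info["hosts"].get("other")
    if this is None or other is None:
        return problems + ["could not find both units in the output"]
    states = {this["state"], other["state"]}
    if "Active" not in states:
        problems.append("no unit is Active")
    if "Standby Ready" not in states:
        problems.append("no unit is Standby Ready (mate is %s)" % other["state"])
    for who, host in (("this", this), ("other", other)):
        for name, state in host["interfaces"].items():
            if state not in HEALTHY_IFACE:
                problems.append("%s host: interface %s is %s" % (who, name, state))
    return problems

def config_problems(config):
    """Flag failover settings in a running-config that a reviewer would want changed."""
    lines = [l.rstrip() for l in config.splitlines()]
    problems = []
    if not any(l.startswith("failover key") for l in lines):
        problems.append("no 'failover key': replication crosses the failover link in cleartext")
    lan = next((l for l in lines if l.startswith("failover lan interface")), None)
    if lan is None:
        return problems + ["no 'failover lan interface' configured"]
    phys = lan.split()[-1]
    link = next((l for l in lines if l.startswith("failover link")), None)
    if link is not None and link.split()[-1] == phys:
        problems.append("stateful link shares %s with LAN failover; use a dedicated port" % phys)
    in_block = False  # the failover port must not carry a nameif (no data traffic on it)
    for l in lines:
        if l.startswith("interface "):
            in_block = l.split()[1] == phys
        elif in_block and l.strip().startswith("nameif"):
            problems.append("failover interface %s also has a nameif" % phys)
    return problems

if __name__ == "__main__":
    for label, text in (("healthy", SHOW_FAILOVER_OK), ("degraded", SHOW_FAILOVER_BAD)):
        print(label, failover_problems(text) or "OK")
    print("no-key config:", config_problems(CONFIG_NO_KEY))
```

Run against real output, paste the text of "show failover" and "show running-config failover" plus the interface blocks into the two functions. Note that the tutorial's own configuration trips the shared-link warning, which is expected: sharing LANFAIL for state updates is valid on a four-port 5520, and the warning only points at the free port 2 as the better choice.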
