Failover on Cisco ASA

Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.

With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode.

With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.

Both failover configurations support stateful or stateless (regular) failover.

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).

If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:

•The unit state (active or standby)

•Hello messages (keep-alives)

•Network link status

•MAC address exchange

•Configuration replication and synchronization

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a

Site-to-Site IPSEC VPN Between Two Cisco ASA – one with Dynamic IP

isco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1 Cisco Adaptive Security Appliance (ASA)

In this article, we will focus on site-to-site IPsec implementation between two Cisco ASA 5520 appliances, as shown in Figure 2. The outside interface of ASA1 is assigned a dynamic IP addressby the service provider over DHCP, while the outside interface of ASA2 is configured with astatic IP address. Basic IP address configuration and connectivity exists and we will build IPsec configuration on top of this. Although this tutorial was tested on ASA5520, the configuration commands are exactly the same for the other ASA models with no difference.

Figure 2  Cisco ASA-ASA IPsec Implementation

IP Security (IPsec) can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE involves a combination of ISAKMP/Phase 1 and IPsec/Phase 2 attributes that are negotiated between peers. If any one of the attributes is misconfigured, the IPsec tunnel fails to establish. Therefore, it is mandatory to make sure that all these parameters are identical on the two appliances we are using as IPsec peers.

We will start with a preconfiguration checklist to make our life easier. This checklist would serve as a reference for configuration and troubleshooting.

Table 1   Configuration Checklist: ISAKMP/Phase-1 Attributes

Attribute	Value
Encryption	AES 128-bit
Hashing	SHA-1
Authentication method	Preshared keys
DH group	Group 2 1024-bit field
Lifetime	86,400 seconds

After discussing Phase 1 attributes, it is important to highlight Phase 2 attributes of the IPsec VPN connection, that are used to encrypt and decrypt the actual data traffic.

Table 2   Configuration Checklist: IPsec/Phase-2 Attributes

Attribute	Value
Encryption	AES 128-bit
Hashing	SHA-1
Lifetime	28,800 seconds4,608,000 kB
Mode	Tunnel
PFS group	None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure the site-to-site IPsec tunnel between ASA1 and ASA2.

Let’s start with configuring ASA1:

! ISAKMP Phase 1

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable outside
tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

access-list RED permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP 10 set peer 173.199.183.2
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outside

Here goes the configuration for ASA2:

! Create ISAKMP policy

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside

! Define the pre-shared key within the dynamic map tunnel group

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key Cisc0
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

access-list BLUE permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

! Create a dynamic-map

crypto dynamic-map DYN-MAP 20 match address BLUE (OPTIONAL)
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA

! Assign the dynamic-map to crypto map

crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside

The above commands conclude the IPSEC VPN configuration. However, if we have NAT in our network (which is true most of the times), we still have some way to go. We must configure NAT exemption for VPN traffic. That is, traffic that will pass through the VPN tunnel (i.e traffic between the LAN networks 192.168.1.0/24 10.0.0.0/24) must be excluded from NAT operation.

Configure NAT Exemption on ASA1

ASA1(config)# object network obj-local 
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0 
ASA1(config-network-object)# exit

ASA1(config)# object network obj-remote 
ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1(config-network-object)# exit

ASA1(config)# object network internal-lan 
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0 
ASA1(config-network-object)# exit

! Exclude traffic from LAN1 to LAN2 from NAT operation

ASA1(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

! Configure Port Address Translation (PAT) using the outside ASA interface. This will perform dynamic NAT on internal LAN hosts so that they can access the Internet.

ASA1(config)# object network internal-lan 
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Configure NAT Exemption on ASA2

ASA2(config)# object network obj-local 
ASA2(config-network-object)# subnet 10.0.0.0 255.255.255.0 
ASA2(config-network-object)# exit

ASA2(config)# object network obj-remote 
ASA2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA2(config-network-object)# exit

ASA2(config)# object network internal-lan 
ASA2(config-network-object)# subnet 10.0.0.0 255.255.255.0 
ASA2(config-network-object)# exit

! Exclude traffic from LAN2 to LAN1 from NAT operation

ASA2(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

! Configure Port Address Translation (PAT) using the outside ASA interface. This will perform dynamic NAT on internal LAN hosts so that they can access the Internet.

ASA2(config)# object network internal-lan 
ASA2(config-network-object)# nat (inside,outside) dynamic interface

At this point our IPsec configuration is complete. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to ASA1 to a host in subnet 10.0.0.0/24 connected to ASA2. An easy way to generate such traffic is the good old ping utility. If ping is successful between the two subnets, an IPsec tunnel is also likely to have established successfully. The same can be verified using command show crypto ipsec stats:

ASA1# show crypto ipsec stats

IPsec Global Statistics
———————–
Active tunnels: 1
Previous tunnels: 1
Inbound
Bytes: 400
Decompressed bytes: 400
Packets: 4
Dropped packets: 0
Replay failures: 0
Authentications: 4
Authentication failures: 0
Decryptions: 4
Decryption failures: 0
Decapsulated fragments needing reassembly: 0

Outbound
Bytes: 400
Uncompressed bytes: 400
Packets: 4
Dropped packets: 0
Authentications: 4
Authentication failures: 0
Encryptions: 4
Encryption failures: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

You can get your hands dirty with several other show crypto commands available to verify configuration and view statistics. For example, show crypto isakmp sa detail command can be used to verify ISAKMP/Phase 1 attributes, while show crypto ipsec sa command can be used to verify IPsec/Phase 2 attributes. We have shown here the output for show crypto isakmp sa detailcommand:

ASA1# show crypto isakmp sa detail

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 173.199.183.2

Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE
Encrypt : aes             Hash    : SHA
Auth    : preshared       Lifetime: 86400
Lifetime Remaining: 85998

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.
In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. PfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2 and the same has been used in this tutorial.
In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1  Cisco ASA to pfSense IPsec Implementation (Click for Larger Picture)

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute	Value
Encryption	AES 128-bit
Hashing	SHA-1
Authentication method	Preshared keys
DH group	Group 2 1024-bit field
Lifetime	86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

  Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute	Value
Encryption	AES 128-bit
Hashing	SHA-1
Lifetime	28,800 seconds4,608,000 kB
Mode	Tunnel
PFS group	None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.
ASA Configuration
Let’s start with configuring the ASA (Using ASA 8.4(2) in this example):
! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside
tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside

PfSense Configuration
We open the URL http://173.199.183.2 in a Web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. You may have noticed that 173.199.183.2 is the WAN IP address of the pfSense firewall that indicates we are accessing it from the Internet.

After successfully logging in you reach the Status page which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on the Tunnels tab. Configure ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

 

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to Cisco ASA to a host in subnet 10.0.0.2/24 connected to pfSense, using the ping utility. If ping is successful between the two subnets, an IPsec tunnel is likely to have established successfully. The same can be verified using command show crypto ipsec stats on Cisco ASA.
In order to check IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a tiny green icon in the Status column, IPsec tunnel is successfully established as shown in the following screenshot.