Feb 05

Cisco ASA hostname trick to quickly identify if the unit is Active or Standby

After years of working with the Cisco ASA platform I still learn something new while working with TAC or with other engineers. I recently learned about the following command.


“prompt hostname state priority”

This command changes the CLI prompt so that the hostname is followed by the unit's failover state (Active or Standby) and priority (Primary or Secondary). Instead of issuing the “show failover” command to figure out which unit you are on, the prompt tells you directly.

Below is an example.

ASAFirewall(config)# prompt hostname state priority
ASAFirewall/act/sec(config)#

In the example above:
The hostname is “ASAFirewall”
This unit is “Active”
This unit is configured as the “Secondary” unit.
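A small parser for prompts in the form shown above, useful in automation that should refuse to push configuration unless the session is positively on the Active unit. This is an added example, not something from the original post; it assumes the ASA abbreviations “act”/“stby” for state and “pri”/“sec” for priority, and the `parse_asa_prompt`/`is_active_unit` function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tokens the ASA appends after the hostname when
# "prompt hostname state priority" is configured.
# Assumption: "act"/"stby" and "pri"/"sec" are the abbreviations used.
STATE_TOKENS = {"act": "Active", "stby": "Standby"}
PRIORITY_TOKENS = {"pri": "Primary", "sec": "Secondary"}

PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9._-]+)"   # hostname (may contain dots)
    r"(?P<tokens>(?:/[a-z]+)*)"     # zero or more "/act", "/sec" style tokens
    r"(?:\((?P<mode>[^)]*)\))?"     # optional mode suffix, e.g. "(config)"
    r"(?P<priv>[>#])\s*$"           # ">" user EXEC, "#" privileged EXEC
)


@dataclass
class AsaPrompt:
    hostname: str
    state: Optional[str]      # "Active", "Standby" or None if not shown
    priority: Optional[str]   # "Primary", "Secondary" or None if not shown
    mode: Optional[str]       # e.g. "config", or None at the EXEC prompt
    privileged: bool


def parse_asa_prompt(prompt: str) -> AsaPrompt:
    """Split an ASA prompt such as 'ASAFirewall/act/sec(config)#' into parts."""
    m = PROMPT_RE.match(prompt.strip())
    if not m:
        raise ValueError(f"not an ASA prompt: {prompt!r}")
    state = priority = None
    # Tokens may appear in either order, depending on the "prompt" command used.
    for tok in m.group("tokens").split("/")[1:]:
        if tok in STATE_TOKENS:
            state = STATE_TOKENS[tok]
        elif tok in PRIORITY_TOKENS:
            priority = PRIORITY_TOKENS[tok]
        else:
            raise ValueError(f"unknown prompt token {tok!r} in {prompt!r}")
    return AsaPrompt(m.group("host"), state, priority,
                     m.group("mode"), m.group("priv") == "#")


def is_active_unit(prompt: str) -> bool:
    """True only when the prompt positively identifies the Active unit."""
    return parse_asa_prompt(prompt).state == "Active"
```

A prompt without the state token (the default prompt) yields `state is None`, so `is_active_unit` returns False rather than guessing.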

If you have any Tips & Tricks like this, please share them by using the reply field below. No account is needed.

Apr 01

Redundant connection with a single Cisco ASA firewall

When setting up Cisco ASA firewalls, I prefer to install them in pairs. A High Availability (HA) pair works very well to keep the environment available when one unit fails.

It’s not very often, but sometimes it makes sense to have a single firewall without a standby unit. When deploying this firewall, a choice had to be made: dual-home it to a pair of switches, or connect it to a single switch. The decision was made to connect it to the HA pair of switches, since the switches can form a single EtherChannel that spans both chassis (vPC or MCT).

To do this, two ports on the ASA need to be joined in an EtherChannel. The configuration is the same as configuring an EtherChannel on a Cisco switch.

Steps
1. Create the Port-channel interface; it must have a unique number.
2. Apply the channel-group to each member interface; all member interfaces must have identical configuration.

Below is an example of the configuration.

! Logical interface: all L3/security settings live here, not on the members
interface Port-channel1
description Access Switch Link
nameif outside
security-level 0
ip address 10.10.0.1 255.255.255.248
!
! Member interfaces: "mode on" is a static EtherChannel with no LACP
! negotiation, so the switch side must also be "mode on" (use "mode active"
! on both ends if LACP is wanted). Members carry no nameif or IP of their own.
interface GigabitEthernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address

So, why do this?

1. The new environment needed to be secured with a firewall.
2. Access to this environment was not business critical and was only needed during business hours, so a single unit was chosen.
3. Why dual-home it? Because it was available and easy to set up. As a Network Engineer, redundancy is always preferred even when the business says it’s not needed.

How has your experience been with Etherchannels running on Cisco ASA firewalls?
If you have an example of why to only have a single firewall, please share it!!

No account needed to comment!!! Find the “reply” button below and leave your comment!!