Some quick template-style notes on deploying clustered ASAs running multiple context mode with transparent contexts. There are already some well-documented guides and a few blog posts detailing clustering and transparent-mode firewalls, so the purpose of this post is just to dive into the configuration. You may run into caveats depending on which features you want to run simultaneously; refer to the ASA General Operations CLI guide for particulars before deploying clustering.
Topology
Diagram of physical topology, showing Cluster Control and Cluster Data Links. They’re going to the same pair of Nexus switches, but I split it out like this for clarity.
Enable Multiple Context Mode
Do this on both ASAs. Requires a reload.
mode multiple
Verify Cluster Licensing
Verify you have the clustering license enabled on both ASAs.
show activation-key
Configure Jumbo Frame Reservation
Do this on both ASAs if running in a Data Center requiring jumbo frames. Requires a reload.
jumbo-frame reservation
Configure Management Interfaces
ASA 1 – Configure Management IP and Pool (Used for cluster members)
changeto context admin
ip local pool mgmt 10.180.0.28-10.180.0.34 mask 255.255.255.0
int management0/0
management-only
nameif mgmt
security-level 100
ip add 10.180.0.27 255.255.255.0 cluster-pool mgmt
route mgmt 0.0.0.0 0.0.0.0 10.180.0.1
ASA 2 – Remove IP on Management0/0 interface
changeto context admin
int management0/0
no ip add
Enable Spanned interface mode
Both ASAs [system context]
cluster interface-mode spanned check-details
Cluster interface-mode has been changed to 'spanned' mode successfully. Please complete interface and routing configuration before enabling clustering.
Verify interface mode is spanned
show cluster interface-mode
cluster interface-mode spanned
Configure Cluster Data Link
Both ASAs [system context]
int po20
desc Data Link to Nexus
port-channel span-cluster vss-load-balance
INFO: lacp port-priority on member interfaces of channel-group Port-channel20 will be controlled by CLACP.
INFO: CLACP vss-load-balance is enabled. This assumes all cluster units have the same interfaces connected to two switches in the VSS or VPC pair and each unit has the same number of interfaces connected to both switches (vss-id 1 and 2).
int te0/8
desc Data - Nexus-1
channel-group 20 mode active vss-id 1
int te2/6
desc Data - Nexus-2
channel-group 20 mode active vss-id 2
Configure Cluster Control Link
Both ASAs [system context]
interface po21
desc Cluster Control Link
int te0/9
channel-group 21 mode active
int te2/7
channel-group 21 mode active
ASA-1 Configure cluster group
cluster group ASA-CLUSTER
# Shared secret for cluster control link traffic; must be identical on every unit
key CCLKey!
local-unit ASA-1
cluster-interface Po21 ip 10.180.255.17 255.255.255.240
priority 1
# Replicate console messages from slaves to master
console-replicate
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
ASA-2 Configure cluster group
cluster group ASA-CLUSTER
# Must match the key configured on ASA-1 or the unit will not join the cluster
key CCLKey!
local-unit ASA-2
cluster-interface Po21 ip 10.180.255.18 255.255.255.240
priority 2
enable
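Before typing `enable` on the second unit it is worth diffing the two `cluster group` blocks: the group name, key and cluster-interface must agree, the unit name and priority are set per unit, and both CCL addresses must sit in the same subnet. The Python check below is an added example, not code from the original post; it parses two constructed sample blocks in the shape of the ones above (with the ASA-2 key deliberately different) and reports the mismatches.

```python
import ipaddress
import re
# Constructed sample in the shape of the blocks above; ASA-2's key deliberately differs.
ASA1_CFG = """cluster group ASA-CLUSTER
 key CCLKey!
 local-unit ASA-1
 cluster-interface Po21 ip 10.180.255.17 255.255.255.240
 priority 1
"""
ASA2_CFG = """cluster group ASA-CLUSTER
 key CCLKey2015!
 local-unit ASA-2
 cluster-interface Po21 ip 10.180.255.18 255.255.255.240
 priority 2
"""
# One line-anchored regex per setting ("system-priority" in a clacp line cannot match "priority").
FIELDS = {
    "group": r"^cluster group (\S+)",
    "key": r"^\s*key (\S+)",
    "local-unit": r"^\s*local-unit (\S+)",
    "priority": r"^\s*priority (\S+)",
    "ccl": r"^\s*cluster-interface (\S+) ip",
}

def parse_cluster_group(cfg):
    """Pull the settings out of one unit's 'cluster group' block."""
    g = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, cfg, re.M)
        g[name] = m.group(1) if m else None
    m = re.search(r"^\s*cluster-interface \S+ ip (\S+) (\S+)", cfg, re.M)
    g["ccl_ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None
    return g

def check_cluster_pair(cfg_a, cfg_b):
    """Findings: settings that must agree on both units, plus per-unit settings that should not match."""
    a, b = parse_cluster_group(cfg_a), parse_cluster_group(cfg_b)
    findings = []
    for name in ("group", "key", "ccl"):
        if a[name] != b[name]:
            findings.append(f"{name} differs between units")
    for name in ("local-unit", "priority"):
        if a[name] == b[name]:
            findings.append(f"{name} is not unique")
    if a["ccl_ip"] and b["ccl_ip"]:
        if a["ccl_ip"].network != b["ccl_ip"].network:
            findings.append("cluster-interface IPs are not in one subnet")
        elif a["ccl_ip"].ip == b["ccl_ip"].ip:
            findings.append("cluster-interface IPs collide")
    return findings
```

Run `check_cluster_pair` against the `cluster group` sections pulled from each unit's `show running-config`; an empty list means nothing in these blocks will stop the second unit from joining.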
Verify
show cluster info
show cluster info packet-dist
show cluster info conn-dist
show cluster history
Execute commands cluster-wide
cluster exec show port-channel summ
This message appeared after enabling the cluster:
INFO: Interface MTU should be increased to avoid fragmenting jumbo frames during transmit
mtu cluster 9100
sysopt connection tcpmss 9096
General configuration
Configure admin context and set hostname extension
prompt hostname context cluster-unit
admin-context admin
context admin
allocate-interface Management0/0-1
config-url disk0:/admin.cfg
Configure VLANs and Context Associations
We are going to configure just a single context with two VLANs. The ASAs will control the bridging of the VLANs through BVIs, and the default gateway SVIs will reside on the Nexus switches. Basic topology:
Configure “inside” L2 interfaces & VLANs
int po20.111
vlan 111
int po20.112
vlan 112
Configure “outside” L3 interfaces & VLANs
int po20.2111
vlan 2111
int po20.2112
vlan 2112
Create context “c1” and allocate the interfaces
context c1
allocate-interface Po20.111
allocate-interface Po20.2111
allocate-interface Po20.112
allocate-interface Po20.2112
config-url disk0:/c1.cfg
Configure context c1
changeto context c1
terminal width 500
Set mode to transparent
firewall transparent
Configure Bridged interfaces
int bvi1
ip add 10.111.0.4 255.255.255.0 standby 10.111.0.5
int bvi2
ip add 10.112.0.4 255.255.255.0 standby 10.112.0.5
Configure “inside” L2 interfaces
int po20.111
nameif 111
bridge-group 1
security-level 100
int po20.112
nameif 112
bridge-group 2
security-level 100
Configure “outside” L3 interfaces
int po20.2111
nameif 2111
bridge-group 1
security-level 0
int po20.2112
nameif 2112
bridge-group 2
security-level 0
Configure MTU
mtu 111 9100
mtu 112 9100
mtu 2111 9100
mtu 2112 9100
sysopt connection tcpmss 0
Configure Routing (for ASA-originated traffic such as logging and SNMP)
route 2111 0.0.0.0 0.0.0.0 10.111.0.1 1