ASA Clustering Multiple Context Transparent Mode

Some quick template-style notes on deploying clustered ASAs running multiple context mode with transparent contexts. There are some well-documented guides and a few blog posts out there already detailing clustering and transparent-mode firewalls; the purpose of this post is just to dive into the configuration. You may run into caveats depending on which features you want to run simultaneously, so refer to the ASA General Operations CLI guide for particulars before deploying clustering.

Topology

Diagram of physical topology, showing Cluster Control and Cluster Data Links.  They’re going to the same pair of Nexus switches, but I split it out like this for clarity.

[Image: topology1 (physical topology diagram)]

Enable Multiple Context Mode

Do this on both ASAs. Requires a reload.

mode multiple

Verify Cluster Licensing

Verify you have the clustering license enabled on both ASAs.

show activation-key

Configure Jumbo Frame Reservation

Do this on both ASAs if running in a Data Center requiring jumbo frames. Requires a reload.

jumbo-frame reservation

Configure Management Interfaces

ASA 1 – Configure Management IP and Pool (Used for cluster members)

changeto context admin
ip local pool mgmt 10.180.0.28-10.180.0.34 mask 255.255.255.0

int management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 10.180.0.27 255.255.255.0 cluster-pool mgmt
route mgmt 0.0.0.0 0.0.0.0 10.180.0.1

ASA 2 – Remove IP on Management0/0 interface

changeto context admin
int management0/0
 no ip address

Enable Spanned interface mode

Both ASAs [system context]

cluster interface-mode spanned check-details 
Cluster interface-mode has been changed to 'spanned' mode successfully. Please complete interface and routing configuration before enabling clustering.

Verify interface mode is spanned

show cluster interface-mode 
cluster interface-mode spanned

Configure Cluster Data Link

Both ASAs [system context]

int po20
 desc Data Link to Nexus
 port-channel span-cluster vss-load-balance

INFO: lacp port-priority on member interfaces of channel-group Port-channel20 will be controlled by CLACP.
INFO: CLACP vss-load-balance is enabled. This assumes all cluster units have the same interfaces connected to two switches in the VSS or VPC pair and each unit has the same number of interfaces connected to both switches (vss-id 1 and 2).

int te0/8
 desc Data - Nexus-1
 channel-group 20 mode active vss-id 1

int te2/6
 desc Data - Nexus-2
 channel-group 20 mode active vss-id 2

Configure Cluster Control Link

Both ASAs [system context]

interface po21
 desc Cluster Control Link

int te0/9
 channel-group 21 mode active
int te2/7
 channel-group 21 mode active

ASA-1 – Configure cluster group

cluster group ASA-CLUSTER
 key CCLKey!
 local-unit ASA-1
 cluster-interface Po21 ip 10.180.255.17 255.255.255.240
 priority 1
 ! Replicate console messages from slaves to master
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable

ASA-2 – Configure cluster group (the group name and key must be identical to ASA-1; only local-unit, the CCL IP and the priority differ)

cluster group ASA-CLUSTER
 key CCLKey!
 local-unit ASA-2
 cluster-interface Po21 ip 10.180.255.18 255.255.255.240
 priority 2
 enable
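Before pasting the two cluster group stanzas onto the units it is worth checking that they actually agree. The following is an added example (not code from the original post or from Cisco) that parses both stanzas and reports the mismatches that would stop the second unit from joining: differing group name or key, a cluster-interface that is not the same port-channel, CCL addresses outside a common subnet, duplicate unit names or priorities, or a missing enable. The sample configs are constructed from the stanzas above, with the second unit deliberately given a different key to show the check firing; the helper names are my own.

```python
import ipaddress

# Constructed sample: the two "cluster group" stanzas as they would appear in
# each unit's system-context running config. ASA-2's key is deliberately wrong.
ASA1_CLUSTER_CFG = """\
cluster group ASA-CLUSTER
 key CCLKey!
 local-unit ASA-1
 cluster-interface Po21 ip 10.180.255.17 255.255.255.240
 priority 1
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
"""

ASA2_CLUSTER_CFG = """\
cluster group ASA-CLUSTER
 key CCLKey2015!
 local-unit ASA-2
 cluster-interface Po21 ip 10.180.255.18 255.255.255.240
 priority 2
 enable
"""


def parse_cluster_group(cfg):
    """Return a dict of the settings found under the 'cluster group' stanza."""
    info = {}
    in_group = False
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if line.startswith("cluster group "):
            info["group"] = line.split(None, 2)[2]
            in_group = True
            continue
        # The stanza ends at the first non-indented line.
        if not in_group or not line.startswith(" "):
            in_group = False
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "key":
            info["key"] = parts[1]
        elif kw == "local-unit":
            info["unit"] = parts[1]
        elif kw == "cluster-interface":
            # cluster-interface <ifname> ip <address> <mask>
            info["ccl_if"] = parts[1]
            info["ccl_ip"] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif kw == "priority":
            info["priority"] = int(parts[1])
        elif kw == "enable":
            info["enabled"] = True
    return info


def check_cluster_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_cluster_group(cfg_a), parse_cluster_group(cfg_b)
    problems = []
    if a.get("group") != b.get("group"):
        problems.append("cluster group names differ")
    if a.get("key") != b.get("key"):
        problems.append("cluster keys differ (units will not join)")
    if a.get("unit") == b.get("unit"):
        problems.append("local-unit names must be unique")
    if a.get("ccl_if") != b.get("ccl_if"):
        problems.append("cluster-interface differs")
    ip_a, ip_b = a.get("ccl_ip"), b.get("ccl_ip")
    if ip_a and ip_b:
        if ip_a.network != ip_b.network:
            problems.append("CCL addresses are not in the same subnet")
        elif ip_a.ip == ip_b.ip:
            problems.append("CCL addresses collide")
    if a.get("priority") == b.get("priority"):
        problems.append("priorities are equal; master election is ambiguous")
    for name, cfg in (("A", a), ("B", b)):
        if not cfg.get("enabled"):
            problems.append(f"unit {name} lacks 'enable'")
    return problems


if __name__ == "__main__":
    for problem in check_cluster_pair(ASA1_CLUSTER_CFG, ASA2_CLUSTER_CFG):
        print("PROBLEM:", problem)
```

Run it against the two stanzas copied straight from the running configs (show running-config cluster in the system context) and fix anything it flags before issuing enable on the second unit.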

Verify

show cluster info
show cluster info packet-dist
show cluster info conn-dist
show cluster history

Execute commands cluster-wide

cluster exec show port-channel summ

This message appeared after enabling the cluster:
INFO: Interface MTU should be increased to avoid fragmenting jumbo frames during transmit

mtu cluster 9100
sysopt connection tcpmss 9096

General configuration

Configure admin context and set hostname extension

prompt hostname context cluster-unit

admin-context admin
context admin
 allocate-interface Management0/0-1
 config-url disk0:/admin.cfg

Configure VLANs and Context Associations

We are going to configure just a single context with two VLANs.  The ASAs will control the bridging of the VLANs through BVIs, and the default gateway SVIs will reside on the Nexus switches.  Basic topology:

[Image: topology2 (logical topology diagram)]

Configure “inside” L2 interfaces & VLANs

int po20.111
 vlan 111
int po20.112
 vlan 112

Configure “outside” L3 interfaces & VLANs

int po20.2111
 vlan 2111
int po20.2112
 vlan 2112

Create context “c1” and allocate the interfaces

context c1
 allocate-interface Po20.111
 allocate-interface Po20.2111
 allocate-interface Po20.112
 allocate-interface Po20.2112
 config-url disk0:/c1.cfg

Configure context c1

changeto context c1
terminal width 500

Set mode to transparent

firewall transparent

Configure Bridged interfaces

int bvi1
 ip address 10.111.0.4 255.255.255.0 standby 10.111.0.5
int bvi2
 ip address 10.112.0.4 255.255.255.0 standby 10.112.0.5

Configure “inside” L2 interfaces

int po20.111
 nameif 111
 bridge-group 1
 security-level 100
int po20.112
 nameif 112
 bridge-group 2
 security-level 100

Configure “outside” L3 interfaces

int po20.2111
 nameif 2111
 bridge-group 1
 security-level 0
int po20.2112
 nameif 2112
 bridge-group 2
 security-level 0

Configure MTU

mtu 111 9100
mtu 112 9100
mtu 2111 9100
mtu 2112 9100

sysopt connection tcpmss 0
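A transparent context only forwards correctly when each bridge group is complete: one BVI with an address and a standby address in the same subnet, two to four member interfaces that each have a nameif and a bridge-group, and a matching MTU on every member so the jumbo frames carried over the cluster data link are not fragmented on one side of the bridge. The following is an added example (not code from the original post or from Cisco) that parses the context c1 configuration shown above and reports any of those gaps. The sample config is constructed from the BVI, interface and mtu lines above; the helper names are my own.

```python
import ipaddress

# Constructed sample: the transparent context "c1" as configured in this post.
C1_CFG = """\
firewall transparent
interface BVI1
 ip address 10.111.0.4 255.255.255.0 standby 10.111.0.5
interface BVI2
 ip address 10.112.0.4 255.255.255.0 standby 10.112.0.5
interface Port-channel20.111
 nameif 111
 bridge-group 1
 security-level 100
interface Port-channel20.112
 nameif 112
 bridge-group 2
 security-level 100
interface Port-channel20.2111
 nameif 2111
 bridge-group 1
 security-level 0
interface Port-channel20.2112
 nameif 2112
 bridge-group 2
 security-level 0
mtu 111 9100
mtu 112 9100
mtu 2111 9100
mtu 2112 9100
"""


def parse_transparent_context(cfg):
    """Collect BVIs, member interfaces and per-nameif MTUs from a context config."""
    bvis, members, mtus = {}, {}, {}
    transparent = False
    cur = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if line == "firewall transparent":
            transparent = True
        elif line.startswith("interface "):
            cur = line.split()[1]
            if cur.upper().startswith("BVI"):
                bvis[int(cur[3:])] = {}
            else:
                members[cur] = {}
        elif line.startswith("mtu "):
            _, nameif, size = line.split()
            mtus[nameif] = int(size)
        elif line.startswith(" ") and cur:
            parts = line.split()
            if cur.upper().startswith("BVI"):
                if parts[:2] == ["ip", "address"]:
                    bvi = bvis[int(cur[3:])]
                    bvi["active"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
                    if "standby" in parts:
                        bvi["standby"] = ipaddress.ip_address(parts[parts.index("standby") + 1])
            else:
                member = members[cur]
                if parts[0] == "nameif":
                    member["nameif"] = parts[1]
                elif parts[0] == "bridge-group":
                    member["group"] = int(parts[1])
                elif parts[0] == "security-level":
                    member["level"] = int(parts[1])
    return transparent, bvis, members, mtus


def check_bridge_groups(cfg):
    """Return a list of problems; an empty list means every bridge group is complete."""
    transparent, bvis, members, mtus = parse_transparent_context(cfg)
    problems = []
    if not transparent:
        problems.append("context is not in transparent mode")
    by_group = {}
    for ifname, member in members.items():
        if "group" not in member:
            problems.append(f"{ifname} has no bridge-group")
            continue
        by_group.setdefault(member["group"], []).append((ifname, member))
    for group, bvi in bvis.items():
        if "active" not in bvi:
            problems.append(f"BVI{group} has no ip address")
            continue
        standby = bvi.get("standby")
        if standby is None:
            problems.append(f"BVI{group} has no standby address")
        elif standby not in bvi["active"].network or standby == bvi["active"].ip:
            problems.append(f"BVI{group} standby address is invalid")
        group_members = by_group.get(group, [])
        if not 2 <= len(group_members) <= 4:
            problems.append(f"bridge-group {group} has {len(group_members)} members (need 2-4)")
        sizes = set()
        for ifname, member in group_members:
            if "nameif" not in member:
                problems.append(f"{ifname} has no nameif")
                continue
            sizes.add(mtus.get(member["nameif"]))  # None when no mtu line exists
        if len(sizes) > 1:
            problems.append(f"bridge-group {group} members have differing MTUs")
    for group in by_group:
        if group not in bvis:
            problems.append(f"bridge-group {group} has no BVI")
    return problems


if __name__ == "__main__":
    print(check_bridge_groups(C1_CFG) or "all bridge groups complete")
```

Feed it the output of show running-config from inside the context; the member limit of four interfaces per bridge group and the requirement that the standby address sit in the BVI's subnet are the constraints most often tripped over when a second VLAN pair is added later.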

Configure Routing (for logging, SNMP, etc.)

route 2111 0.0.0.0 0.0.0.0 10.111.0.1 1

Reference

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/ha-cluster.html#pgfId-2551312

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli.html?mdfid=283123066

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/ASA_Cluster/ASA_Cluster/ASA_Cluster.html
