
Active/Standby HA Implementation

Introduction

The [Cisco ASA 5510 Series] is Cisco's new-generation UTM firewall, with IPsec/SSL VPN, the new Adaptive Identification and Mitigation (AIM), intrusion prevention (IPS), Security Services Modules (SSM) and other features. In this walkthrough two [Cisco ASA 5510 Series] units are configured in Active/Standby mode to achieve HA (High Availability).

Understanding Cisco ASA 5510 basics:

Cisco ASA 5510 HA prerequisites and concepts: (show version)

(Screenshots: HA registration - enter the License Key; confirm the License contents; enter the device serial number; verify the data; HA registration successful; HA feature not yet enabled; HA feature enabled successfully. 3DES/AES registration - log in; click the link; enter the device serial number.)

Lab Environment

The lab environment is configured as follows. The e0/3 interfaces of the Primary and Secondary units are simply connected to each other with a network cable (see the attached diagram for the detailed topology).

(Figure: HA architecture diagram)

Installation and Configuration

Configuration is split between the Primary and the Secondary. Almost everything is configured on the Primary; the Secondary only needs its Failover settings, and once Failover is established the Secondary synchronises the rest of the configuration from the Primary.

Connect the PC's RS-232 port to the Console port of the Cisco ASA 5510 with the supplied Console cable. The HyperTerminal settings are as follows:

(Screenshot: COM port settings)

Primary ASA

Step 1. Basic settings

 ciscoasa> enable                                                                   //enter Privileged mode
 Password:                                                                          //the default password is blank
 ciscoasa#configure terminal                                                        //enter Configure mode
 ciscoasa(config)#enable password asa15                                             //set the Privileged (enable) mode password to asa15
 ciscoasa(config)#passwd asa15                                                      //set the Telnet/SSH login password to asa15
 ciscoasa(config)#hostname 5510-HA                                                  //set the hostname to 5510-HA
 5510-HA(config)#                                                                   //the hostname has changed

(Screenshots: ASA initial setup at boot; logging in to the ASA)

Step 2. Network settings

 5510-HA(config)#interface ethernet 0/0                                             //enter interface e0/0
 5510-HA(config-if)#ip address 61.60.59.58 255.255.255.0 standby 61.60.59.57        //set the WAN Active / Standby IP addresses
 5510-HA(config-if)#nameif outside                                                  //name the interface outside
 INFO: Security level for "outside" set to 0 by default.                            //the default security-level is 0
 5510-HA(config-if)#no shutdown                                                     //enable interface e0/0
 5510-HA(config-if)#exit                                                            //leave interface e0/0
 5510-HA(config)#interface ethernet 0/1                                             //enter interface e0/1
 5510-HA(config-if)#ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253    //set the LAN Active / Standby IP addresses
 5510-HA(config-if)#nameif inside                                                   //name the interface inside
 INFO: Security level for "inside" set to 100 by default.                           //the default security-level is 100
 5510-HA(config-if)#no shutdown                                                     //enable interface e0/1
 5510-HA(config-if)#interface ethernet 0/3                                          //enter interface e0/3
 5510-HA(config-if)#no shutdown                                                     //enable interface e0/3
 5510-HA(config)#route outside 0 0 61.60.59.254                                     //set the default gateway
 5510-HA(config)#http server enable                                                 //enable the HTTP server (i.e. ASDM)
 5510-HA(config)#http 0 0 inside                                                    //allow ASDM connections from any subnet on inside
 5510-HA(config)#telnet 0 0 inside                                                  //allow telnet from any subnet on inside (cleartext; in production prefer ssh and a narrower management subnet)

(Screenshot: Cisco ASDM graphical management interface)

Step 3. NAT / Port Forwarding settings

 5510-HA(config)#global (outside) 1 interface                                       //NAT (PAT) to the WAN interface address
 INFO: outside interface address added to PAT pool
 5510-HA(config)#nat (inside) 1 192.168.1.0 255.255.255.0                           //the LAN subnet to be translated
 5510-HA(config)#access-list LAN_to_WAN permit icmp any any                         //let LAN hosts ping Internet hosts (rule name LAN_to_WAN)
 5510-HA(config)#access-group LAN_to_WAN in interface outside                       //apply the rule just created to the WAN interface
 5510-HA(config)# global (outside) 1 61.60.59.56 netmask 255.255.255.0              //set the PAT IP and its interface
 INFO: Global 61.60.59.56 will be Port Address Translated
 5510-HA(config)# static (inside,outside) 61.60.59.56 192.168.1.200                 //static IP mapping
 5510-HA(config)# access-list LAN_to_WAN permit tcp any host 61.60.59.56 eq 3389    //port forwarding (so 61.60.59.56:3389 -> 192.168.1.200:3389)

Step 4. Active/Standby Failover settings

 5510-HA(config)#failover                                                           //enable failover
 5510-HA(config)#failover lan unit primary                                          //designate this unit as Primary
 5510-HA(config)#failover lan interface failover Ethernet0/3                        //use e0/3 as the failover interface
 INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
 5510-HA(config)#failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2  //Active / Standby IP addresses of the failover interface
 5510-HA(config)#copy running-config startup-config                                 //save the running configuration to the startup configuration

Secondary ASA

Step 1. Active/Standby Failover settings

 ciscoasa> en                                                                       //enter Privileged mode
 Password:                                                                          //the default password is blank
 ciscoasa#
 ciscoasa#configure terminal                                                        //enter Configure mode
 ciscoasa(config)#interface ethernet 0/3                                            //enter interface e0/3
 ciscoasa(config-if)#no shutdown                                                    //enable interface e0/3
 ciscoasa(config-if)#failover                                                       //enable failover
 ciscoasa(config)#failover lan unit secondary                                       //designate this unit as Secondary
 ciscoasa(config)#failover lan interface failover Ethernet0/3                       //use e0/3 as the failover interface
 INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
 ciscoasa(config)#failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2  //Active / Standby IP addresses of the failover interface (must match the Primary)
 ciscoasa(config)#.                                                                 //once configured, the messages below appear and the two ASAs start synchronising
         Detected an Active mate
 Beginning configuration replication from mate.                                     //configuration sync starts
 End configuration replication from mate.                                           //sync complete
 5510-HA(config)#                                                                   //sync done (the hostname is now the same on both units)
 5510-HA(config)#copy running-config startup-config                                 //save the running configuration to the startup configuration

Active/Standby HA status check

With the steps above complete, the Active/Standby HA pair should be working. From now on the following commands can be used at any time during maintenance to check how Failover is operating.

Primary ASA (currently in the Active role)

 5510-HA(config)#show failover
 Failover On                                                                        //Failover is enabled
 Failover unit Primary                                                              //this unit is the Primary
 Failover LAN Interface: failover Ethernet0/3 (up)                                  //the Failover interface is e0/3 and the link is up
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(4), Mate 8.0(4)
 Last Failover at: 08:30:59 UTC Mar 10 2010
         This host: Primary - Active                                                //this ASA is currently Active
                 Active time: 282 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                   Interface outside (61.60.59.58): Normal
                   Interface inside (192.168.1.254): Normal
                 slot 1: empty
         Other host: Secondary - Standby Ready
                 Active time: 0 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                   Interface outside (61.60.59.57): Normal
                   Interface inside (192.168.1.253): Normal
                 slot 1: empty
 Stateful Failover Logical Update Statistics
         Link : Unconfigured.
 5510-HA(config)#show failover state
                State          Last Failure Reason      Date/Time
 This host  -   Primary
                Active         None
 Other host -   Secondary
                Standby Ready  None
 ====Configuration State===
         Sync Done
 ====Communication State===
         Mac set
 5510-HA(config)#show failover interface
         interface failover Ethernet0/3
                 System IP Address: 10.0.0.1 255.255.255.0
                 My IP Address    : 10.0.0.1
                 Other IP Address : 10.0.0.2
 5510-HA(config)#show monitor-interface
         This host: Primary - Active
                 Interface outside (61.60.59.58): Normal
                 Interface inside (192.168.1.254): Normal
         Other host: Secondary - Standby Ready
                 Interface outside (61.60.59.57): Normal
                 Interface inside (192.168.1.253): Normal

Secondary ASA (currently in the Standby role)

 5510-HA(config)#show failover                                             
 Failover On                                                                        //Failover is enabled
 Failover unit Secondary                                                            //this unit is the Secondary
 Failover LAN Interface: failover Ethernet0/3 (up)                                  //the Failover interface is e0/3 and the link is up
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(4), Mate 8.0(4)
 Last Failover at: 08:06:40 UTC Mar 10 2010
         This host: Secondary - Standby Ready                                       //this ASA is currently Standby
                 Active time: 0 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                   Interface outside (61.60.59.57): Normal
                   Interface inside (192.168.1.253): Normal
                 slot 1: empty
         Other host: Primary - Active
                 Active time: 456 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                   Interface outside (61.60.59.58): Normal
                   Interface inside (192.168.1.254): Normal
                 slot 1: empty
 Stateful Failover Logical Update Statistics
         Link : Unconfigured.
 5510-HA(config)#show failover state
                State          Last Failure Reason      Date/Time
 This host  -   Secondary
                Standby Ready  None
 Other host -   Primary
                Active         None
 ====Configuration State===
         Sync Done - STANDBY
 ====Communication State===
         Mac set
 5510-HA(config)#show failover interface
         interface failover Ethernet0/3
                 System IP Address: 10.0.0.1 255.255.255.0
                 My IP Address    : 10.0.0.2
                 Other IP Address : 10.0.0.1
 5510-HA(config)# show monitor-interface
         This host: Secondary - Standby Ready
                 Interface outside (61.60.59.57): Normal
                 Interface inside (192.168.1.253): Normal
         Other host: Primary - Active
                 Interface outside (61.60.59.58): Normal
                 Interface inside (192.168.1.254): Normal

Testing whether the Active/Standby HA mechanism works

With both units powered on, you can run the command `failover active` on the Standby unit to take the Active role over (the unit that runs it becomes Active and the former Active unit becomes Standby). For this test, however, the Active unit's power cable was simply unplugged to verify that the Active/Standby HA mechanism works: the Primary is currently Active, so when its power is pulled the Standby unit takes over the Active role, and once the Primary's power is restored it becomes Standby.

Unplug the Primary's power cable (Secondary goes from Standby -> Active)

 5510-HA(config)#Failover LAN Failed                                                //after the Primary's power is pulled, HA kicks in and this unit takes over as Active
        Switching to Active
 5510-HA(config)#show failover
 Failover On                                                                        //Failover is enabled
 Failover unit Secondary                                                            //this unit is the Secondary
 Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)              //the Failover interface is e0/3 and its link is down
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(4), Mate 8.0(4)
 Last Failover at: 08:41:51 UTC Mar 10 2010
         This host: Secondary - Active                                              //this ASA is now Active (taken over from the Primary)
                 Active time: 107 (sec)
                  slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                   Interface outside (61.60.59.58): Normal (Waiting)
                   Interface inside (192.168.1.254): Normal (Waiting)
                 slot 1: empty
         Other host: Primary - Failed
                 Active time: 730 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                   Interface outside (61.60.59.57): Unknown
                   Interface inside (192.168.1.253): Unknown
                 slot 1: empty
 Stateful Failover Logical Update Statistics
         Link : Unconfigured.
 5510-HA(config)#show failover state
                State          Last Failure Reason      Date/Time
 This host  -   Secondary
                Active         None
 Other host -   Primary
                Failed         Comm Failure             08:41:51 UTC Mar 10 2010    //time of the failure
 ====Configuration State===
         Sync Done - STANDBY
 ====Communication State===
 5510-HA(config)#show monitor-interface
         This host: Secondary - Active
                 Interface outside (61.60.59.58): Normal (Waiting)
                 Interface inside (192.168.1.254): Normal (Waiting)
         Other host: Primary - Failed
                 Interface outside (61.60.59.57): Unknown
                 Interface inside (192.168.1.253): Unknown
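As an added example (not part of the original post), here is a small Python checker that parses the `show failover` output shown in the status-check and power-pull sections above and lists anything that warrants attention: failover link state, the pair of roles, and per-interface states. The sample texts are abbreviated copies of that output, constructed here for the example.

```python
import re
# Constructed samples: abbreviated copies of the "show failover" output shown above.
HEALTHY = """Failover On
Failover LAN Interface: failover Ethernet0/3 (up)
        This host: Primary - Active
                  Interface outside (61.60.59.58): Normal
                  Interface inside (192.168.1.254): Normal
        Other host: Secondary - Standby Ready
                  Interface outside (61.60.59.57): Normal
                  Interface inside (192.168.1.253): Normal
"""
FAILED = """Failover On
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
        This host: Secondary - Active
                  Interface outside (61.60.59.58): Normal (Waiting)
                  Interface inside (192.168.1.254): Normal (Waiting)
        Other host: Primary - Failed
                  Interface outside (61.60.59.57): Unknown
                  Interface inside (192.168.1.253): Unknown
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): (.+?)\s*$")

def parse_show_failover(text):
    # Collect failover state, failover-link state and each host's role and interface states.
    state = {"failover_on": False, "lan_link": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s == "Failover On":
            state["failover_on"] = True
        elif s.startswith("Failover LAN Interface:"):
            state["lan_link"] = s[s.index("(") + 1:s.rindex(")")]  # "up" or the failure text
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()  # "this" or "other"
            state["hosts"][current] = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            state["hosts"][current]["interfaces"][m.group(1)] = m.group(2)
    return state

def ha_problems(state):
    # Return findings as strings; an empty list means the pair looks healthy.
    problems = []
    if not state["failover_on"]:
        problems.append("failover is off")
    if state["lan_link"] != "up":
        problems.append(f"failover link {state['lan_link']}")
    roles = {h["role"] for h in state["hosts"].values()}
    if roles != {"Active", "Standby Ready"}:  # anything else: a unit is down or not yet ready
        problems.append(f"unexpected roles {sorted(roles)}")
    for which, h in state["hosts"].items():
        for name, status in h["interfaces"].items():
            if status != "Normal":  # "Unknown", or a "(Waiting)" sub-state right after takeover
                problems.append(f"{which} host {name} {status}")
    return problems
```

Run it over the text captured from `show failover` (for example via an SSH session) and alert whenever `ha_problems` returns a non-empty list; the healthy output above yields none, while the post-takeover output yields the failed link, the Active/Failed role pair and the four non-Normal interfaces.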

Once the Primary's power is restored it takes the Standby role. You may wonder how long the Standby needs to take over: in this test it was about 3 to 6 seconds. As the figure below shows, a continuous ping lost about three packets at the moment the Primary lost power.

(Figure: HA test result)

Supplement: How to keep the rules concise

As the Access Rules and NAT Rules grow in number, not grouping the related IP subnets and Services into groups makes the rules a headache to manage. For example, when port-forwarding Internet traffic to the service ports of a DMZ server, three ports require three Access Rules, but converted to a Service Group only one rule is needed; the interface stays tidy and adding or removing service ports later is easier. Below is a brief outline of defining IP subnets as Network Groups and Services as Service Groups.

  Network Groups:
  1. Open ASDM
  2. Click 【Configuration】 >> 【Firewall】 >> 【Objects】 >> 【Network Objects/Groups】 >> 【Add】 >> 【Network Object Groups】
    1. 【Group Name】: the name of this Network Group
    2. 【Description】: a description of the Network Group's contents
    3. Select existing subnets or add new ones; click OK to finish creating the group
  3. When configuring rules later, choose the Network Group you created under 【Source】 or 【Destination】

  Service Groups:
  1. Open ASDM
  2. Click 【Configuration】 >> 【Firewall】 >> 【Objects】 >> 【Service Groups】 >> 【Add】 >> 【Service Groups】
    1. 【Group Name】: the name of this Service Group
    2. 【Description】: a description of the Service Group's contents
    3. Select well-known services or add ports (or port ranges) yourself; click OK to finish creating the group
  3. When configuring rules later, choose the Service Group you created under 【Service】

Running-Config

 : Saved
 : Written by enable_15 at 00:38:48.296 CST Sat Mar 13 2010
 !
 ASA Version 8.0(4) 
 !
 hostname ASA5510-HA
 enable password k5oGzdLgCIdw7VXk encrypted
 passwd k1oGndLgCIdw5VXk encrypted
 names
 !
 interface Ethernet0/0
  nameif wan
  security-level 0
  ip address 61.60.59.58 255.255.255.0 standby 61.60.59.57 
 !
 interface Ethernet0/1
  nameif lan
  security-level 100
  ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
 !
 interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
 !
 interface Ethernet0/3
  description LAN Failover Interface
 !
 interface Management0/0
  nameif man
  security-level 0
  no ip address
 !
 ftp mode passive
 clock timezone CST 8
 object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
 object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
 access-list WAN_To_LAN extended permit tcp any eq 3389
 logging enable
 logging asdm informational
 mtu wan 1500
 mtu lan 1500
 mtu man 1500
 failover
 failover lan unit secondary
 failover lan interface failover Ethernet0/3
 failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
 icmp unreachable rate-limit 1 burst-size 1
 asdm image disk0:/asdm-613.bin
 no asdm history enable
 arp timeout 14400
 global (wan) 1 interface
 nat (lan) 1 192.168.1.0 255.255.255.0  
 static (lan,wan) 61.60.59.56 192.168.1.200 netmask 255.255.255.255
 access-group WAN_To_LAN in interface wan
 access-group LAN_To_WAN in interface lan
 route wan 0.0.0.0 0.0.0.0 61.60.59.254 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 dynamic-access-policy-record DfltAccessPolicy
 http server enable
 http 0.0.0.0 0.0.0.0 lan
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart
 service resetoutside
 crypto ipsec security-association lifetime seconds 28800
 crypto ipsec security-association lifetime kilobytes 4608000
 telnet 0.0.0.0 0.0.0.0 lan
 telnet timeout 5
 ssh timeout 5
 console timeout 0
 threat-detection basic-threat
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 ntp server 220.130.158.52 source wan
 ntp server 220.130.158.51 source wan prefer
 ntp server 220.130.158.72 source wan
 ntp server 220.130.158.71 source wan
 !
 class-map inspection_default
  match default-inspection-traffic
 !
 !
 policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
 policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map 
   inspect ftp 
   inspect h323 h225 
   inspect h323 ras 
   inspect netbios 
   inspect rsh 
   inspect rtsp 
   inspect skinny  
   inspect esmtp 
   inspect sqlnet 
   inspect sunrpc 
   inspect tftp 
   inspect sip  
   inspect xdmcp 
   inspect pptp 
 !
 service-policy global_policy global
 prompt hostname context 
 Cryptochecksum:be8009cb2ffe7db565d9d64c837d2f5b
 : end


MeFAQ

Q. Suddenly unable to log in to the Cisco ASA 5510 with ASDM?

Error Message:

Logging in with ASDM used to work fine, but today I suddenly cannot log in to the Cisco ASA 5510 with ASDM and get the following error message?

 Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NumberFormatException: For input string: "1 year 4" 

Ans:

According to the official [Cisco Adaptive Security Device Manager - ASDM Troubleshooting] page, this is a bug in older firmware: after more than a year of uptime the Cisco ASA has to be rebooted. Sure enough, after a reboot everything worked again.
