ASA Failover Basic Setup


1. Specify the physical interface for the LAN failover link and name it. In this lab, the failover link and the stateful link share the same interface.
ASAv1(config)#
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 192.168.254.1 255.255.255.0 standby 192.168.254.2

ASAv2(config)#
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 192.168.254.1 255.255.255.0 standby 192.168.254.2

2. Enable the failover interface
ASAv1(config)#int g0/2
ASAv1(config-if)#no shut

ASAv2(config)#int g0/2
ASAv2(config-if)#no shut

3. Enable failover
ASAv1(config)#failover

ASAv2(config)#failover

4. Assign the failover pair a new hostname
ASAv1(config)#hostname ASA
ASA(config)#

5. Verify failover status
ASA# show failover

6. Continue the basic configuration on the active ASA: configure the inside and outside interfaces
ASA(config)# int g0/0
ASA(config-if)# ip add 203.0.113.2 255.255.255.0 standby 203.0.113.3
ASA(config-if)# nameif outside
ASA(config-if)# no shut

ASA(config)# int g0/1
ASA(config-if)# ip add 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASA(config-if)# nameif inside
ASA(config-if)# no shut

7. Configure NAT for outbound access
ASA(config)# object network NET-10.0.0.0_24
ASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface

8. Add default route
ASA(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1

9. Enable ICMP inspection so that ping replies are allowed to pass through
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
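
A consistency check for the step 1 failover statements, added here as an example and not part of the original post. It compares the failover lines of the two units and also reports when neither a failover key nor a failover ipsec pre-shared-key statement is present, because without one the failover and state link carries its traffic in clear text. The function names are hypothetical; the sample configuration is copied from step 1.

```python
import ipaddress

# Step 1 configuration from this page, one string per unit.
PRIMARY = """
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 192.168.254.1 255.255.255.0 standby 192.168.254.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse_failover(config):
    """Collect the failover statements from one unit's configuration text."""
    out = {"ips": {}, "keyed": False}
    for line in config.splitlines():
        t = line.split()
        if t[:1] != ["failover"]:
            continue
        if t[1:3] == ["lan", "unit"] and len(t) == 4:
            out["unit"] = t[3]
        elif t[1:3] == ["lan", "interface"] and len(t) == 5:
            out["lan_if"] = (t[3], t[4])
        elif t[1:2] == ["link"] and len(t) == 4:
            out["link_if"] = (t[2], t[3])
        elif t[1:3] == ["interface", "ip"] and len(t) == 8 and t[6] == "standby":
            out["ips"][t[3]] = (t[4], t[5], t[7])
        elif t[1:2] == ["key"] or t[1:3] == ["ipsec", "pre-shared-key"]:
            out["keyed"] = True
    return out

def check_pair(cfg_a, cfg_b):
    """Return findings for mismatches between the units and for an unkeyed link."""
    a, b = parse_failover(cfg_a), parse_failover(cfg_b)
    findings = []
    if {a.get("unit"), b.get("unit")} != {"primary", "secondary"}:
        findings.append("units must be one primary and one secondary")
    for key, what in (("lan_if", "failover lan interface"),
                      ("link_if", "failover link"), ("ips", "failover interface ip")):
        if a.get(key) != b.get(key):
            findings.append(f"{what} differs between the units")
    for name, (active, mask, standby) in a["ips"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby == active or ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby {standby} is not a second host in {net}")
    if not (a["keyed"] and b["keyed"]):
        findings.append("no failover key configured: failover link traffic is in clear text")
    return findings

if __name__ == "__main__":
    for finding in check_pair(PRIMARY, SECONDARY):
        print("FINDING:", finding)
```

Run against the step 1 configuration as written, it reports only the missing key; the unit roles, interface names and addresses are consistent.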





