Cisco ASA 5500-X Series Firewalls Configuration Guide

Category: Networking
Type: Configuration Guide
CLI Book 1: Cisco ASA Series General Operations CLI Configuration
Guide, 9.14
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
©2021 Cisco Systems, Inc. All rights reserved.
CONTENTS
PREFACE About This Guide xlix
Document Objectives xlix
Related Documentation xlix
Document Conventions xlix
Communications, Services, and Additional Information li
PART I Getting Started with the ASA 53
CHAPTER 1 Introduction to the Cisco ASA 1
Hardware and Software Compatibility 1
VPN Compatibility 1
New Features 1
New Features in ASA 9.14(3) 2
New Features in ASA 9.14(2) 2
New Features in ASA 9.14(1.30) 2
New Features in ASAv 9.14(1.6) 2
New Features in ASA 9.14(3) 3
Firewall Functional Overview 3
Security Policy Overview 3
Permitting or Denying Traffic with Access Rules 3
Applying NAT 3
Protecting from IP Fragments 3
Applying HTTP, HTTPS, or FTP Filtering 4
Applying Application Inspection 4
Sending Traffic to Supported Hardware or Software Modules 4
Applying QoS Policies 4
Applying Connection Limits and TCP Normalization 4
Enabling Threat Detection 4
Firewall Mode Overview 5
Stateful Inspection Overview 5
VPN Functional Overview 6
Security Context Overview 7
ASA Clustering Overview 7
Special and Legacy Services 7
CHAPTER 2 Getting Started 9
Access the Console for the Command-Line Interface 9
Access the ASA Hardware or ISA 3000 Console 9
Access the Firepower 2100 Platform Mode Console 10
Access the Firepower 1000 and 2100 Appliance Mode Console 12
Access the ASA Console on the Firepower 4100/9300 Chassis 14
Access the Software Module Console 15
Access the ASA 5506W-X Wireless Access Point Console 16
Configure ASDM Access 16
Use the Factory Default Configuration for ASDM Access 16
Customize ASDM Access 17
Start ASDM 19
Factory Default Configurations 21
Restore the Factory Default Configuration 22
Restore the ASAv Deployment Configuration 24
ASA 5506-X Series Default Configuration 24
ASA 5508-X and 5516-X Default Configuration 27
ASA 5525-X through ASA 5555-X Default Configuration 28
Firepower 1010 Default Configuration 28
Firepower 1100 Default Configuration 30
Firepower 2100 Platform Mode Default Configuration 31
Firepower 2100 Appliance Mode Default Configuration 32
Firepower 4100/9300 Chassis Default Configuration 34
ISA 3000 Default Configuration 34
ASAv Deployment Configuration 36
Set the Firepower 2100 to Appliance or Platform Mode 38
Work with the Configuration 39
Save Configuration Changes 40
Save Configuration Changes in Single Context Mode 40
Save Configuration Changes in Multiple Context Mode 40
Copy the Startup Configuration to the Running Configuration 42
View the Configuration 42
Clear and Remove Configuration Settings 42
Create Text Configuration Files Offline 44
Apply Configuration Changes to Connections 44
Reload the ASA 44
CHAPTER 3 Licenses: Product Authorization Key Licensing 47
About PAK Licenses 47
Preinstalled License 47
Permanent License 47
Time-Based Licenses 48
Time-Based License Activation Guidelines 48
How the Time-Based License Timer Works 48
How Permanent and Time-Based Licenses Combine 48
Stacking Time-Based Licenses 49
Time-Based License Expiration 50
License Notes 50
AnyConnect Plus and Apex Licenses 50
Other VPN License 51
Total VPN Sessions Combined, All Types 51
VPN Load Balancing 51
Legacy VPN Licenses 51
Encryption License 51
Carrier License 52
Total TLS Proxy Sessions 52
VLANs, Maximum 53
Botnet Traffic Filter License 53
Shared AnyConnect Premium Licenses (AnyConnect 3 and Earlier) 53
Failover or ASA Cluster Licenses 53
Failover License Requirements and Exceptions 53
ASA Cluster License Requirements and Exceptions 55
How Failover or ASA Cluster Licenses Combine 55
Loss of Communication Between Failover or ASA Cluster Units 56
Upgrading Failover Pairs 57
No Payload Encryption Models 57
Licenses FAQ 57
Guidelines for PAK Licenses 58
Configure PAK Licenses 59
Order License PAKs and Obtain an Activation Key 60
Obtain a Strong Encryption License 61
Activate or Deactivate Keys 63
Configure a Shared License (AnyConnect 3 and Earlier) 64
About Shared Licenses 64
About the Shared Licensing Server and Participants 64
Communication Issues Between Participant and Server 65
About the Shared Licensing Backup Server 66
Failover and Shared Licenses 66
Maximum Number of Participants 68
Configure the Shared Licensing Server 68
Configure the Shared Licensing Backup Server (Optional) 69
Configure the Shared Licensing Participant 70
Supported Feature Licenses Per Model 71
Licenses Per Model 71
ASA 5506-X and ASA 5506W-X License Features 71
ASA 5506H-X License Features 72
ASA 5508-X License Features 73
ASA 5516-X License Features 74
ASA 5525-X License Features 75
ASA 5545-X License Features 76
ASA 5555-X License Features 77
ISA 3000 License Features 79
Monitoring PAK Licenses 80
Viewing Your Current License 80
Monitoring the Shared License 88
History for PAK Licenses 90
CHAPTER 4 Licenses: Smart Software Licensing 99
About Smart Software Licensing 99
Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis 99
Smart Software Manager and Accounts 100
Offline Management 100
Permanent License Reservation 100
Satellite Server (Smart Software Manager On-Prem) 102
Licenses and Devices Managed per Virtual Account 102
Evaluation License 102
About Licenses by Type 103
AnyConnect Plus, AnyConnect Apex, And VPN Only Licenses 103
Other VPN License 103
Total VPN Sessions Combined, All Types 104
Encryption License 104
Carrier License 106
Total TLS Proxy Sessions 106
VLANs, Maximum 107
Botnet Traffic Filter License 107
Failover or ASA Cluster Licenses 107
Failover Licenses for the ASAv 107
Failover Licenses for the Firepower 1010 107
Failover Licenses for the Firepower 1100 108
Failover Licenses for the Firepower 2100 110
Failover Licenses for the ASA on the Firepower 4100/9300 Chassis 111
ASA Cluster Licenses for the Firepower 4100/9300 112
Prerequisites for Smart Software Licensing 113
Regular and Satellite Smart License Prerequisites 113
Permanent License Reservation Prerequisites 114
License PIDs 114
Guidelines for Smart Software Licensing 118
Defaults for Smart Software Licensing 118
ASAv: Configure Smart Software Licensing 119
ASAv: Configure Regular Smart Software Licensing 119
ASAv: Configure Satellite Smart Software Licensing 122
ASAv: Configure Utility Mode and MSLA Smart Software Licensing 124
ASAv: Configure Permanent License Reservation 127
Install the ASAv Permanent License 127
(Optional) Return the ASAv Permanent License 129
(Optional) Deregister the ASAv (Regular and Satellite) 130
(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and Satellite) 130
Firepower 1000, 2100: Configure Smart Software Licensing 131
Firepower 1000, 2100: Configure Regular Smart Software Licensing 131
Firepower 1000, 2100: Configure Satellite Smart Software Licensing 135
Firepower 1000, 2100: Configure Permanent License Reservation 138
Install the Firepower 1000, 2100 Permanent License 138
(Optional) Return the Firepower 1000, 2100 Permanent License 140
(Optional) Deregister the Firepower 1000, 2100 (Regular and Satellite) 141
(Optional) Renew the Firepower 1000, 2100 ID Certificate or License Entitlement (Regular and Satellite) 142
Firepower 4100/9300: Configure Smart Software Licensing 142
Licenses Per Model 145
ASAv 145
Firepower 1010 148
Firepower 1100 Series 148
Firepower 2100 Series 149
Firepower 4100 Series ASA Application 151
Firepower 9300 ASA Application 152
Monitoring Smart Software Licensing 153
Viewing Your Current License 153
Viewing Smart License Status 154
Viewing the UDI 156
Debugging Smart Software Licensing 156
Smart Software Manager Communication 157
Device Registration and Tokens 157
Periodic Communication with the License Authority 157
Out-of-Compliance State 158
Smart Call Home Infrastructure 159
Smart License Certificate Management 159
History for Smart Software Licensing 159
CHAPTER 5 Logical Devices for the Firepower 4100/9300 163
About Firepower Interfaces 163
Chassis Management Interface 163
Interface Types 164
FXOS Interfaces vs. Application Interfaces 165
About Logical Devices 166
Standalone and Clustered Logical Devices 166
Requirements and Prerequisites for Hardware and Software Combinations 166
Guidelines and Limitations for Logical Devices 167
Guidelines and Limitations for Firepower Interfaces 167
General Guidelines and Limitations 168
Requirements and Prerequisites for High Availability 168
Configure Interfaces 168
Configure a Physical Interface 169
Add an EtherChannel (Port Channel) 170
Configure Logical Devices 173
Add a Standalone ASA 173
Add a High Availability Pair 179
Change an Interface on an ASA Logical Device 179
Connect to the Console of the Application 180
History for Logical Devices 182
CHAPTER 6 Transparent or Routed Firewall Mode 185
About the Firewall Mode 185
About Routed Firewall Mode 185
About Transparent Firewall Mode 185
Using the Transparent Firewall in Your Network 186
Management Interface 186
Passing Traffic For Routed-Mode Features 186
About Bridge Groups 187
Bridge Virtual Interface (BVI) 187
Bridge Groups in Transparent Firewall Mode 187
Bridge Groups in Routed Firewall Mode 188
Passing Traffic Not Allowed in Routed Mode 189
Allowing Layer 3 Traffic 189
Allowed MAC Addresses 190
BPDU Handling 190
MAC Address vs. Route Lookups 190
Unsupported Features for Bridge Groups in Transparent Mode 192
Unsupported Features for Bridge Groups in Routed Mode 192
Default Settings 194
Guidelines for Firewall Mode 194
Set the Firewall Mode 195
Examples for Firewall Mode 196
How Data Moves Through the Secure Firewall ASA in Routed Firewall Mode 196
An Inside User Visits a Web Server 196
An Outside User Visits a Web Server on the DMZ 198
An Inside User Visits a Web Server on the DMZ 199
An Outside User Attempts to Access an Inside Host 199
A DMZ User Attempts to Access an Inside Host 200
How Data Moves Through the Transparent Firewall 201
An Inside User Visits a Web Server 202
An Inside User Visits a Web Server Using NAT 203
An Outside User Visits a Web Server on the Inside Network 205
An Outside User Attempts to Access an Inside Host 206
History for the Firewall Mode 207
PART II High Availability and Scalability 211
CHAPTER 7 Multiple Context Mode 213
About Security Contexts 213
Common Uses for Security Contexts 213
Context Configuration Files 214
Context Configurations 214
System Configuration 214
Admin Context Configuration 214
How the ASA Classifies Packets 214
Valid Classifier Criteria 214
Classification Examples 215
Cascading Security Contexts 217
Management Access to Security Contexts 218
System Administrator Access 218
Context Administrator Access 218
Management Interface Usage 218
About Resource Management 219
Resource Classes 219
Resource Limits 219
Default Class 220
Use Oversubscribed Resources 221
Use Unlimited Resources 221
About MAC Addresses 222
MAC Addresses in Multiple Context Mode 222
Automatic MAC Addresses 222
VPN Support 223
Licensing for Multiple Context Mode 223
Prerequisites for Multiple Context Mode 224
Guidelines for Multiple Context Mode 225
Defaults for Multiple Context Mode 226
Configure Multiple Contexts 226
Enable or Disable Multiple Context Mode 226
Enable Multiple Context Mode 227
Restore Single Context Mode 228
Configure a Class for Resource Management 228
Configure a Security Context 233
Assign MAC Addresses to Context Interfaces Automatically 236
Change Between Contexts and the System Execution Space 237
Manage Security Contexts 237
Remove a Security Context 237
Change the Admin Context 238
Change the Security Context URL 239
Reload a Security Context 240
Reload by Clearing the Configuration 240
Reload by Removing and Re-adding the Context 241
Monitoring Security Contexts 241
View Context Information 241
View Resource Allocation 243
View Resource Usage 246
Monitor SYN Attacks in Contexts 248
View Assigned MAC Addresses 250
View MAC Addresses in the System Configuration 250
View MAC Addresses Within a Context 252
Examples for Multiple Context Mode 253
History for Multiple Context Mode 254
CHAPTER 8 Failover for High Availability 259
About Failover 259
Failover Modes 259
Failover System Requirements 260
Hardware Requirements 260
Software Requirements 260
License Requirements 261
Failover and Stateful Failover Links 261
Failover Link 261
Stateful Failover Link 262
Avoiding Interrupted Failover and Data Links 263
MAC Addresses and IP Addresses in Failover 265
Stateless and Stateful Failover 267
Stateless Failover 267
Stateful Failover 267
Bridge Group Requirements for Failover 269
Bridge Group Requirements for Appliances, ASAv 269
Failover Health Monitoring 270
Unit Health Monitoring 270
Interface Monitoring 270
Failover Times 272
Configuration Synchronization 273
Running Configuration Replication 273
File Replication 274
Command Replication 274
About Active/Standby Failover 275
Primary/Secondary Roles and Active/Standby Status 275
Active Unit Determination at Startup 275
Failover Events 275
About Active/Active Failover 276
Active/Active Failover Overview 277
Primary/Secondary Roles and Active/Standby Status for a Failover Group 277
Active Unit Determination for Failover Groups at Startup 277
Failover Events 278
Licensing for Failover 279
Guidelines for Failover 281
Defaults for Failover 283
Configure Active/Standby Failover 283
Configure the Primary Unit for Active/Standby Failover 283
Configure the Secondary Unit for Active/Standby Failover 287
Configure Active/Active Failover 288
Configure the Primary Unit for Active/Active Failover 288
Configure the Secondary Unit for Active/Active Failover 293
Configure Optional Failover Parameters 294
Configure Failover Criteria and Other Settings 294
Configure Interface Monitoring 298
Configure Support for Asymmetrically Routed Packets (Active/Active Mode) 298
Manage Failover 302
Force Failover 302
Disable Failover 303
Restore a Failed Unit 304
Re-Sync the Configuration 304
Test the Failover Functionality 305
Remote Command Execution 305
Send a Command 305
Change Command Modes 306
Security Considerations 307
Limitations of Remote Command Execution 307
Monitoring Failover 308
Failover Messages 308
Failover Syslog Messages 308
Failover Debug Messages 308
SNMP Failover Traps 308
Monitoring Failover Status 309
History for Failover 309
CHAPTER 9 Failover for High Availability in the Public Cloud 313
About Failover in the Public Cloud 313
About Active/Backup Failover 314
Primary/Secondary Roles and Active/Backup Status 314
Failover Connection 314
Polling and Hello Messages 314
Active Unit Determination at Startup 315
Failover Events 315
Guidelines and Limitations 317
Licensing for Failover in the Public Cloud 318
Defaults for Failover in the Public Cloud 318
About ASAv High Availability in Microsoft Azure 318
About the Azure Service Principal 319
Configuration Requirements for ASAv High Availability in Azure 320
Configure Active/Backup Failover 321
Configure the Primary Unit for Active/Backup Failover 321
Configure the Secondary Unit for Active/Backup Failover 322
Configure Optional Failover Parameters 323
Configure Failover Criteria and Other Settings 323
Configure Authentication Credentials for an Azure Service Principal 325
Configure Azure Route Tables 326
Enable Active/Backup Failover 327
Enable the Primary Unit for Active/Backup Failover 327
Enable the Secondary Unit for Active/Backup Failover 328
Manage Failover in the Public Cloud 329
Force Failover 329
Update Routes 330
Validate Azure Authentication 331
Monitor Failover in the Public Cloud 331
Failover Status 331
Failover Messages 332
History for Failover in the Public Cloud 333
CHAPTER 10 ASA Cluster 335
About ASA Clustering 335
How the Cluster Fits into Your Network 335
Cluster Members 336
Bootstrap Configuration 336
Control and Data Node Roles 336
Cluster Interfaces 336
Cluster Control Link 336
Configuration Replication 337
ASA Cluster Management 337
Management Network 337
Management Interface 337
Control Unit Management Vs. Data Unit Management 338
Crypto Key Replication 338
ASDM Connection Certificate IP Address Mismatch 338
Inter-Site Clustering 338
Licenses for ASA Clustering 339
Requirements and Prerequisites for ASA Clustering 339
Guidelines for ASA Clustering 341
Configure ASA Clustering 346
Cable the Units and Configure Interfaces 347
About Cluster Interfaces 347
Cable the Cluster Units and Configure Upstream and Downstream Equipment 356
Configure the Cluster Interface Mode on Each Unit 356
Configure Interfaces on the Control Unit 357
Create the Bootstrap Configuration 364
Configure the Control Node Bootstrap Settings 364
Configure Data Node Bootstrap Settings 369
Customize the Clustering Operation 372
Configure Basic ASA Cluster Parameters 372
Configure Health Monitoring and Auto-Rejoin Settings 372
Configure Connection Rebalancing and the Cluster TCP Replication Delay 376
Configure Inter-Site Features 377
Manage Cluster Nodes 383
Become an Inactive Node 383
Deactivate a Node 384
Rejoin the Cluster 385
Leave the Cluster 385
Change the Control Node 387
Execute a Command Cluster-Wide 387
Monitoring the ASA Cluster 388
Monitoring Cluster Status 388
Capturing Packets Cluster-Wide 392
Monitoring Cluster Resources 393
Monitoring Cluster Traffic 393
Monitoring Cluster Routing 398
Configuring Logging for Clustering 398
Monitoring Cluster Interfaces 399
Debugging Clustering 399
Examples for ASA Clustering 400
Sample ASA and Switch Configuration 400
ASA Configuration 400
Cisco IOS Switch Configuration 402
Firewall on a Stick 403
Traffic Segregation 405
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 407
OTV Configuration for Routed Mode Inter-Site Clustering 413
Examples for Inter-Site Clustering 416
Individual Interface Routed Mode North-South Inter-Site Example 416
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 417
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 418
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 419
Reference for Clustering 420
ASA Features and Clustering 420
Unsupported Features with Clustering 420
Centralized Features for Clustering 421
Features Applied to Individual Nodes 422
AAA for Network Access and Clustering 423
Connection Settings and Clustering 423
FTP and Clustering 423
ICMP Inspection and Clustering 423
Multicast Routing and Clustering 423
NAT and Clustering 424
Dynamic Routing and Clustering 425
SCTP and Clustering 427
SIP Inspection and Clustering 428
SNMP and Clustering 428
STUN and Clustering 428
Syslog and NetFlow and Clustering 428
Cisco TrustSec and Clustering 428
VPN and Clustering 428
Performance Scaling Factor 429
Control Node Election 429
High Availability Within the ASA Cluster 430
Node Health Monitoring 430
Interface Monitoring 430
Status After Failure 430
Rejoining the Cluster 431
Data Path Connection State Replication 431
How the ASA Cluster Manages Connections 432
Connection Roles 432
New Connection Ownership 434
Sample Data Flow for TCP 434
Sample Data Flow for ICMP and UDP 435
Rebalancing New TCP Connections Across the Cluster 436
History for ASA Clustering 436
CHAPTER 11 ASA Cluster for the Firepower 4100/9300 443
About Clustering on the Firepower 4100/9300 Chassis 443
Bootstrap Configuration 444
Cluster Members 444
Cluster Control Link 444
Size the Cluster Control Link 445
Cluster Control Link Redundancy 445
Cluster Control Link Reliability 446
Cluster Control Link Network 446
Cluster Interfaces 446
Connecting to a VSS or vPC 447
Configuration Replication 447
ASA Cluster Management 447
Management Network 447
Management Interface 447
Control Unit Management Vs. Data Unit Management 447
Crypto Key Replication 448
ASDM Connection Certificate IP Address Mismatch 448
Spanned EtherChannels (Recommended) 448
Inter-Site Clustering 449
Requirements and Prerequisites for Clustering on the Firepower 4100/9300 Chassis 449
Licenses for Clustering on the Firepower 4100/9300 Chassis 451
Licenses for Distributed S2S VPN 452
Clustering Guidelines and Limitations 452
Configure Clustering on the Firepower 4100/9300 Chassis 457
FXOS: Add an ASA Cluster 457
Create an ASA Cluster 458
Add More Cluster Members 467
ASA: Change the Firewall Mode and Context Mode 468
ASA: Configure Data Interfaces 468
ASA: Customize the Cluster Configuration 471
Configure Basic ASA Cluster Parameters 471
Configure Health Monitoring and Auto-Rejoin Settings 473
Configure Connection Rebalancing and the Cluster TCP Replication Delay 476
Configure Inter-Site Features 477
Configure Distributed Site-to-Site VPN 483
FXOS: Remove a Cluster Unit 489
ASA: Manage Cluster Members 491
Become an Inactive Member 491
Deactivate a Unit 492
Rejoin the Cluster 493
Change the Control Unit 493
Execute a Command Cluster-Wide 494
ASA: Monitoring the ASA Cluster on the Firepower 4100/9300 chassis 495
Monitoring Cluster Status 495
Capturing Packets Cluster-Wide 499
Monitoring Cluster Resources 499
Monitoring Cluster Traffic 499
Monitoring Cluster Routing 504
Monitoring Distributed S2S VPN 504
Configuring Logging for Clustering 505
Debugging Clustering 505
Troubleshooting Distributed S2S VPN 505
Examples for ASA Clustering 507
Firewall on a Stick 507
Traffic Segregation 507
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 507
OTV Configuration for Routed Mode Inter-Site Clustering 507
Examples for Inter-Site Clustering 510
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 510
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 511
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 512
Reference for Clustering 513
ASA Features and Clustering 513
Unsupported Features with Clustering 513
Centralized Features for Clustering 514
Features Applied to Individual Units 515
AAA for Network Access and Clustering 515
Connection Settings 516
FTP and Clustering 516
ICMP Inspection 516
Multicast Routing and Clustering 516
NAT and Clustering 516
Dynamic Routing and Clustering 518
SCTP and Clustering 519
SIP Inspection and Clustering 519
SNMP and Clustering 519
STUN and Clustering 519
Syslog and NetFlow and Clustering 519
Cisco TrustSec and Clustering 519
VPN and Clustering on the FXOS Chassis 519
Performance Scaling Factor 520
Control Unit Election 520
High Availability Within the Cluster 521
Chassis-Application Monitoring 521
Unit Health Monitoring 521
Interface Monitoring 521
Decorator Application Monitoring 522
Status After Failure 522
Rejoining the Cluster 522
Data Path Connection State Replication 523
How the Cluster Manages Connections 523