Cisco IPS 4520 Sensor White Paper
Page 13 of 79
Firewall
August 2012 Series
HTTPS and Secure Shell (SSH) are more secure replacements for the HTTP and Telnet protocols. They use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide device authentication and data encryption. Use SSH and HTTPS protocols in order to more securely manage the device. Both protocols are encrypted for privacy, and the non-secure protocols, Telnet and HTTP, are turned off.

Simple Network Management Protocol (SNMP) is enabled to allow the network infrastructure devices to be managed by a Network Management System (NMS). SNMPv2c is configured for a read-only community string.
Step 1: Allow internal administrators to remotely manage the appliance over HTTPS and SSH.

domain-name cisco.local
http server enable
http 10.4.48.0 255.255.255.0 inside
ssh 10.4.48.0 255.255.255.0 inside
ssh version 2
Step 2: Configure the appliance to allow SNMP polling from the NMS.

snmp-server host inside 10.4.48.35 community cisco
snmp-server community cisco
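Steps 1 and 2 limit the management plane to HTTPS, SSHv2 and read-only SNMPv2c from the 10.4.48.0/24 management subnet. As an added example that is not part of the guide, the Python audit below reads a running-config excerpt and checks exactly those properties: no `telnet` access line, `http` and `ssh` access restricted to the management subnet on the inside interface, `ssh version 2` present, the SNMP poller inside the management subnet, and a community string that is not a well-known default. The two sample configs are constructed for this example; the first keeps a leftover `telnet` line and the guide's placeholder community `cisco` so the checks have findings to report, and the hardened variant's community string is invented.

```python
import ipaddress
import re

# Constructed sample: a running-config excerpt in the shape of the Step 1 and
# Step 2 commands, with a leftover telnet line and the placeholder community
# string "cisco" so the audit has findings to report.
SAMPLE_CONFIG = """\
domain-name cisco.local
http server enable
http 10.4.48.0 255.255.255.0 inside
ssh 10.4.48.0 255.255.255.0 inside
ssh version 2
telnet 10.4.48.0 255.255.255.0 inside
snmp-server host inside 10.4.48.35 community cisco
snmp-server community cisco
"""

# Constructed hardened variant: telnet removed, unique (invented) community string.
HARDENED_CONFIG = """\
domain-name cisco.local
http server enable
http 10.4.48.0 255.255.255.0 inside
ssh 10.4.48.0 255.255.255.0 inside
ssh version 2
snmp-server host inside 10.4.48.35 community N3tM0n-r0-2012
snmp-server community N3tM0n-r0-2012
"""

# Management subnet from the guide's addressing; assumed to be the only
# network that should reach the management plane.
MGMT_SUBNET = ipaddress.ip_network("10.4.48.0/24")

# Community strings that appear in vendor examples and scanner wordlists.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "default"}

# ASA management access lines: <http|ssh|telnet> <address> <mask> <interface>
ACCESS_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def audit_management_plane(config_text, mgmt_subnet=MGMT_SUBNET, mgmt_if="inside"):
    """Return a list of findings; an empty list means the excerpt matches the guide."""
    findings = []
    ssh_v2 = False
    saw_ssh = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ssh version 2":
            ssh_v2 = True
            continue

        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            if proto == "telnet":
                findings.append(f"telnet access enabled on {ifname} for {addr} {mask}; use SSH")
                continue
            saw_ssh = saw_ssh or proto == "ssh"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if not net.subnet_of(mgmt_subnet):
                findings.append(f"{proto} access from {net} is wider than management subnet {mgmt_subnet}")
            if ifname != mgmt_if:
                findings.append(f"{proto} access allowed on {ifname}, not only on {mgmt_if}")
            continue

        if line.startswith("snmp-server host "):
            # snmp-server host <interface> <address> community <string> ...
            parts = line.split()
            host_ip = ipaddress.ip_address(parts[3])
            if host_ip not in mgmt_subnet:
                findings.append(f"SNMP poller {host_ip} is outside management subnet {mgmt_subnet}")
        elif line.startswith("snmp-server community "):
            community = line.split()[2]
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"SNMP community '{community}' is a well-known default; use a unique string")

    if saw_ssh and not ssh_v2:
        findings.append("ssh access configured without 'ssh version 2'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_management_plane(cfg) or ["no findings"]:
            print(" -", finding)
```

The subnet test uses `subnet_of`, so an access line for a narrower range inside 10.4.48.0/24 passes while a wider one (for example `0.0.0.0 0.0.0.0`) is reported; the interface check catches access lines that were added on an interface other than inside.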
Configuring Firewall High Availability
Process
The Cisco ASA appliances are set up as a highly available active/standby pair. Active/standby is used, rather than an active/active configuration, because this allows the same appliance to be used for firewall and VPN services (VPN functionality is disabled on the appliance in active/active configuration). In the event that the active ASA appliance fails or needs to be taken out of service for maintenance, the secondary ASA appliance assumes all active firewall, IPS, and VPN functions. In an active/standby configuration, only one device is passing traffic at a time; thus, the Cisco ASAs must be sized so that the entire traffic load can be handled by either device in the pair.

Both units in the failover pair must be the same model, with identical feature licenses and IPS (if the software module is installed). For failover to be enabled, the secondary Cisco ASA unit needs to be powered up and cabled to the same networks as the primary unit.
One interface on each Cisco ASA is configured as the state-synchronization interface, which the appliances use to share configuration updates, determine which device in the high availability pair is active, and exchange state information for active connections. The failover interface carries the state synchronization information. All session state is replicated from the primary to the standby unit through this interface. There can be a substantial amount of data, and it is recommended that this be a dedicated interface.
By default, the appliance can take from 2 to 25 seconds to recover from a failure. Tuning the failover poll times can reduce that to 0.5 to 5 seconds. On an appropriately sized ASA, the poll times can be tuned down without performance impact to the appliance, which minimizes the downtime a user experiences during failover. Reducing the failover timer intervals below the values in this guide is not recommended.
Procedure 1 
Configure resilience on primary firewall
This procedure describes how to configure active/standby failover. The failover key value must match on both devices in an active/standby pair. This key is used for two purposes: to authenticate the two devices to each other, and to secure state synchronization messages between the devices, which enables the Cisco ASA pair to maintain service for existing connections in the event of a failover.
Step 1: On the primary Cisco ASA, enable failover.

failover
Step 2: Configure the Cisco ASA as the primary appliance of the high availability pair.

failover lan unit primary
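The procedure requires the failover key to match on both units, one unit to be primary and the other secondary, and the pair to share a state-synchronization interface. As an added example that is not part of the guide, the Python check below parses the failover stanza from each unit's configuration and reports the mismatches that would keep the pair from forming or leave state synchronization unauthenticated. Only `failover` and `failover lan unit primary` appear on this page; the `failover key`, `failover lan interface` and `failover link` lines in the constructed samples are assumed from the ASA failover command set, the interface names and key values are invented, and the comparison assumes the keys as entered (in `show running-config` output the key is typically shown masked, so it would have to come from the change record instead). The secondary's key carries a deliberate typo so the check has something to report.

```python
# Constructed sample configs for the two units of the pair. Interface names
# and key values are invented; the secondary's key differs by one character.
PRIMARY_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover key F41l0v3r-Sh4r3d-K3y
"""

SECONDARY_CONFIG = """\
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover key F41l0v3r-Sh4r3d-Key
"""


def parse_failover(config_text):
    """Collect the failover settings of one unit into a dict."""
    info = {"enabled": False, "role": None, "lan_if": None, "link_if": None, "key": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "failover":
            info["enabled"] = True
        elif line.startswith("failover lan unit "):
            info["role"] = line.split()[3]
        elif line.startswith("failover lan interface "):
            # (logical name, physical interface) of the failover LAN link
            info["lan_if"] = tuple(line.split()[3:5])
        elif line.startswith("failover link "):
            # (logical name, physical interface) carrying state synchronization
            info["link_if"] = tuple(line.split()[2:4])
        elif line.startswith("failover key "):
            info["key"] = line.split(None, 2)[2]
    return info


def check_pair(primary_text, secondary_text):
    """Return the mismatches between the two units; an empty list means the
    pair is consistent for the settings this page discusses."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    issues = []
    for name, unit in (("primary", p), ("secondary", s)):
        if not unit["enabled"]:
            issues.append(f"{name}: 'failover' is not enabled")
        if unit["key"] is None:
            issues.append(f"{name}: no failover key; state sync would be unauthenticated")
        if unit["lan_if"] is None:
            issues.append(f"{name}: no failover LAN interface configured")
    if {p["role"], s["role"]} != {"primary", "secondary"}:
        issues.append(f"roles are {p['role']!r} and {s['role']!r}; need one primary and one secondary")
    if p["lan_if"] != s["lan_if"]:
        issues.append("failover LAN interface differs between units")
    if p["link_if"] != s["link_if"]:
        issues.append("state synchronization link differs between units")
    if p["key"] is not None and s["key"] is not None and p["key"] != s["key"]:
        issues.append("failover key mismatch; the units will not authenticate to each other")
    return issues


if __name__ == "__main__":
    for issue in check_pair(PRIMARY_CONFIG, SECONDARY_CONFIG) or ["pair is consistent"]:
        print("-", issue)
```

Running the same check with a unit's own config on both sides is a quick way to catch a secondary that was built by copying the primary's configuration without changing `failover lan unit primary` to `secondary`.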