The method described here covers only the absolutely necessary basic configuration of the firewall cluster. All further configuration of policies and firewall rules is then carried out only on the active cluster unit. For the initialisation of a firewall cluster in active/standby mode, the required steps can be grouped into the following chapters.

Check and update the firmware
  • Connect to the ASA via the console and then activate privilege level 15.
  • Read out the current version of the firmware and of the management software (ASDM) and check whether the installed versions on both firewalls (ASAs) are identical (show version).
  • If the two versions are not the same, you have to update both to the same version or, better still, upgrade both firewalls to the latest firmware.
  • Finally, all firmware images that are no longer needed should be erased from flash via the CLI (delete flash:/asa"x.y.z"-k8.bin and delete flash:/asdm-"x.y.z".bin, where "x.y.z" stands for the old version).
Basic installation of the future primary cluster unit
  • To make sure that no old configuration fragments from previous tests remain, I reset all settings to the factory state.
    conf t
    configure factory-default
    exit
  • Save the new configuration
    write memory
  • After saving the configuration, I reboot. Now I don't have to worry about old configuration lines.
    reload
  • After resetting to the factory defaults, a basic configuration must of course be stored again. Fortunately, the basic configuration only has to be stored on the future primary cluster unit, so the following steps are only necessary for the primary unit; I will describe how to configure the standby unit later. For example, no DHCP service should be active on the management interface. Our own DNS domain and a consistent host name should also be set, and it should be possible to manage the cluster via HTTP and SSH later.
    conf t
    no dhcpd address 192.168.1.2-192.168.1.254 management
    no dhcpd enable management
    no http 192.168.1.0 255.255.255.0 management
    hostname golem
    domain-name je-ru.de
    interface Management0/0
    ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
    no shut
    http 10.10.10.0 255.255.255.0 management
    exit
  • Since I don't want everyone to be able to read my passwords, I activate password encryption. Everyone knows Cisco's default passwords, so I quickly change them too.
    conf t
    password encryption aes
    enable password "verdammt_streng-geheim"
    password "streng-geheim"
    exit
  • Before I lock myself out, I quickly create a personal account for the administrator.
    conf t
    username meiner password "mein-passwort" privilege 15
    exit
  • Since I don't want to use the certificates supplied by Cisco, I have to erase them and create new ones. But in order not to fall into the next trap, I will first quickly set the current time.
    conf t
    clock set 14:31:00 20 April 2018
    crypto key zeroize rsa
    crypto key generate rsa label "golem" modulus 2048
    exit
  • For SSH access I only allow version 2, set the inactivity timeout to 5 minutes and also allow file transfer via secure copy (scp).
    conf t
    ssh scopy enable
    ssh timeout 5
    ssh version 2
    ssh 10.10.10.0 255.255.255.0 management
    exit
  • Next come the AAA parameters: authenticate SSH and HTTP logins against the local user database, lock the account after 2 failed login attempts, require TLS for HTTP authentication, limit the number of concurrent proxy connections from the same source IP to 3, and set the maximum time an authentication is cached (uauth) to 1 second.
    conf t
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 2
    aaa authentication secure-http-client
    aaa proxy-limit 3
    timeout uauth 0:0:1
    exit
  • Now I only need to configure the failover role of the primary unit, the failover link and the interface monitoring.
    conf t
    failover lan unit primary
    interface GigabitEthernet0/3
    no shutdown
    failover lan interface SYNC GigabitEthernet0/3
    failover interface ip SYNC 10.10.20.1 255.255.255.252 standby 10.10.20.2
    failover key "sehr-lang"
    failover link SYNC
    monitor-interface WAN
    monitor-interface DMZ
    monitor-interface LAN
    failover interface-policy 50%
    end
  • Almost finished: to complete the primary unit, quickly save the current configuration, including the authentication, authorisation and accounting parameters.
    write memory
Basic installation of the later standby cluster unit
  • To make sure that no configuration fragments from previous tests remain, I reset all settings to the factory state.
    conf t
    configure factory-default
    exit
  • Save the new configuration
    write memory
  • After saving the configuration, I reboot. Now I don't have to worry about old configuration lines.
    reload
  • After resetting to the factory defaults, a basic configuration must of course be stored again. For example, no DHCP service should be active on the management interface, and the default HTTP access should be removed.
    conf t
    no dhcpd address 192.168.1.2-192.168.1.254 management
    no dhcpd enable management
    no http 192.168.1.0 255.255.255.0 management
    exit
  • Since I don't want to use the certificates supplied by Cisco, I have to erase them and create new ones. But in order not to fall into the next trap, I will first quickly set the current time.
    conf t
    clock set 14:31:00 20 April 2018
    crypto key zeroize rsa
    crypto key generate rsa label "golem" modulus 2048
    exit
  • Now I only need to configure the failover role of the secondary unit, the failover link and the interface monitoring; apart from the unit role, the commands are identical to those on the primary unit.
    conf t
    failover lan unit secondary
    interface GigabitEthernet0/3
    no shutdown
    failover lan interface SYNC GigabitEthernet0/3
    failover interface ip SYNC 10.10.20.1 255.255.255.252 standby 10.10.20.2
    failover key "sehr-lang"
    failover link SYNC
    monitor-interface WAN
    monitor-interface DMZ
    monitor-interface LAN
    failover interface-policy 50%
    end
  • Finally, save the current configuration of the standby unit.
    write memory
Activate permanent synchronisation between the cluster units
  • Finally, permanent synchronisation of the configuration has to be activated on the standby unit. Attention: certificates are not synchronised between the two cluster units.
    conf t
    failover
    end
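As an added check (example code, not from the original post): a short Python script that compares the failover bootstrap of both units, using sample configs constructed from the commands above, and reports what would keep the pair from forming a cluster: both units set to the same role, a failover key, interface or IP line that differs, or a different set of monitored interfaces. It assumes the running configuration of each unit has been exported as plain text.

```python
# Constructed sample configs built from the commands in this post; not captured
# from a real device (the failover key appears in clear text only as a sample).
PRIMARY_CFG = """\
failover lan unit primary
failover lan interface SYNC GigabitEthernet0/3
failover interface ip SYNC 10.10.20.1 255.255.255.252 standby 10.10.20.2
failover key sehr-lang
failover link SYNC
monitor-interface WAN
monitor-interface DMZ
monitor-interface LAN
failover interface-policy 50%
"""
SECONDARY_CFG = """\
failover lan unit secondary
failover lan interface SYNC GigabitEthernet0/3
failover interface ip SYNC 10.10.20.1 255.255.255.252 standby 10.10.20.2
failover key sehr-lang
failover link SYNC
monitor-interface WAN
monitor-interface DMZ
monitor-interface LAN
failover interface-policy 50%
"""

# Bootstrap lines that must be identical on both units (only the unit role differs).
MUST_MATCH = ("failover lan interface", "failover interface ip",
              "failover key", "failover link", "failover interface-policy")

def parse(cfg):
    """Extract the unit role, the shared bootstrap lines and the monitored interfaces."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    unit = next((l.split()[-1] for l in lines if l.startswith("failover lan unit")), None)
    shared = {l for l in lines if l.startswith(MUST_MATCH)}
    monitored = {l.split()[-1] for l in lines if l.startswith("monitor-interface ")}
    return unit, shared, monitored

def check_failover_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the bootstrap is consistent."""
    findings = []
    p_unit, p_shared, p_mon = parse(primary_cfg)
    s_unit, s_shared, s_mon = parse(secondary_cfg)
    if {p_unit, s_unit} != {"primary", "secondary"}:
        findings.append(f"unit roles are {p_unit}/{s_unit}, expected one primary and one secondary")
    for line in sorted(p_shared ^ s_shared):
        findings.append(f"bootstrap line present on only one unit: {line}")
    if p_mon != s_mon:
        findings.append(f"monitored interfaces differ: {sorted(p_mon ^ s_mon)}")
    return findings
```

Run check_failover_pair on the two exported running configs before issuing the final failover command; an empty list means the bootstrap matches.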