Summary:
Step 1. Configure the HA
Step 2. Change the firewall mode
Step 3. Create admin context
Step 4. Create channel groups
Step 5. Create a context firewall
Step 6. Configure the context firewall

Details:

Step 1. Configure the HA

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover replication http
failover link failover GigabitEthernet0/7 ------------------------------------! We are using g0/7 as the HA (failover) interface
failover interface ip failover 172.12.12.1 255.255.255.252 standby 172.12.12.2

Step 2. Change the firewall mode

mode multiple

- This requires a reboot
- An admin context is created automatically after the reboot

Step 3. Create the admin context

context admin
allocate-interface Management0/0
Step 4. Create channel groups

changeto system

interface gig0/0
channel-group 1 mode active
interface gig0/1
channel-group 1 mode active

Step 5. Create context firewalls (in this case, I create two sub-interfaces off Port-channel 1 and assign both of them to a single context firewall)

changeto system
interface Port-channel1.720
vlan 720
interface Port-channel1.726
vlan 726
context ABC001-vFW
description ABC001-vFW
allocate-interface Port-channel1.720
allocate-interface Port-channel1.726

Step 6. Configure the context firewall

changeto context ABC001-vFW

enable password XXXXXXXX level 15
username admin password XXXXXXXX privilege 15

interface Port-channel1.720
ip address 24.41.49.242 255.255.255.248 standby 24.41.49.243
nameif outside
security-level 0

interface Port-channel1.726
ip address 27.153.192.18 255.255.255.240 standby 27.153.192.19
nameif dmz
security-level 50
route outside 0.0.0.0 0.0.0.0 24.141.49.246 1 ------------------------------! Default route

ssh 123.123.123.1 255.255.255.0 outside --------------------------------------! Allow SSH access
ssh 123.123.123.2 255.255.255.0 outside
crypto key generate rsa ------------------------------------------------------! Generate the RSA key pair used by SSH
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh timeout 60

http server enable -----------------------------------------------------------! Allow HTTP access
http server idle-timeout 30
http 123.123.123.1 255.255.255.0 outside
http 123.123.123.2 255.255.255.0 outside
logging enable ---------------------------------------------------------------! Enable logging
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor errors
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging host outside 111.111.11.11 -------------------------------------------! Syslog server
logging permit-hostdown

access-list outside_access_in extended permit udp host 123.123.123.1 host 123.123.123.2 eq domain ---! ACL
access-group outside_access_in in interface outside ----------------------------------------------------! Access-group
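An added check, not part of the original notes: a small Python audit of the Step 6 context configuration (the sample below is constructed from those lines) that flags a default-route gateway that does not sit inside any connected interface subnet, and ssh/http source entries whose mask is non-contiguous or wider than a single host (the ASA ANDs the address with the mask, so 123.123.123.1 255.255.255.0 actually admits the whole /24).

```python
import ipaddress
import re

# Constructed sample input, taken from the context configuration in Step 6
# (the route and management-access lines are the ones the audit should catch).
CONTEXT_CONFIG = """
interface Port-channel1.720
 ip address 24.41.49.242 255.255.255.248 standby 24.41.49.243
 nameif outside
interface Port-channel1.726
 ip address 27.153.192.18 255.255.255.240 standby 27.153.192.19
 nameif dmz
route outside 0.0.0.0 0.0.0.0 24.141.49.246 1
ssh 123.123.123.1 255.255.255.0 outside
http 123.123.123.1 255.255.1.0 outside
http 123.123.123.2 255.255.255.0 outside
"""

def valid_mask(mask):
    """True only for a contiguous netmask (all ones followed by all zeros)."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def audit(config):
    """Return human-readable findings for an ASA context configuration."""
    findings = []
    connected = {}      # nameif -> connected IPv4Network
    pending = None      # 'ip address' seen, waiting for its 'nameif'
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)", line):
            pending = ipaddress.IPv4Network((m[1], m[2]), strict=False)
        elif (m := re.match(r"nameif (\S+)", line)) and pending:
            connected[m[1]] = pending
            pending = None
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            net = connected.get(m[1])
            if net is None or ipaddress.IPv4Address(m[2]) not in net:
                findings.append(f"route: gateway {m[2]} is not on the {m[1]} subnet {net}")
        elif m := re.match(r"(ssh|http) (\d[\d.]*) (\S+) (\S+)", line):
            proto, host, mask, ifname = m.groups()
            if not valid_mask(mask):
                findings.append(f"{proto}: mask {mask} is not contiguous, the ASA rejects it")
                continue
            net = ipaddress.IPv4Network((host, mask), strict=False)
            if net.prefixlen < 32:
                findings.append(f"{proto}: {host} {mask} admits all of {net} on {ifname}, not one host")
    return findings
```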