
Clustering Individual Interface Mode

A master unit still exists, but every ASA has its own IP address assigned to it.
This requires a router on either side running a routing protocol, because that router forms a neighborship with all the firewalls.
In individual interface mode, load balancing is done by ECMP (equal-cost multipath) routing. This mode is not preferred because of its high convergence time and the high utilization of the ASA.
Remember: in spanned mode, load balancing was done by the switch using a port channel.
We still do all the configuration on the master, but the method varies: we do not configure any port channel, and instead put the individual switch interfaces in their respective VLANs.

1) Configure the switch to provide basic connectivity.
2) On both ASAs, bring the interface up and specify the interface mode.
3) Configure the cluster group and make ASA 1 the primary.
4) Create a pool of IP addresses that will be assigned on the inside and outside.

2) On both ASAs, bring the interface up and specify the interface mode

ASA 1

!1. Bring the interface up

interface gi 0/0
no shut

!2. Set the cluster mode

cluster interface-mode individual force

3) Configure the cluster group and make ASA 1 the primary

!3. Configure the cluster group.

cluster group MYLAB
local-unit PRIMARY
cluster-interface gig 0/0 ip 10.100.100.1 255.255.255.0
priority 1
key cisco123
enable noconfirm

ASA 2

!1. Bring the interface up

interface gi 0/0
no shut

!2. Set the cluster mode

cluster interface-mode individual force

!3. Configure the cluster group.

cluster group MYLAB
local-unit SECONDARY
cluster-interface gig 0/0 ip 10.100.100.2 255.255.255.0
priority 10
key cisco123
enable noconfirm

#show cluster info

4) Create a pool of IP addresses that will be assigned on the inside and outside

We will create a pool of IP addresses that is assigned on the inside and outside.

a) To configure the IP addresses on all the interfaces, you need to create a pool.

For outside
---------------------
ip local pool OUTSIDE 192.1.20.11-192.1.20.15
ip local pool INSIDE 10.11.11.11-10.11.11.15
!
interface gi 0/3
nameif outside
security-level 0
no shut
ip address 192.1.20.10 255.255.255.0 cluster-pool OUTSIDE

Every outside interface (gi 0/3) gets its IP address from this pool (OUTSIDE).

For inside
---------------------

interface gi 0/1
nameif inside
security-level 100
no shut
ip address 10.11.11.10 255.255.255.0 cluster-pool INSIDE

#show cluster info
#show interface ip brief -> all the interfaces should now automatically have an IP address
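
An offline sanity check for the pool definitions in step 4, added here as an example and not part of the original lab. It assumes the usual cluster-pool requirements (at least one pool address per unit, pool in the same subnet as the main cluster IP, main cluster IP outside the pool); the function name `check_cluster_pools` and the embedded sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the pool and interface lines used in this lab.
SAMPLE = """\
ip local pool OUTSIDE 192.1.20.11-192.1.20.15
ip local pool INSIDE 10.11.11.11-10.11.11.15
interface gi 0/3
 ip address 192.1.20.10 255.255.255.0 cluster-pool OUTSIDE
interface gi 0/1
 ip address 10.11.11.10 255.255.255.0 cluster-pool INSIDE
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+) cluster-pool (\S+)", re.M)

def check_cluster_pools(config, units):
    """Hypothetical helper: return a list of findings, empty when the config is clean."""
    findings = []
    pools = {}
    for name, first, last in POOL_RE.findall(config):
        try:
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        except ValueError:
            # Catches a range whose start or end is not written as a full address.
            findings.append(f"pool {name}: range {first}-{last} is not two full IPv4 addresses")
    for main, mask, name in ADDR_RE.findall(config):
        if name not in pools:
            findings.append(f"cluster-pool {name}: no usable 'ip local pool' definition")
            continue
        first, last = pools[name]
        net = ipaddress.IPv4Network(f"{main}/{mask}", strict=False)
        main_ip = ipaddress.IPv4Address(main)
        if first > last or int(last) - int(first) + 1 < units:
            findings.append(f"pool {name}: fewer than {units} addresses")
        if first not in net or last not in net:
            findings.append(f"pool {name}: not inside {net}")
        if first <= main_ip <= last:
            findings.append(f"pool {name}: contains the main cluster IP {main}")
    return findings

if __name__ == "__main__":
    print(check_cluster_pools(SAMPLE, units=2) or "cluster pools look consistent")
```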
​
​
On master
------------------

router eigrp 100
no auto
network 192.1.20.0
network 10.11.11.0

object network pool1
range 192.1.20.51 192.1.20.100
exit

object network INS_NET
subnet 10.11.11.0 255.255.255.0
nat (inside,outside) dynamic pool1

R1

int lo 0
ip address 1.1.1.1 255.255.255.0
no shut

router eigrp 100
no auto
network 10.11.11.0
network 1.1.1.0

line vty 0 4
password cisco
login

R2

int lo 0
ip address 2.2.2.2 255.255.255.0
no shut

router eigrp 100
no auto
network 192.1.20.0
net 2.2.2.0

line vty 0 4
password cisco
login

Telnet from inside to outside:

R1# telnet 2.2.2.2 /sou lo0