Update ASA Firmware in Failover

Upload the ASA image and ASDM to BOTH active and Standby units.

On the Primary, set it as the Boot Image and ASDM Active image.
On the Secondary just transfer the file over.

Reboot the Standby Unit
failover reload-standby

Once the secondary firewall is ready, it should show Standby-Ready

Make your Primary Firewall the standby
no failover active

Now you can reboot the primary firewall, which is now the standby firewall.
If you are SSHed in, you would then again issue
failover reload-standby

If you are consoled in to the primary firewall, then just run
reload

Once it's been rebooted, and the primary firewall is showing as Standby-Ready
On the Console of the primary, run this
failover active

Setup Cisco ASA in Active / Standby Fail-over

You will need a Crossover cable to connect the two firewalls together.

Start with the First Firewall Unit.

Clear the Config for the Failover Interface

clear configure interface m0/0
int m0/0
no shut

Set the Interface for Fail-over
failover lan interface failover m0/0

Setup IP address for the Fail-over Interface
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250

Create Standby IP address for EVERY SINGLE Interface you have now, or add later

interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254

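Create and set up the shared key for failover (123456 is only a placeholder; use a long random value, because this key is what authenticates and encrypts the traffic on the failover link)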
failover key 123456

Define this firewall as the Primary
failover lan unit primary

Activate Failover Feature
failover

Turn on Stateful Failover

failover link failover M0/0

Save Config
write mem

Now work on the second firewall (standby)

Go ahead and connect the two together for the failover connection

Clear config for the failover interface

clear configure interface m0/0
interface m0/0
no shut

Set the Interface for Fail-over
failover lan interface failover m0/0

Setup IP address for the Fail-over Interface
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250

Set the shared Key for Failover (Same as the one you created before)
failover key 123456

Define this firewall as the secondary unit
failover lan unit secondary

Activate Failover Feature
failover

To check things out
show failover

You can connect to the Primary ASA and adjust the Timeouts if you wish

failover polltime 1 holdtime 3
failover polltime interface 3
int m0/0
failover polltime interface 3

When you save your config, the changes will be replicated to the standby unit.
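
An added example, not from the original post: a small Python check that audits one unit's ASA failover config for the two points stressed above, a standby address on every addressed interface and a failover key. The sample config, the Ethernet0/1 address and the 16-character minimum key length are assumptions made for the illustration.

```python
import re

# Constructed sample (not from a real device): primary-unit config as typed,
# following the commands above. Ethernet0/1 is added here without a standby IP.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
interface Ethernet0/1
 ip address 203.0.113.2 255.255.255.0
interface Management0/0
 no ip address
failover
failover lan unit primary
failover lan interface failover Management0/0
failover key 123456
failover link failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
"""

MIN_KEY_LEN = 16  # assumed local policy, not a Cisco requirement

def audit_failover(config: str) -> list[str]:
    """Return findings for one ASA unit's active/standby failover config."""
    findings = []
    # Each interface block is a header line plus its indented sub-commands.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.groups()
        ip = re.search(r"^[ \t]+ip address \d\S* \d\S*(?: standby (\S+))?", body, re.M)
        if ip and ip.group(1) is None:
            findings.append(f"{name}: ip address has no standby address")
    if not re.search(r"^failover[ \t]*$", config, re.M):
        findings.append("failover is not enabled")
    if not re.search(r"^failover lan unit (primary|secondary)[ \t]*$", config, re.M):
        findings.append("failover lan unit is not set")
    key = re.search(r"^failover key (\S+)", config, re.M)
    if key is None:
        findings.append("no failover key: failover link traffic is clear text")
    elif key.group(1) != "*****":  # a running-config shows the key masked
        if len(key.group(1)) < MIN_KEY_LEN or key.group(1).isdigit():
            findings.append("failover key is short or digits only")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG):
        print(finding)
```

Run it against the config text you are about to paste in, since a saved running-config shows the key masked and the key check is then skipped.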

Cisco OSPF routing

Create an OSPF process ID, then add the networks you are connected to and want used for routing detection (inside network, tunnel network, etc.), using a wildcard mask.


router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.3 area 0

Cisco 1921 Dual ISP config


Basic configuration for setting up the Dual ISP on cisco Routers


hostname Router 
!

ip cef

!####Establish sla monitors for use in tracking objects####!

ip sla monitor 1
  type echo protocol ipIcmpEcho 12.34.45.1
  threshold 3 
  frequency 5

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2 
  type echo protocol ipIcmpEcho 23.45.67.1
  threshold 3 
  frequency 5

ip sla monitor schedule 2 life forever start-time now

!

!####Configure Tracking objects (referencing IP SLA monitors above)####!

track 101 rtr 1 reachability
! 
track 102 rtr 2 reachability 
! 
! 
! 
! 
!####Configure Interfaces with NAT####!

interface FastEthernet0 
  ip address 192.168.1.254 255.255.255.0
  ip nat inside 
! 
interface s0/0 
  ip address 12.34.45.2 255.255.255.0 
  ip nat outside 
! 
interface s0/1 
  ip address 23.45.67.2 255.255.255.0 
  ip nat outside 
! 
ip classless

!####Configure gateway of last resort with tracking objects####! 
ip route 0.0.0.0 0.0.0.0 12.34.45.1 track 101 
ip route 0.0.0.0 0.0.0.0 23.45.67.1 track 102

!####Configure NAT statements for most outbound traffic####! 
ip nat inside source route-map ISP1 interface s0/0 overload 
ip nat inside source route-map ISP2 interface s0/1 overload

!####Configure NAT statements for your mail server####! 
!(remember to setup dns for mail on both public IP addresses)!

ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable 
ip nat inside source static tcp 192.168.1.10 25 23.45.67.2 25 route-map ISP2 extendable 
! 
! 
access-list 10 permit 192.168.1.0 0.0.0.255 
! 
!####Configure route maps for reference in NAT statements####!

route-map ISP2 permit 10 
  match ip address 10 
  match interface s0/1

! 
route-map ISP1 permit 10 
  match ip address 10 
  match interface s0/0 
!