Configuration for Cisco ASA Series
Overview
The Accelerated 6300-CX Cellular Extender provides a reliable, high-speed cellular connection that is compatible with existing wireline infrastructure. While its 4G LTE speeds are capable of operating as a primary WAN uplink, the 6300-CX can also be configured as a backup. This network redundancy solution delivers the ultimate flexibility to minimize expenses when it comes time for upgrading equipment to the latest wireless standards.
Business continuity depends on the seamless integration of failover-connectivity solutions to prevent service interruptions. Now more than ever, contingency networks play a strategic role in sustaining business operations. Unplanned outages can cost companies significant time and money, frustrating employees and clients alike, which creates a negative perception that is difficult to overcome.
Cellular data (4G LTE) bypasses wireline Internet service providers (ISPs) to facilitate the best redundancy possible. Additionally, in some situations it may be a challenge to acquire access to wired circuits or an event may call for temporary online access. Accelerated Concepts extensively tests the 6300-CX Cellular Extender to ensure its interoperability with a wide variety of security appliances, including equipment produced by Fortinet, to best accommodate enterprise networks. Pairing the Accelerated 6300-CX with a dedicated firewall offers comprehensive security and flexibility for small business, retail, government, remote sites, and branch offices.
Cisco’s Adaptive Security Appliance (ASA) series is a threat-focused line of next-generation firewalls (NGFWs) designed for multilayered network protection. The latest ASA hardware is capable of integrating its proven security capabilities with Cisco’s FirePOWER service that bolsters the device’s readiness to defend against advanced and zero-day attacks. This next-generation intrusion prevention system (NGIPS) incorporates comprehensive access and application control, threat prevention, routing policies, and contextual network awareness all under a single security appliance, a solution that was previously achieved by pairing an ASA firewall with a separate module dedicated to FirePOWER functionality.
For additional information, please refer to Cisco’s ASA 5500 Series Configuration Guide.
Interoperability Matrix
This section covers interoperability information of the hardware tested for this solution. It includes the firmware versions of both devices as well as the date of testing.
| Date | ASA Firmware | ASDM Version | 6300-CX Firmware |
|---|---|---|---|
| 12/2016 | 9.6(1) | 7.6(1) | 16.11.142 |
Caveats
The delivery of wireless services varies depending on the carrier and may lead to differences in the area of coverage, type of service (3G, 4G, LTE, etc.), available bandwidth, and IP address designation (Private or Public) among other factors. The interoperability test designed for this solution guide included LTE service, maximum coverage availability, and a public IP address assigned to each device.
Using the 6300-CX as a secondary connection assumes that a WAN Ethernet cable is plugged into the port configured for the primary uplink on the ASA device. Connect the 6300-CX’s backup Ethernet cable to a port available for configuration as the secondary interface and proceed to the configuration described herein. (Compatible with all ASA series firewalls.)
Accelerated 6300-CX Cellular Extender Setup
Initial Setup
Affix both antennas to the router and insert an activated SIM card before deploying the device. Be sure to select a location with optimal signal strength. For detailed instruction, refer to the tables that follow. Subsequent sections will outline site selection, powering options, and other device functionality.
Site Survey
If you are unsure of the available cellular signal strength, or are choosing between several locations, please follow the instructions to identify the ideal installation site.
Remote Power Installation – Powering Option #1
The included Power-over-Ethernet (PoE) injector allows the device to be positioned away from power outlets to simplify its installation needs. The adaptor consolidates the DC power and Ethernet connections so that both can be run to the 6300-CX via a single Ethernet cable. Distances of 300 ft have been tested on CAT6 and 250 ft on CAT5e. Note that cable conditions and the number of splices will impact actual distance.
Direct Power Installation – Powering Option #2
If you plan to collocate the 6300-CX with the firewall device, you can directly power the 6300-CX without the PoE cable.
Understanding the 6300-CX LEDs
Once power has been established, your device will initialize and attempt to connect to the network. Device initialization may take 30-60 seconds. Indicator lights on the Wireless Strength Indicator show you the Cellular Network Signal Strength. The Network Status Light on the front left of the device displays connectivity information.
Please visit www.accelerated.com for additional information and troubleshooting tips.
Disable IP Passthrough on the Accelerated 6300-CX Cellular Extender
For failover configuration with a Cisco ASA firewall, the 6300-CX must be able to provide a static IP address to the secondary WAN interface (port). It cannot do so, however, until IP Passthrough is disabled on the Accelerated device. Reconfiguring the 6300-CX in this manner places the CX in “Router Mode.” The settings outlined below should be applied from the Configuration tab of Accelerated View™ although local administration is also possible if the need arises.
The step-by-step guidance provided below assumes that default configurations, most notably the stock IP subnets, are being leveraged on both the Accelerated 6300-CX and the Cisco ASA. These values can be altered as necessary to meet any preexisting network conditions; unless otherwise indicated, assume the 192.168.0.X subnet belongs to the 6300-CX and that the 192.168.1.X subnet is assigned to the ASA.
Please refer to the 6300-CX User Manual for an in-depth walkthrough of both remote and local administration.
NOTE: The MAC address is a 12-character code included on the 6300-CX’s bottom label.
NOTE: Devices sync with Accelerated View once a day by default; pending configuration updates will apply at this time.
ASA Configuration with the Accelerated 6300-CX
Failover Interface Settings
IP Policies and Static Routes serve as the foundation for how firewalls control and shape the flow of data through the networks they safeguard. Cisco ASA devices come preconfigured with security settings in place, though these routes and policies assume a traditional, single-WAN setup. The first Ethernet port, labeled “1,” is designated for the primary WAN uplink with the remaining ports relegated to LAN access. An interface must be configured for the secondary WAN uplink to establish failover functionality. More importantly, both uplink interfaces must be configured to use a static IP address.
NOTE: Device administration is best handled using the Cisco ASDM desktop application, which connects a computer to the firewall’s GUI without having to enable http server access. Initialize the ASDM-IDM Launcher and connect to the default gateway address provided by the ASA firewall: 192.168.1.1; the username and password are blank by default.
For an in-depth walkthrough of how to manage your ASA device via ASDM, please refer to Cisco’s Configuration Guide.
NOTE: If the primary Internet connection routes traffic using either the 192.168.1.X or 192.168.0.X subnet, an alternative subnet will need to be used for the ASA and 6300-CX respectively.
NOTE: Changes made to the ASA configuration via ASDM are inactive until the Apply button is clicked.
Static Routes and Tracking
The Cisco ASA device is ready for dual-WAN configuration once its two WAN connections are properly set (per the Failover Interface Settings guidance above). Any active interface must have a static route defined in order to authorize traffic over the network. The firewall can then leverage advanced prioritization options to further reinforce the failover redundancy provided by the 6300-CX’s backup LTE connection.
Failover itself is accomplished by the simultaneous application of interface metrics, which allows the network to establish a primary (the shorter/smaller metric) and secondary (the longer/larger metric) uplink, coupled with the tracking options configurable via static routes. With tracking enabled, the firewall actively verifies whether or not its primary WAN interface is online, and withdraws the primary default route when the tracked target stops responding.
For an in-depth walkthrough of how to manage your ASA device via ASDM, please refer to Cisco’s Configuration Guide.
NOTE: Please refer to Cisco’s guidance on how to perform a configuration backup if there is concern over being able to recreate any policies or routes.
NOTE: Set the Number of Packets to 3 unless otherwise specified.
NAT Rules
The Cisco ASA comes with a default NAT rule for its primary interface to ensure the proper flow of traffic as packets travel across static routes. Once configured for two WAN interfaces, a second NAT rule should be defined for the failover connection. Note that any additional preexisting rules will need to be recreated for the secondary interface to maintain security continuity during failover.
For an in-depth walkthrough of how to manage your ASA device via ASDM, please refer to Cisco’s Configuration Guide.
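The interface, tracking, static-route and NAT steps above, expressed as the equivalent ASA CLI that ASDM produces; this is an added example, not configuration from the guide or from Cisco. The port names, the 203.0.113.x primary ISP addressing, the 198.51.100.1 probe target and the 192.168.0.1 6300-CX gateway are assumed values for illustration.

```text
! Added example: ASA CLI equivalent of the ASDM steps above; not from the guide.
! Assumed/constructed values: Gi1/1 and Gi1/2 as the WAN ports, 203.0.113.2/24
! as the primary ISP address (gateway 203.0.113.1), 192.168.0.1 as the 6300-CX
! gateway in Router Mode, and 198.51.100.1 as the tracked reachability target.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet1/2
 nameif backup
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
! Tracking: ICMP echo probes (3 packets per probe, every 10 s) are sent out the
! primary interface only; "track 1" goes down when the target stops answering.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Default routes: metric 1 via the primary ISP, removed while track 1 is down;
! the metric-254 route via the 6300-CX then takes over and is preempted again
! on failback once the tracked target answers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.0.1 254
!
! NAT: one dynamic PAT rule per WAN interface so inside hosts keep translating
! after failover; any other outside-facing rule needs a backup twin as well.
object network INSIDE-ANY-PRIMARY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network INSIDE-ANY-BACKUP
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup) dynamic interface
```

`show track 1` and `show route` report which default route is currently installed; the route shown as DEFAULT in ASDM's monitoring view is that installed route.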
DHCP and DNS Configuration
To ensure seamless failover, specify DHCP and DNS settings on the internal (inside) interface so that clients receive the same settings regardless of whether the primary or failover WAN is carrying their traffic.
NOTE: Changes made to the ASA configuration via ASDM are inactive until the Apply button is clicked.
Verification/Monitoring
Cisco ASDM provides real-time monitoring of traffic flowing through ASA devices. After completing the Accelerated 6300-CX configuration to establish backup connectivity, route monitoring can confirm that both the failover and failback mechanisms are functioning as intended.
Look for the line currently selected as the DEFAULT. This will change from the primary to secondary interface as soon as the failover condition is triggered (per the tracking parameters established during static route configuration), and revert back to primary once the connection is reestablished.
For an in-depth walkthrough of how to manage your ASA device via ASDM, please refer to Cisco’s Configuration Guide.
NOTE: Changes made to the ASA configuration via ASDM are inactive until the Apply button is clicked.