
# Working with ASA OS

🧭 This practical part covers the firewalls <kbd>DC-ASA01</kbd> and <kbd>DC-ASA02</kbd>, located inside the `172.16.2.0/24` network at the Data Center site. We need to build a fault-tolerant (HA) pair from these firewalls, configure their network settings, and set up management access with the ASDM utility.

1. 🔧 Assign the role on <kbd>DC-ASA01</kbd>:

```
failover
failover lan unit primary
```

2. 🔧 Configure the synchronization interface on <kbd>DC-ASA01</kbd>:

```
interface GigabitEthernet0/6
  description FAILOVER_AND_STATE
  no shutdown
!
failover lan interface HA_SYNC GigabitEthernet0/6
failover link HA_SYNC GigabitEthernet0/6
```

3. 🔧 Configure addressing on the synchronization interface of <kbd>DC-ASA01</kbd>:

```
failover interface ip HA_SYNC 192.168.255.1 255.255.255.0 standby 192.168.255.2
```

4. 🔧 Configure the data interfaces on <kbd>DC-ASA01</kbd>:

```
interface GigabitEthernet0/0
  nameif INSIDE
  security-level 100
  ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
!
interface GigabitEthernet0/1
  nameif OUTSIDE
  security-level 0
  ip address 198.51.100.101 255.255.255.0 standby 198.51.100.102
!
```

5. 🔧 Configure the second device, <kbd>DC-ASA02</kbd>, in the HA pair:

```
failover
failover lan unit secondary
```

6. 🔧 Enable the synchronization interface on <kbd>DC-ASA02</kbd>:

```
interface GigabitEthernet0/6
  description FAILOVER_AND_STATE
  no shutdown
!
failover lan interface HA_SYNC GigabitEthernet0/6
failover link HA_SYNC GigabitEthernet0/6
!
failover interface ip HA_SYNC 192.168.255.1 255.255.255.0 standby 192.168.255.2
```

7. 🔎 To display the current status of the HA pair:

```
show failover
```

8. 🔧 For a convenient hostname display in the CLI, apply on <kbd>DC-ASA01</kbd>:

```
prompt hostname priority state
```

9. 🔧 Configure SSH and HTTP access for ASDM:

```
http server enable
http 172.16.2.0 255.255.255.0 INSIDE
ssh 172.16.2.0 255.255.255.0 INSIDE
```

10. 🔧 Create user accounts on the HA pair `DC-ASA01/02`:

```
username admin password Pa$$w0rd privilege 15
!
aaa authentication ssh console LOCAL
!
aaa authentication http console LOCAL
```

11. 🔧 Create translation rules using `Object NAT` on the HA pair `DC-ASA01/02`:

```
object network INSIDE_NET
  subnet 172.16.2.0 255.255.255.0
  description DC_NETWORK_172.16.2.0s24
  nat (INSIDE,OUTSIDE) dynamic interface
```

12. 🔧 Create static routes on the HA pair `DC-ASA01/02`:

```
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1 1
```

🔧 Publish DC-TACACS to the outside world on TCP/8443 (the real port 8008 is translated to 8443 on the OUTSIDE interface):

```
object network DC-TACACS
 host 172.16.2.20
!
object service TCP_SRC_8008
 service tcp source eq 8008
!
object service TCP_SRC_8443
 service tcp source eq 8443
!
nat (INSIDE,OUTSIDE) source static DC-TACACS interface service TCP_SRC_8008 TCP_SRC_8443
```

🔧 Create access rules on the HA pair `DC-ASA01/02`:

```
object service TCP_DST_8008
  service tcp destination eq 8008
!
access-list TO_OUTSIDE extended permit object TCP_DST_8008 any object DC-TACACS log
!
access-group TO_OUTSIDE in interface OUTSIDE
```

❕ Permit traffic between interfaces with the same security level:

```
same-security-traffic permit inter-interface
```

❕ Permit traffic entering and leaving the same interface:

```
same-security-traffic permit intra-interface
```
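Step 7 only shows the `show failover` command. As an added example (not part of the original page), the following Python script turns that output into a health check for the pair: it flags failover being Off, a down failover LAN interface, unit states other than one Active and one Standby Ready, and any monitored interface whose state is not Normal. The sample output is constructed to match this lab's addresses and interface names, not a real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show failover" output from DC-ASA01 (not a real capture).
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: HA_SYNC GigabitEthernet0/6 (up)
        This host: Primary - Active
                  Interface INSIDE (172.16.2.1): Normal (Monitored)
                  Interface OUTSIDE (198.51.100.101): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface INSIDE (172.16.2.2): Normal (Monitored)
                  Interface OUTSIDE (198.51.100.102): Normal (Monitored)
"""

@dataclass
class FailoverStatus:
    enabled: bool        # "Failover On" / "Failover Off"
    link_up: bool        # state of the failover LAN interface (HA_SYNC)
    this_host: str       # e.g. "Active", "Standby Ready", "Failed"
    other_host: str
    bad_interfaces: list = field(default_factory=list)

def parse_show_failover(text: str) -> FailoverStatus:
    """Pull the pair state out of raw 'show failover' text."""
    enabled = bool(re.search(r"^Failover On\b", text, re.M))
    link = re.search(r"^Failover LAN Interface: .*\((\w+)\)", text, re.M)
    this = re.search(r"This host: \w+ - (.+?)\s*$", text, re.M)
    other = re.search(r"Other host: \w+ - (.+?)\s*$", text, re.M)
    # Any monitored interface whose state is not "Normal" is worth an alert.
    bad = [f"{m[1]} ({m[2]}): {m[3]}" for m in
           re.finditer(r"Interface (\S+) \(([\d.]+)\): (?!Normal)(\S+)", text)]
    return FailoverStatus(enabled, bool(link) and link[1] == "up",
                          this[1] if this else "unknown",
                          other[1] if other else "unknown", bad)

def check_pair(status: FailoverStatus) -> list:
    """Return findings; an empty list means the HA pair is healthy."""
    findings = []
    if not status.enabled:
        findings.append("failover is Off: the unit is running alone")
    if not status.link_up:
        findings.append("failover LAN interface is not up")
    if {status.this_host, status.other_host} != {"Active", "Standby Ready"}:
        findings.append(f"unit states: {status.this_host} / {status.other_host}")
    findings += [f"interface not Normal: {i}" for i in status.bad_interfaces]
    return findings
```

Feed it the text of `show failover` collected from either unit; a non-empty list of findings is the condition to alert on.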
