07-08-2007 01:30 PM - edited 03-09-2019 06:20 PM
Hi
I just got two ASA5510-SEC-BUN-K9 and I'm wondering whether it is possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and a redundant pair of switches on both the inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in the Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
Thanks in advance
Zoran Milenkovic
07-08-2007 01:50 PM
Hello Zoran,
Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX; however, connectivity would still be the same with ASAs:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
The difference is that on ASA, you can only have LAN-based failover, hence you'll need to use one additional interface on both ASAs for the failover link. You can connect these two failover-link interfaces directly using a cross cable.
Apart from this, please refer to the following link on how to go about configuring LAN-based Active/Standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
Also make sure that both ASAs have the required hardware/software/license based on the following link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
Hope this helps.
Regards,
Vibhor.
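A minimal LAN-based Active/Standby configuration of the kind the reply above refers to, as an added example that is not part of the original post or of the linked Cisco guides. The interface assignments, interface names, IP addresses and the key placeholder are assumptions chosen for illustration.

```cisco
! ===== Primary unit =====
! Data interfaces: each carries an active address and a standby address.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
! Dedicated failover interface (assumed Ethernet0/3): no nameif or IP here,
! the failover commands below assign them.
interface Ethernet0/3
 no shutdown
failover lan unit primary
failover lan interface folink Ethernet0/3
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Optional: carry stateful failover on the same link.
failover link folink
! Shared secret that authenticates and encrypts failover traffic.
! Placeholder value: set the same key on both units.
failover key <shared-secret>
failover

! ===== Secondary unit =====
! Only the failover link is configured by hand; the rest of the
! configuration replicates from the active unit once the pair forms.
interface Ethernet0/3
 no shutdown
failover lan unit secondary
failover lan interface folink Ethernet0/3
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover key <shared-secret>
failover
```

Once both units are up, `show failover` on either ASA reports which unit is active and the monitored state of each interface.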
07-08-2007 03:51 PM
Hello Vibhor,
Thanks for the prompt reply! Unfortunately, I'm still confused about how I should configure the ASAs' interfaces!?
I have two ASAs with all needed licenses and 5 FE interfaces on each. One I will use for combined state/failover link, and that's OK. Then, first two interfaces I will use to connect each ASA with two redundant L2 switches in INSIDE zone, and the last two FE interfaces I will use to connect each ASA with two redundant L2 switches in OUTSIDE zone.
But, the question is how should I configure those interfaces?
AFAIK there is no chance to create a BVI or something similar on the ASA, is there? It would be nice to use a VLAN interface and those two pairs of interfaces as switchports, but it seems that's possible only on the 5505!? The other option might be to create a virtual IP for all those interfaces (like the virtual IP in HSRP), but I haven't seen that the ASA supports it either. So are there any suggestions?
TIA
Zoran