11-22-2007 08:20 AM - edited 03-11-2019 04:34 AM
Hello all
I set up an active/passive failover configuration on a pair of ASA5510 used as VPN concentrators and firewall. As they permit clientless SSL VPN, port 80 and 443 on the outside interface are open (80 just for the redirection to 443).
That works fine on the active unit.
But these ports shouldn't be open on the standby unit!!! If I connect to the standby unit (http://), I get redirected to https://, get the right certificate but then the following error:
"can not load file".
--> I don't think the standby unit should respond on any port on the outside interface.
Or do I understand something wrong here?
--> how to protect the Standby unit?
Greetings
Rufer
11-22-2007 09:49 AM
Hi Rufer
Although I have yet to try it, someone told me only yesterday that, as it should never be used, it really doesn't matter if you give the ASA a "duff" standby address - say for instance something out of an unused private range - rather than assigning it one of your free IP addresses from your outside range.
I was fairly surprised, but he was adamant that this does indeed work, is a good way to preserve your pool of outside addresses, and does not affect the functionality of the ASA with respect to its failover capability. I'd be interested to hear if it works for you, or if anyone has used this method.
HTH
Kev
11-22-2007 11:37 PM
Hello Kev
We don't use NAT at all, so I don't see a way to do this. The standby address has to be in the same subnet as the active address. If you have more detailed information, let me know.
Greetings
Rufer
11-23-2007 02:56 AM
Hi Rufer
So this has nothing to do with NAT, it is merely using a random/spurious private address (i.e. unroutable from the public sense) on your standby unit. As I mentioned, I've not tried it as I don't have an ASA FO pair handy to play with at this time, but I heard that it was possible to configure on the ASA something like:
ip address
Like you, I was always under the impression that the standby IP needed to be in the same subnet, so if you have attempted this and it came back with some error message to this effect, then I apologise as I have clearly been misled. I'm dropping the chap a quick email to find out if he was winding me up... :-S
[Edit: Have received a response which clarifies what he was saying. Unfortunately the method in fact only works on a PIX; the ASA will indeed complain vigorously. I don't know what else to suggest, except maybe perhaps you can request your ISP "deny ip any any" to your ASA standby address on their gateway router to afford you some protection?]
Thanks
Kev
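As an added illustration of the upstream filter Kev suggests (not part of the thread, and not something either poster posted): this is what a "deny ip any any to the standby address" filter could look like on a Cisco IOS gateway router, with the ISP permitting everything else. The addresses are constructed documentation-range values (RFC 5737), the interface name and ACL number are assumptions, and the active/standby pair is assumed to be 203.0.113.10 (active) and 203.0.113.11 (standby) on a /29.

```text
! Constructed example for an ISP-side Cisco IOS gateway router (assumption: IOS ACL syntax).
! 203.0.113.10 = ASA active outside address, 203.0.113.11 = ASA standby outside address.
! Placing the filter upstream means the standby unit's own listener is never reached,
! regardless of what the ASA itself allows on its outside interface.
ip access-list extended CUSTOMER-IN
 remark Block everything destined for the customer's standby firewall address
 deny   ip any host 203.0.113.11
 remark Everything else to the customer block passes (ISP policy, assumed)
 permit ip any 203.0.113.8 0.0.0.7
!
interface GigabitEthernet0/1
 description Link towards customer ASA pair (assumed interface)
 ip access-group CUSTOMER-IN in
```

The deny is placed before the permit because IOS ACLs are evaluated top-down with first match. Note that the filter also silences failover hellos only if they crossed this router, which they do not (failover traffic runs on the dedicated failover link between the two ASAs), so the ACL does not interfere with the pair's ability to detect a failure; after a failover the surviving unit takes over the active address 203.0.113.10, which remains permitted.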