Hi All, pardon me if this question is too easy for the firewall gurus out there. I need to integrate a second firewall for redundancy in my production environment to separate a customer network. All I know is the virtual IP for the pair of customer gateways (3845) running HSRP, and that the return traffic from the customer network is directed to a single IP a.b.c.d (from the transit network).

The single ASA in production has the outside interface configured with the IP a.b.c.d and has a static route to direct all traffic to the virtual IP. This interface is directly connected to one of the gateways.

Remember the customer network can only send traffic back on IP a.b.c.d.

The second GW interface on the transit network is not currently connected. Now what is the best way to introduce the second ASA without affecting production?

Thank you in advance.

mark.j.hodge Tue, 01/08/2008 - 07:24

First you need to check if your firewall is capable of running in a failover pair. You need to have a failover license, and a spare physical interface if you want stateful failover.

The second device needs to be identical hardware to support failover.

If, as you say the existing ASA is "directly connected to one of the gateways", then you will need to introduce a switch between them. In fact you should do this anyway as the HSRP will not help you if the gateway the ASA is connected to fails.

You then need to assign an IP address for the second ASA on each network the existing device is connected to; this will be a.b.c.e for the interface you have specified.

Physically connect the second ASA to all networks using the same ports, i.e. ethernet0 on ASA-1 connects to the same network as ethernet0 on ASA-2.

Connect the two ASAs together using the failover cable, making sure the primary end is connected to the live device.

Configure failover on the primary device; you should be able to use the wizard. This will include adding all the IP addresses.

Then comes the sweaty palms: turn on the second device. The config should sync through the failover cable, and you will have a redundant cluster.
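As an added illustration of the steps above (not configuration from the original post or the poster's environment), this is what the resulting Active/Standby configuration on the primary ASA could look like. Interface names, the failover-link subnet, the inside addresses, the /29 outside mask, `<HSRP-VIP>` and `<SHARED-SECRET>` are placeholders.

```cisco
! Added example: primary-unit config for an ASA Active/Standby pair.
! Placeholders: GigabitEthernet0/3 as the dedicated failover link,
! 10.255.255.0/30 for that link, /29 as the outside mask, and
! <HSRP-VIP> for the customer gateways' shared HSRP virtual address.
!
! Outside: a.b.c.d stays the active address (the only address the
! customer network will send return traffic to); a.b.c.e is the
! standby address the secondary unit holds while idle. On failover
! a.b.c.d and its MAC move to the newly active unit, so the customer
! side never needs to learn a second return address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.248 standby a.b.c.e
!
! Inside interface (illustrative addresses, not from the post).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated LAN-based failover link carrying config sync and, here,
! state replication too (the "spare physical interface" the answer
! mentions). It carries configuration and session state, so keep it
! off the production segments; it needs no nameif or IP of its own.
interface GigabitEthernet0/3
 description Failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticate and encrypt failover traffic between the two units.
failover key <SHARED-SECRET>
!
! Static route towards the gateways' HSRP virtual IP; once the switch
! is in place this follows whichever 3845 is HSRP-active.
route outside 0.0.0.0 0.0.0.0 <HSRP-VIP> 1
!
! Enable failover last, after the secondary is cabled and configured
! as "failover lan unit secondary" with the same failover interface,
! link and key; it then pulls this configuration over the link.
failover
```

Verify with `show failover` that the primary reports "Active" and the secondary "Standby Ready" before relying on the pair.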

