ASA 5520 dual security contexts

Jul 9th, 2008

Hi.

I have 2 ISP links and 2 ASA 5520 firewalls.

I would like each firewall to provide redundancy for the other.

My thought is to create 2 security contexts on each firewall, one for ISP 1 and one for ISP 2.

Firewall 1 would be active for the ISP 1 context and passive for the ISP 2 context, and firewall 2 would be active for the ISP 2 context and passive for the ISP 1 context.

Is this possible?

Am I making this too complicated possibly?

If anyone has any advice or good articles, please feel free to comment.

dhananjoy chowdhury Wed, 07/09/2008 - 23:56

Hi,

First of all, this setup seems to be a bit complicated.


And most important, please note down your business requirements (current & future).

Because if you configure the ASA boxes in context mode, it won't support features like VPN, dynamic routing protocols, etc.

mikedelafield Tue, 07/15/2008 - 00:27

We have 2 ISP links, on different ranges, which are redundant for each other.

However, I only have 2 firewalls, with one in use on each ISP link.

In this case I have a single point of failure on either link, so I was looking to create 2 contexts on each firewall, acting as Active/Passive for each other.

I cannot think of another way of doing this other than purchasing additional ASAs.

dhananjoy chowdhury Tue, 07/15/2008 - 09:12

Hi,

Configuring Active/Passive (Standby) failover with Dual ISP configuration for Internet Links may suffice for your requirement. Contexts are not required, so you will have the VPN and dynamic routing protocol features also.


For configuring dual ISPs, the steps are here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


And for configuring Active/Standby:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml



Hope this helps.
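
The approach suggested in the reply above (single-context Active/Standby failover plus a tracked dual-ISP default route), sketched as an added example that is not part of the original thread or the linked Cisco documents. All addresses, interface assignments, the `folink` name and the failover key are constructed placeholders; NAT and access rules are omitted.

```cisco
! Constructed example for the primary unit. Addresses use documentation ranges.
! Each data interface carries an active and a standby IP so either unit can own it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dual ISP: probe the ISP 1 gateway and tie the primary default route to it.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! The tracked route is withdrawn when the probe fails; the metric-254
! route through ISP 2 then becomes the default.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Active/Standby failover over a dedicated link between the two ASAs.
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret that authenticates and encrypts failover traffic (placeholder).
failover key <shared-secret>
failover
```

The second ASA takes the same failover commands with `failover lan unit secondary` and the same key, and both ISP hand-offs must reach both units (for example through a switch) so the standby unit can take over either link.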

