ASA standby ip address

Unanswered Question
Sep 2nd, 2008

is it necessary to put standby ip address on a Active/Standby scenario? What is the different with or without standby ip address?

Below is my config on Active/Standby ASA and i did not apply standby ip on the interfaces ...

so, basically i just use simple layer-3 address assignment on the interface.

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.10.1.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.10 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.35.1.1 255.255.255.0

!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marwan ALshawi Tue, 09/02/2008 - 18:23

Hi Gerard

first of all,

Active/Standby Failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for a transparent firewall, the management IP address) and MAC addresses of the failed unit and begins to pass traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network

based on the above detail the answer to you Question is:

** configure the active and standby IP addresses for each data interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address**

and the following link will be a good refrence to use

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

good luck

If helpful Rate

Actions

This Discussion