ASA, Three Interfaces in Failover

Answered Question
Sep 29th, 2008

Hello Folks!!

I have two ASA 5520 Series appliances. I want to implement a three-homed DMZ with three Ethernet interfaces, and I want failover with this solution.

Is this possible with this device?

What are the connections between the different switches with STP enabled for redundancy?

Thanks in advance!

Correct Answer by Matthew Warrick about 8 years 4 months ago
Matthew Warrick Mon, 09/29/2008 - 08:31

Assuming you have the proper licenses on each device, this is possible.

You will need a total of 4 interfaces to enable failover: inside, outside, DMZ, and fail-link.

Each firewall interface is a L3 host port so the device does not participate in or have any knowledge of STP. Each port on the switch side should be in "switchport host" with cdp disabled, etc. Try to think of the firewall as a "server".

Each interface on the firewall will need a primary and standby IP enabled. Ideally you will want the fail-link cabled via x-over if the firewalls are co-located.

The configuration examples section for ASAs has the rest of the commands you will need to complete the config.

Hope that helps.

elias.manchon Tue, 09/30/2008 - 00:57

Hi mattjw916,

I have sent a jpg file with the wiring connections. Could you have a quick look at this file?

Thanks again!!

elias.manchon Tue, 09/30/2008 - 08:10

Many thanks, Matt.

Your diagram is very explanatory.

My last doubt... If the Primary/Active ASA fails, then the secondary ASA takes possession of the Primary role. But how could I make the different IPs from my ISP for each ASA transparent to the configuration of the IPsec tunnels on the remote side?

Thanks again!!

Matthew Warrick Tue, 09/30/2008 - 08:39

When the primary/active fails the secondary/standby assumes the secondary/active state. The secondary device re-IPs itself with the primary's IP addresses and "impersonates" the dead firewall. Of course, that vastly oversimplifies the actual process but from the ISP and server's perspective the outside IP address of the active firewall never changes.

As long as it is a graceful failover the connection states should be maintained during a failover event. I personally haven't had to support any nailed-up ipsec tunnels but I assume they would remain connected without any intervention.

elias.manchon Tue, 09/30/2008 - 09:03

Hi Matt,

In short, you are saying that I can/must set up the secondary device with the same configuration as the primary device?

The public IPs of both of them are the same?

Thanks again

Matthew Warrick Tue, 09/30/2008 - 09:10

The secondary firewall doesn't really have its own config. Once you enable failover and establish IP connectivity between the firewalls, the primary writes its config to the flash of the secondary automatically. To create a failover secondary firewall you only need to cable up a blank ASA, add a couple of failover commands, and then the primary sees and syncs it.

Here is a sample config that explains this all in great detail:
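As an added illustration (not the sample config referred to above and not from this thread), here is the Active/Standby failover bootstrap the replies describe: a fail-link plus active/standby addresses on inside, outside and DMZ, a secondary that carries only the failover commands, and the host-port settings on the switch side. Interface numbering, hostnames, the addresses (RFC 5737 and RFC 1918 ranges) and the failover key are constructed placeholders.

```cisco
! --- Primary unit (ASA 5520), configured by hand ---
hostname ASA-PRIMARY
! Fail-link: dedicated interface, cabled back-to-back (crossover) between the units.
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret (placeholder) authenticates and encrypts failover and state traffic.
failover key EXAMPLE-FAILOVER-SECRET
! Every data interface carries an active and a standby address. The active address
! follows whichever unit is active, so the ISP and remote VPN peers see one outside IP.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
 no shutdown
failover

! --- Secondary unit: failover bootstrap only; the rest syncs from the primary ---
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key EXAMPLE-FAILOVER-SECRET
failover

! --- Catalyst switch port facing one ASA data interface (repeat per port) ---
interface GigabitEthernet1/0/1
 description ASA-PRIMARY outside (L3 host port, no STP participation)
 switchport host
 no cdp enable
```

Once both units show `show failover` as Active/Standby Ready, the primary's configuration (interfaces, ACLs, crypto maps) replicates to the secondary, which is why the remote IPsec peers only ever need the single active outside address.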

elias.manchon Tue, 09/30/2008 - 09:19

Sorry, I cannot enter this area. Would you mind sending it to me by email?
