ASA, Three Interfaces in Failover

elias.manchon (Level 1)

Hello Folks!!

I have two ASA 5520 Series firewalls. I want to implement a three-homed DMZ with three Ethernet interfaces, and I want failover with this solution.

Is this possible with this device?

What are the connections between the different switches with STP enabled for redundancy?

Thanks in advance!


Matthew Warrick (Level 1)

Assuming you have the proper licenses on each device, this is possible.

You will need a total of 4 interfaces to enable failover: inside, outside, DMZ, and fail-link.

Each firewall interface is an L3 host port, so the device does not participate in or have any knowledge of STP. Each port on the switch side should be in "switchport host" with CDP disabled, etc. Try to think of the firewall as a "server".

Each interface on the firewall will need a primary and standby IP enabled. Ideally you will want the fail-link cabled via x-over if the firewalls are co-located.

The configuration examples section for ASAs has the rest of the commands you will need to complete the config.

Hope that helps.

Hi mattjw916,

I have sent a jpg file with the wire connections. Could you have a quick look at this file?

Thanks again!!

I'd cable it up more like this based on the diagram you provided.

Hope that helps.

Matt

Many thanks, Matt.

Your diagram is very explanatory.

My last doubt... If the primary/active ASA fails, then the secondary ASA takes over the role of primary. But how could I make the different IPs of my ISP for each ASA transparent for the configuration of the IPsec tunnels on the remote side?

Thanks again!!

When the primary/active fails the secondary/standby assumes the secondary/active state. The secondary device re-IPs itself with the primary's IP addresses and "impersonates" the dead firewall. Of course, that vastly oversimplifies the actual process but from the ISP and server's perspective the outside IP address of the active firewall never changes.

As long as it is a graceful failover, the connection states should be maintained during a failover event. I personally haven't had to support any nailed-up IPsec tunnels, but I assume they would remain connected without any intervention.

Hi Matt,

In short, you are saying that I can/must set up the secondary device with the same configuration as the primary device?

The public IPs of both of them are the same?

Thanks again

The secondary firewall doesn't really have its own config. Once you enable failover and establish IP connectivity between the firewalls, the primary writes its config to the flash of the secondary automatically. To create a failover secondary firewall you only need to cable up a blank ASA, add a couple of failover commands, and then the primary sees and syncs it.

Here is a sample config that explains this all in great detail:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
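The following is an added example of the Active/Standby failover layout Matt describes in his first and last replies (three routed interfaces plus a dedicated fail-link, primary/standby IP on every interface, a handful of failover commands on the secondary, and "switchport host" on the switch side). It is not configuration from this thread or from the linked Cisco document; the hostnames, interface numbers, addresses (RFC 5737 / RFC 1918 ranges) and the failover key are all assumed for illustration.

```cisco
! ---- Primary unit (assumed ASA 5520, 8.x syntax; all addresses are examples) ----
hostname asa-primary
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Fourth port is the "fail-link": failover control plus stateful replication.
! Crossover-cabled straight between the two units; no nameif, no security-level.
interface GigabitEthernet0/3
 description LAN/STATE failover link
 no shutdown
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Assumed key. Without it the config sync (including VPN pre-shared keys)
! crosses the fail-link in clear text. Must match on both units.
failover key S3cr3tFa1l0v3rK3y
!
! ---- Secondary unit: the only lines typed by hand on an otherwise blank ASA ----
! Interfaces, ACLs, crypto maps, etc. are pushed from the primary after sync.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key S3cr3tFa1l0v3rK3y
! Enable failover last, after the link is defined, so the unit syncs cleanly.
failover
!
! ---- Switch side, one stanza per firewall-facing port (assumed Catalyst IOS) ----
! "switchport host" = access mode + spanning-tree portfast + no channel-group,
! which matches treating the ASA as an STP-unaware server.
interface GigabitEthernet1/0/10
 description asa-primary outside
 switchport access vlan 10
 switchport host
 no cdp enable
!
interface GigabitEthernet1/0/11
 description asa-secondary outside
 switchport access vlan 10
 switchport host
 no cdp enable
```

Each routed interface gets both an active and a standby address because the active unit always owns the first address: on failover the secondary re-IPs itself to 203.0.113.2 (and takes over the MAC address), which is why the ISP and the remote IPsec peers never see a change. After bringing the secondary up, `show failover` on the primary should report the mate as "Standby Ready" and every monitored interface as Normal; an interface stuck in "Waiting" usually means the standby IP or the switch VLAN is wrong on one side.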

Sorry, I cannot enter this area. Would you mind sending it to me by email?

Thanks.

Matt, many thanks for everything!!
