ASA Failover configuration reassurance

Unanswered Question
Oct 9th, 2009

Hi all,

Just need some reassurance on the set up of failover for ASA 5510.

Due to the limitations on public IP addresses I have only been allocated 1 usable IP address for the outside interface. I am sure that for failover the only unique IP address on each unit is on the management interface, to allow for the state tables and configuration to be shared.

I did the course around a year and a half ago and have not had the opportunity to work on one since; however, a lot of the guides on Cisco show that the ASA uses a unique IP on all the interfaces.

Thanks in advance

Richard

Stuart Hare Fri, 10/09/2009 - 06:05

Richard,

What mode are you running the ASA in, Routed or Transparent?

In routed mode you typically need to have 2 unique ip addresses for each interface, a primary ip and a standby ip.

i.e.

    interface e0/0
     nameif outside
     ip add 192.1.2.1 255.255.255.0 standby 192.1.2.2
     no sh

When the ASA fails over to the secondary, the secondary device will adopt the primary IP and become the active device.

Not aware of a way that you can configure failover with only 1 IP address per interface.

Not sure where you're going with the mgmt interface either, unless you're in transparent mode.

Stu

richard.jackson Fri, 10/09/2009 - 06:32

Hi Stuart

Thanks for the response

I am running in routed mode:-

At the moment the customer has a single PIX with an IP (e.g.) 1.1.1.1; on this there is a /29 network. Default gateway is 1.1.1.4.

As there are no spare IP addresses within that range on the outside interface, I was hoping that the primary would have the IP of 1.1.1.1 on the outside interface and that I would not need to set a unique IP on the Secondary ASA outside; it would only assume the IP address of 1.1.1.1 in the event of the primary failing. If this is not possible the customer will need to obtain a new block of public IPs.

I can put unique private IPs on the management interfaces to transfer state tables/configs etc. and for the LAN default gateways; my issue is only on the outside interface.

I can add a network diagram if required

Cheers

Rich

Saurabh Kishore Fri, 10/09/2009 - 11:41

Hi,

In case you do not have another public IP address to assign as the standby IP address on the outside interface, that does not stop you from configuring failover on the firewall.

The standby IP address is needed if you need to manage the standby device. However, if you do not configure the interfaces with a standby IP address there should not be an issue in configuring failover.
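A check that can be run over a saved running-config to list which named interfaces of a failover pair have an active address but no standby address, which the last reply says is what is needed to manage the standby device. This is an added example and not part of the thread: the sample config is constructed (the outside address reuses the example address from the thread), and the function names are hypothetical.

```python
import re

# Constructed sample config: outside has a single public IP (no standby),
# inside has a primary/standby pair. The inside addresses are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Management0/0
 no nameif
 no ip address
!
"""

# Matches "ip address A M [standby S]" and abbreviations such as "ip add".
IP_RE = re.compile(r"^ip add\S*\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?\s*$")

def audit_standby(config):
    """Return {nameif: (active_ip, standby_ip_or_None)} for addressed interfaces."""
    result, name, addr = {}, None, None
    def flush():
        if name and addr:
            result[name] = addr
    for raw in config.splitlines():
        if raw.startswith("interface "):
            flush()                      # close the previous interface block
            name, addr = None, None
        line = raw.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        m = IP_RE.match(line)
        if m:
            addr = (m.group(1), m.group(3))
    flush()
    return result

def missing_standby(config):
    """Named interfaces that have an active IP but no standby IP."""
    return sorted(n for n, (_, sb) in audit_standby(config).items() if sb is None)

if __name__ == "__main__":
    print(missing_standby(SAMPLE_CONFIG))
```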
