Is virtual IP possible ? in ASA

balaji090 · ‎10-16-2009

not the loopback if your thinking of that !!

can we configure 2 asa's to listen to same logical IP address ie.. from the below diagram router would route to the ASA on 1 logical Ip

two interface of asa would have the physical Ip !

Looks like Harp and Vrrp not supported in asa If i am not wrong any suggestions ?

ASA -----ASA

| |

---------------Switch

| |

Router router

Panos Kampanakis · ‎10-16-2009

You are right. Features like HSRP, VRRP, GLBP are not supported on the ASA. If you have 2 ASAs in failover they share the same ip address, but only the active is taking passing the traffic. The do no pass traffic at the same time.

Now if you go in a more complicated scenario with an active/active context you can have 2 units passing traffic at the same time. But still these are different virtual firewalls that have different policies.

To summarize, HA pairs as know from IOS is not supported on ASAs in the same way.

I hope it helps.

PK

JORGE RODRIGUEZ · ‎10-16-2009

In addition to PK comments, using your same network diagram if you have your two routers either behind or in front of ASA speaking HSRP you can have your ASA use that virtual IP.. say your internet edge routers Active/standby its HSRP IP can be your ASA default route.

Regards

Jorge Rodriguez