[Another] ASA Failover Question

Unanswered Question
Jun 10th, 2010

Howdy Everyone,

OK, so here's the deal:

I've recently undertaken an initiative to remove backdoor access to a data-reporting server, and to swing the connection to an external interface on our firewall.

Currently we have a server that is dual-homed--one NIC is connected to our internal network, and the other goes to a dumb switch that allows access from 4 outside corporations.  In other words, this secondary NIC has 4 different IPs that allow these companies to access the data on the server.

Here's what I propose to do:

I want to configure a switch that will VLAN-separate each company's network and trunk them to a single interface on our firewall.  I'll configure the port with sub-interfaces for each company--utilizing the IP addresses that were previously associated with the secondary NIC on the reporting server.  Finally, I will NAT traffic destined to those IPs to the IP on the primary server NIC.

I have tested this configuration in my lab and it works perfectly.  But here's the catch...  I have a second ASA in standby mode for failover.  So my question is this: Is there a way to make the standby IPs of the sub-interfaces transparent?  I understand that when the alternate ASA takes over, it assumes the IP of the primary interface, but I've found that the standby interface is still an active presence on the network even when in standby mode (i.e. it can be pinged, etc.).

The reason I ask is because I don't necessarily want to try to obtain an unused IP address from these other companies, but I don't want to use one that will jack up their routing either...  I understand that normally a change in the infrastructure like this would be coordinated with everyone involved, however this server is only accessed during specific periods and is not "critical" to business operation.  Ideally, I could make the change and nobody would ever have to be the wiser!

Hopefully someone out there can help me with this one?

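The design described in the post, written out as an added ASA configuration example (not the poster's own config, and assuming ASA 8.2-style syntax): one 802.1Q sub-interface per partner company, each carrying the address formerly on the server's second NIC plus the second address the standby unit will own, static PAT from that address to the internal server, and an ACL limiting each partner to the reporting service. Interface names, VLAN IDs, addresses and the TCP port are placeholders.

```cisco
! Added example, not the poster's configuration. Assumes ASA 8.2-style
! syntax; interface names, VLAN IDs, addresses and TCP port are placeholders.
! Internal reporting server (primary NIC): 10.0.0.50 (assumed)
! Partner A previously reached the server's second NIC at 198.51.100.2 (assumed)

! Parent interface carries only the 802.1Q trunk from the VLAN-separated switch
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
! One sub-interface per partner. The address after "standby" is the one the
! question is about: the standby unit owns it and answers ARP/ping on it, so it
! must be a free address in the partner's subnet. Failover is unsupported without it.
interface GigabitEthernet0/3.101
 vlan 101
 nameif partnerA
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
interface GigabitEthernet0/3.102
 vlan 102
 nameif partnerB
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Static PAT: traffic to the sub-interface's own address on the reporting
! port is forwarded to the server's internal NIC (port 1433 is a placeholder).
static (inside,partnerA) tcp interface 1433 10.0.0.50 1433 netmask 255.255.255.255
static (inside,partnerB) tcp interface 1433 10.0.0.50 1433 netmask 255.255.255.255
!
! Pre-8.3 ACLs reference the translated (outside) address. Permit only the
! partner's subnet to the single service; everything else is dropped.
access-list partnerA_in extended permit tcp 198.51.100.0 255.255.255.248 host 198.51.100.2 eq 1433
access-group partnerA_in in interface partnerA
access-list partnerB_in extended permit tcp 203.0.113.0 255.255.255.248 host 203.0.113.2 eq 1433
access-group partnerB_in in interface partnerB
!
! Active/standby failover over a dedicated link (FOLINK name is a placeholder)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
```

The `standby` address on each sub-interface is exactly the second partner-side IP the post is trying to avoid; removing it leaves the pair in an unsupported state rather than making the standby unit invisible.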
edadios Thu, 06/10/2010 - 16:06

You really need the second ip for every interface for the standby.

Otherwise, if you don't configure them, it is not a supported setup, and things can go wrong.

Regards,

mortalkrab Thu, 06/10/2010 - 16:10

Yeah, I completely agree.  Without a standby IP the ASAs will not function in failover mode.  I'm only hoping that someone knows a way to make the standby IPs transparent to the rest of the network...
