I have the items below:
Site A - 1 unit of Netscreen VPN firewall
Site B - 2 units of ASA VPN firewall
I'm trying to configure a site-to-site VPN but am facing a problem with the active/standby configuration.
At first I tried a site-to-site VPN between 1 Netscreen unit at Site A and 1 ASA unit at Site B. There was no problem.
But if I add another ASA at Site B and configure it as Active/Standby, then I have some questions that I need help with.
Things that confuse me:
1) Do I need to use 2 public IPs on the ASA? (One public IP for Active and another public IP for Standby. It seems like a waste of a public IP.)
2) Can the failover link and stateful failover be configured on the same interface?
Please help with this case: how to configure a site-to-site VPN with an Active/Standby configuration.
So as Richard said, to your first question, if you configure only an active IP address for the outside interface without a standby IP, then depending on which ASA is active at the moment, that ASA will take up that IP address while the standby ASA will show its outside IP as 0.0.0.0.
With regards to your second question, if you would like to configure your outside interface in the following format:
ip address 184.108.40.206 255.255.255.0 standby 220.127.116.11
assuming 18.104.22.168 and 22.214.171.124 are the 2 IP addresses you have gotten from your 2 ISPs, this will not be possible because they both lie in different subnets and the ASA will pop up an error with the subnet being different for both the IP addresses (one is 126.96.36.199/24 and the other is 188.8.131.52/24).
If you would like to monitor the outside interface, the only way to go about it will be to get a 2nd IP address from the ISP in the same subnet that you already have and add that as the standby IP address to the outside interface. Let me know if there is anything that is unclear or if I have understood wrong.
Your original question was in terms of active/standby so I will answer in terms of active/standby.
1) Yes you would configure the same IP address from the ISP on both ASA outside interfaces. You seem to not quite realize that when you configure a pair of ASA in active/standby that they share the same configuration. In configuring interfaces in active/standby you configure an "active" IP address and (usually) a "standby" IP address (but the standby address is not required as discussed in previous posts). The ASA that is active will have the active address and the ASA that is standby will have the standby address (if one is configured). For example let us think about a situation in which there are 2 ASAs (A and B) and addresses are configured as 184.108.40.206 and 220.127.116.11. In the beginning let us assume that A is active and B is standby. So A will have address 18.104.22.168 and B will have 22.214.171.124. Then assume that there is some fail over event. Now B is active and A is standby (or perhaps out of service depending on what type of fail over event it was). So now B has address 126.96.36.199 and A would have 188.8.131.52.
2) I am not clear how to interpret the second part of your question. If you have 2 ISPs (connected to 2 different interfaces) then you should be able to configure addresses from each ISP on each interface and active/standby would work. How to use those addresses will depend on how you have configured the ASA. If your question is asking if you can configure an address from one ISP on ASA A and configure an address from the other ISP on ASA B then that does not work with active/standby. You should be able to do this with active/active but that gets into a significantly different type of failover configuration and operation.
Just to add on to this,
just be careful when you dedicate an interface for stateful failover: make sure that it is of the highest capacity or at least the same capacity as the other interface.
So if you are using a gig interface for passing traffic, use a gig port for stateful failover. Many times we have seen people using the management interface for stateful when they have gig ports, and they run into issues wherein the stateful function is not working as expected.
you can read more here
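
The setup discussed in this thread, as an added example (not any poster's own configuration): an outside active/standby address pair taken from the same subnet, and one gigabit interface carrying both the failover link and the stateful link. The interface numbering, the FOLINK name and every address are assumed placeholders (RFC 5737 and RFC 1918 ranges).

```cisco
! Constructed example for the primary unit of an ASA active/standby pair.
! All addresses and interface numbers are placeholders, not from the thread.
!
! Outside: active and standby addresses must sit in the same subnet.
! Omitting "standby ..." saves a public address, but the standby unit's
! outside interface then shows 0.0.0.0 and cannot be monitored.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Dedicated link between the two units. It is left without nameif or
! ip address; the failover commands below own it. Same speed as the
! data interfaces, per the capacity advice in the thread.
interface GigabitEthernet0/3
 description LAN and stateful failover link
 no shutdown
!
failover lan unit primary
! Failover (control) link
failover lan interface FOLINK GigabitEthernet0/3
! Stateful link sharing the same interface
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
!
! Health monitoring of outside works only because a standby address exists.
monitor-interface outside
!
! On the secondary unit, configure the same failover commands but with:
!   failover lan unit secondary
! The rest of the configuration replicates from the active unit.
```

The remote VPN peer is pointed only at the active outside address, which moves to whichever unit is active; `show failover` on either unit shows which one currently holds it.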