Solved: ASA 5510 Active/Active - Cisco Community

312

Views

0

Helpful

3

Replies

We have an ASA5510 v9.14 and are looking at setting up a second unit to run in active/active.

The ASA has site-site vpns, most static end points, but we have several dynamic site-site vpns. We also have SSL anyconnect users and staff use cisco vpn clients on their laptops.

We know the static site-site vpns work in active/active, but what about the dynamic site-site and the SSL connections?

1 Accepted Solution

Accepted Solutions

Hi,

I am actually not sure about possible Dynamic L2L VPN connections. The ASA Configuration Guide does not really mention any specific information about the Site to Site VPN. I would assume that it should be possible as the configurations are almost identical. Sadly I have not had the opportunity to test these setups at all since it requires an ASA in Multiple Context mode and I tend to test thing with an ASA5505. I guess if I have the time I might be able to test this for you on some older 5520 unless there is some RAM restrictions for using the newer softwares.

The Remote VPN Client situation should be clear though. The documentation simply states that its not possible to use those.

Here is a link to the latest ASA Configuration Guide and the Multiple Context section

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/ha-contexts.html#pgfId-1707996

Also notice that if you are using ASA5510 you are required to have both units with Security Plus license or Multiple Context and Failover is not supported.

Here is a link to a 9.1 software version document related to licensing listing the options for each model

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2125486

Naturally if you can afford it you could leave your current ASA to serve as a dedicated VPN device for your needs and aquire new ASA pair just for the A/A setup behind which you would migrate anything you need. Naturally if the VPN ASAs public interface IP address is used for something that requires users to have it in the future too then it would be problematic to use the mentioned setup. If its not tied to something else and you had a single public subnet you could connect both the VPN ASA and the A/A Failover pair to the same public subnet on your WAN device (perhaps needing a switch depending on the current setup)

Hope this helps :)

- Jouni

View solution in original post

3 Replies 3

Hi,

I am actually not sure about possible Dynamic L2L VPN connections. The ASA Configuration Guide does not really mention any specific information about the Site to Site VPN. I would assume that it should be possible as the configurations are almost identical. Sadly I have not had the opportunity to test these setups at all since it requires an ASA in Multiple Context mode and I tend to test thing with an ASA5505. I guess if I have the time I might be able to test this for you on some older 5520 unless there is some RAM restrictions for using the newer softwares.

The Remote VPN Client situation should be clear though. The documentation simply states that its not possible to use those.

Here is a link to the latest ASA Configuration Guide and the Multiple Context section

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/ha-contexts.html#pgfId-1707996

Also notice that if you are using ASA5510 you are required to have both units with Security Plus license or Multiple Context and Failover is not supported.

Here is a link to a 9.1 software version document related to licensing listing the options for each model

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2125486

Naturally if you can afford it you could leave your current ASA to serve as a dedicated VPN device for your needs and aquire new ASA pair just for the A/A setup behind which you would migrate anything you need. Naturally if the VPN ASAs public interface IP address is used for something that requires users to have it in the future too then it would be problematic to use the mentioned setup. If its not tied to something else and you had a single public subnet you could connect both the VPN ASA and the A/A Failover pair to the same public subnet on your WAN device (perhaps needing a switch depending on the current setup)

Hope this helps :)

- Jouni

Many thanks for your reply.

The current ASA5510 has security plus and so does the second one.

We have an old third 5510 without plus so were thinking of moving the vpn to this if required.

Is there any virtual option for a VPN concentrator instead of using this third ASA?

Hi,

All the ASAs follow the same restrictions atleast.

Other than that there is I guess different Cisco Router models and some Small Business products that support VPNs.

I am not sure what you mean with the virtual option in this case. If you simply mean that you want to configure the VPN connections (L2L VPN and Client VPN) on the same device but separate them from eachother on the same hardware then you naturally have the option to use a Cisco Router and use VRFs in your configurations to separate each connection to its own routing table. You can then further build a connection from that VRF to perhaps some virtual firewall you are running on the A/A ASA pair.

We for exampe use the Cisco ASR Routers but we also use a lot of ASA firewalls for VPN purposes.

I am not however familiar with the SSL VPN and Cisco Routers. To my understanding its supported but I am not aware what possible limitations it might have.

- Jouni

Review Cisco Networking products for a $25 gift card