
New Member

ASA, Three Interfaces in Failover

Hello Folks!!

I have two ASA 5520 series devices. I want to implement a three-homed DMZ with three Ethernet interfaces, and I want failover with this solution.

Is this possible with this device?

What are the connections between the different switches with STP enabled for redundancy?

Thanks in advance!

10 REPLIES
New Member

Re: ASA, Three Interfaces in Failover

Assuming you have the proper licenses on each device, this is possible.

You will need a total of 4 interfaces to enable failover: inside, outside, DMZ, and fail-link.

Each firewall interface is an L3 host port, so the device does not participate in or have any knowledge of STP. Each port on the switch side should be in "switchport host" with CDP disabled, etc. Try to think of the firewall as a "server".

Each interface on the firewall will need a primary and standby IP enabled. Ideally you will want the fail-link cabled via x-over if the firewalls are co-located.

The configuration examples section for ASAs has the rest of the commands you will need to complete the config.

Hope that helps.

New Member

Re: ASA, Three Interfaces in Failover

Hi mattjw916,

I have sent a jpg file with the wire connections. Could you have a quick look at this file?

Thanks again!!

New Member

Re: ASA, Three Interfaces in Failover

I'd cable it up more like this based on the diagram you provided.

Hope that helps.

Matt

New Member

Re: ASA, Three Interfaces in Failover

Many thanks, Matt.

Your diagram is very explanatory.

My last doubt... If the primary/active ASA fails, then the secondary ASA takes over the primary role. But how can I make the different IPs from my ISP for each ASA transparent to the configuration of the IPsec tunnels on the remote side?

Thanks again!!

New Member

Re: ASA, Three Interfaces in Failover

When the primary/active fails, the secondary/standby assumes the secondary/active state. The secondary device re-IPs itself with the primary's IP addresses and "impersonates" the dead firewall. Of course, that vastly oversimplifies the actual process, but from the ISP's and server's perspective the outside IP address of the active firewall never changes.

As long as it is a graceful failover, the connection states should be maintained during a failover event. I personally haven't had to support any nailed-up IPsec tunnels, but I assume they would remain connected without any intervention.

New Member

Re: ASA, Three Interfaces in Failover

Hi Matt,

In short, are you saying that I can/must set up the secondary device with the same configuration as the primary device?

Are the public IPs of both of them the same?

Thanks again

New Member

Re: ASA, Three Interfaces in Failover

The secondary firewall doesn't really have its own config. Once you enable failover and establish IP connectivity between the firewalls, the primary writes its config to the flash of the secondary automatically. To create a failover secondary firewall you only need to cable up a blank ASA, add a couple of failover commands, and then the primary sees and syncs it.

Here is a sample config that explains this all in great detail:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
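As an added illustration of the procedure Matt describes (this is not from the original thread or the linked Cisco example), here is a constructed active/standby failover configuration for the three-interface layout: every data interface carries a primary and standby address, so the outside address the ISP and the remote IPsec peers see stays with whichever unit is active, GigabitEthernet0/3 is assumed to be the crossover-cabled failover link, and the secondary unit needs only the bootstrap lines. All interface names, addresses and the key are assumed values.

```text
! ===== Primary unit (full configuration lives here and is synced to the secondary) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
! Dedicated failover link (crossover cable between the two units); no nameif here
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
! The same link also carries connection-state replication (stateful failover)
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key authenticates and encrypts failover traffic; replace the placeholder
failover key <FAILOVER-KEY-PLACEHOLDER>
failover

! ===== Secondary unit (blank ASA; only these bootstrap lines are entered) =====
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <FAILOVER-KEY-PLACEHOLDER>
failover
```

Once both units are up, `show failover` on the primary should report the local unit as Active and the peer as Standby Ready with every monitored interface in the Normal state; `show failover state` helps tell a config-sync problem apart from a link fault.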

New Member

Re: ASA, Three Interfaces in Failover

Sorry, I cannot enter this area. Would you mind sending it to me by email?

Thanks.

New Member

Re: ASA, Three Interfaces in Failover

Matt, many thanks for everything!!
