I've just started configuring 2x new ASA5520's. They will be either in active/active, or active/passive failover. I'd like to have stateful failover.
A couple of questions:
What is the "management" interface for (other than the potential obvious) - I know traffic can't flow into that interface and out another interface, so is it ONLY meant for managing/configuring the units?
I know that I need a dedicated network between the 2 ASA's for the failover. Can I use the above mentioned management interface for this, rather than one of the Gigabit interfaces?
Both devices have the AIP-SSM-10 module which ALSO has an interface on it. Is this just for administering the module?
Also, anyone who has a similar setup to me, tips, experiences and pointers gladly accepted.
Setup is pretty simple:
Redundant Ethernet internet connections coming through 2x 2801's
Web, mail, app servers & 2811's providing VPN connections in DMZ
Users behind ASA's
Software VPN's will be done directly to ASA's using IPSEC VPN Client - may look at ssl in future.
mgmt can be used for failover but it is only 10/100.
mgmt interface has been designed to connect a PC to the management interface for administration ( Cisco design )
if you have huge traffic, then use the 3rd interface for failover since it will be stateful, so speed & bandwidth will be crucial. Connect both the ASA Gigabit directly with a straight cable for failover.
AIP-SSM-10 module interface is only for administration,
actual setup & admin can be done by connecting to the IP either by session 1 from the ASA or via the ASDM by
https://IP of the IPS console
The config is very similar to PIX, in fact the ACLS can be pasted directly.
The ASA will have 1 active & 1 standby
the active ASA will have the active IP & replicate the config to the standby.
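
The stateful failover setup discussed in this thread, as an added example that is not part of the original posts: a primary-unit configuration that uses one Gigabit port for both the LAN failover link and the state link. The interface choice, the name FOLINK, all addresses and the key placeholder are assumptions made for illustration.

```cisco
! Added example, primary unit. Names, addresses and the key are constructed.
! Dedicated failover port: no nameif or data IP is configured on it.
interface GigabitEthernet0/3
 description LAN and stateful failover link to peer ASA
 no shutdown
!
! Each data interface carries an active and a standby address.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
failover lan unit primary
! Same physical port carries unit health/config sync and connection state.
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Shared key protects failover traffic; use the same value on both units.
failover key <SHARED-FAILOVER-KEY>
failover
!
! Secondary unit: enter the same failover commands, but with
!   failover lan unit secondary
! It then receives the rest of the configuration from the active unit.
! Verify on either unit with: show failover
```

Unless a failover key is set, everything sent over the failover and state links, including the replicated configuration, crosses the wire in clear text, so the link should also be a dedicated segment that carries nothing else.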