Community Member

Cisco ASA 5520 Failover behaviour

Hi Guys,

I am new to Cisco ASA firewalls, so spare me if I ask basic doubts.

If I want to configure the ASA in Active/Standby mode, then their interfaces should be in the same IP subnet.

Now, say for e.g. for the DMZ and inside zones I am using a common subnet on both ASAs.

Let's say: for DMZ, 192.168.1.1/24 for the primary ASA and 192.168.1.2/24 for the secondary ASA;

for inside, 172.16.1.1/24 for the primary ASA and 172.16.1.2/24 for the secondary ASA.

Can I use a different subnet for the outside interfaces, let's say 1.1.1.1/24 for the primary ASA and 2.2.2.2/24 for the secondary ASA???

6 REPLIES

Re: Cisco ASA 5520 Failover behaviour

Hi Bro

In ACTIVE/STANDBY mode, both IP Addresses MUST be in the same network address. No 2-ways about it. Here's a sample for your kind reference;


!
hostname HQPIXFW1
!
interface Ethernet0
nameif outside
security-level 50
ip address 2.2.2.1 255.255.255.248 standby 2.2.2.2
!
interface Ethernet1
nameif inside
security-level 50
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet3
description LAN/STATE Failover Interface
!

access-list acl_in extended permit ip any any
access-list acl_out extended permit ip any any


failover
failover lan unit primary <--- The other unit, change this value to "secondary"
failover lan interface failover Ethernet3
failover lan enable
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key cisco123456789
failover link failover Ethernet3
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

no nat-control


access-group acl_out in interface outside
access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 2.2.2.6

P/S: If you think this comment is useful, please do rate them nicely :-) and select the option “This Question is Answered”

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
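The rule in the reply above (every active/standby pair must sit in one subnet) is easy to verify mechanically before a configuration is pushed. The following is an added example written for this thread, not Cisco code and not part of the reply; it parses the two ASA line shapes that carry a standby address ("ip address A M standby B" under an interface, and "failover interface ip NAME A M standby B") and flags any pair whose standby address is outside the active address's subnet. The two configuration snippets are constructed for the demonstration: the first mirrors the sample in the reply, the second mirrors the outside addressing proposed in the original question.

```python
"""Check that every active/standby address pair in an ASA configuration
shares one subnet (the Active/Standby requirement discussed in the thread).

Added example for this thread; not Cisco code. Regular expressions cover
only the two line shapes shown in the thread's sample configuration.
"""
import ipaddress
import re

# Two line shapes carry an active/standby pair:
#   ip address <active> <mask> standby <standby>               (under "interface")
#   failover interface ip <name> <active> <mask> standby <standby>
PAIR_RE = re.compile(
    r"^\s*(?:ip address|failover interface ip\s+(\S+))\s+"
    r"(\S+)\s+(\S+)\s+standby\s+(\S+)\s*$"
)
INTERFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$")


def check_standby_pairs(config_text):
    """Return one dict per active/standby pair found in config_text.

    ok is True only when the standby address is a different host inside the
    subnet formed by the active address and its mask.
    """
    results = []
    current = None  # physical name, replaced by nameif when one is seen
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PAIR_RE.match(line)
        if not m:
            continue
        fo_name, active, mask, standby = m.groups()
        name = fo_name or current or "?"
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            active_ip = ipaddress.ip_address(active)
            standby_ip = ipaddress.ip_address(standby)
        except ValueError:
            results.append({"name": name, "active": active, "standby": standby,
                            "ok": False, "reason": "unparseable address or mask"})
            continue
        if standby_ip not in net:
            reason = "standby not in active subnet"
        elif standby_ip == active_ip:
            reason = "standby equals active"
        else:
            reason = ""
        results.append({"name": name, "active": f"{active}/{net.prefixlen}",
                        "standby": standby, "ok": reason == "", "reason": reason})
    return results


def failing_pairs(config_text):
    """Names of interfaces whose standby address would break failover."""
    return [r["name"] for r in check_standby_pairs(config_text) if not r["ok"]]


# Constructed sample mirroring the addressing in the reply above.
THREAD_SAMPLE = """\
interface Ethernet0
 nameif outside
 ip address 2.2.2.1 255.255.255.248 standby 2.2.2.2
interface Ethernet1
 nameif inside
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
interface Ethernet2
 nameif dmz
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
"""

# Constructed sample mirroring the outside addressing proposed in the question.
QUESTION_PROPOSAL = """\
interface Ethernet0
 nameif outside
 ip address 1.1.1.1 255.255.255.0 standby 2.2.2.2
interface Ethernet1
 nameif inside
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
"""

if __name__ == "__main__":
    for label, text in (("thread sample", THREAD_SAMPLE), ("question proposal", QUESTION_PROPOSAL)):
        print(f"{label}: failing pairs = {failing_pairs(text)}")
        for r in check_standby_pairs(text):
            print(f"  {r['name']:<10} {r['active']:<18} standby {r['standby']:<15} "
                  f"{'OK' if r['ok'] else 'FAIL: ' + r['reason']}")
```

Run against the first snippet the check reports no failures; against the second it reports "outside", because 2.2.2.2 is not inside 1.1.1.0/24. Note that the check only covers the addressing rule; it says nothing about whether the failover link itself is cabled or whether the failover key is configured.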
Community Member

Cisco ASA 5520 Failover behaviour

Hi Ramraj,

Thanks for your reply.

If this is the case, how can I terminate two separate links from the ISP on the ASA??

Cisco ASA 5520 Failover behaviour

Hi Bro

You could either place 2 units (for redundancy purposes) of L3 Cisco switches on the outside interface of the Cisco FW (assuming both ISP links are provided in UTP cable form), or you could connect both ISP links to 2 separate Cisco Routers and have both these Cisco Routers connect to the outside interface of the Cisco FW via L2 Cisco switches.

End of the day, you still need switches for both the Cisco FW to communicate with each other for failover purposes. No 2-ways about it.

P/S: If you think this comment is useful, please do rate them nicely :-) and select the option “This Question is Answered”

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
VIP Purple

Cisco ASA 5520 Failover behaviour

And another way:

Use two different interfaces for your outside connections. One will be primary; the other can only be used as backup.

Community Member

Cisco ASA 5520 Failover behaviour

I suppose you guys are correct....

But my doubt came because in the Juniper SRX firewall you can assign different IP addresses......

Check out this link:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/cc_deployment_scenarios.html and go to the "Asymmetric Routing Chassis Cluster Scenario" section.

Don't all kinds of firewalls behave in the same way as far as failover is concerned??

VIP Purple

Re: Cisco ASA 5520 Failover behaviour

On the ASA you need to activate the Security-Contexts (virtual firewalls) where one context connects to ISP1 and another context connects to ISP2. But with that deployment you are restricted to pure firewalling. No VPN, dynamic routing ...

Sent from Cisco Technical Support iPad App
