I am purchasing 2 new ASA 5520 and wish for them to act as a failover pair in Active/Standby mode. How many physical interfaces do I need in order to allow this to happen? Please note that the failover should be stateful!
I don't think that I can purchase a Failover licence for the second firewall, I think it must be the same as the active firewall, is this correct?
Thanks for your answer. Am I right then in saying that I will need to purchase an additional 4 interfaces if I want to have ASA as my internet firewall, i.e. if I create a DMZ segment, outside, and inside segment + the failover interfaces, or can you use subinterfaces to segment the network?
I don't think you need to purchase additional interfaces for this. If you need 3 interfaces such as outside, inside & dmz, you can use 3 interfaces for these.
For failover+stateful, you can share both of them on the left interface. However, there will still be one more additional interface available (management interface), which also could be used for any of the above purposes, if we disable the "management-only" option on this interface. If we have a pair of ASA-5510, all these interfaces will be 100Mbps interfaces. If it's an ASA-5520 pair or higher, the management interface would be 100Mbps and all other interfaces would be 1Gbps interfaces.
The LAN failover and Stateful failover interfaces can use the same physical interface. However, on a 5520, this interface must be one of the 4 gig interfaces. You should not use the management0/0 interface for the lan/state link, as the interface must be as fast or faster than the other interfaces in the ASA.
Finally, to answer your other question, yes the ASA does support dot1q trunking, and if you wanted you could place the inside, outside and dmz all on the same physical interface (say Gig0/1) and each would be a sub-interface.
For your question about the license, the ASAs do not have the concept of Unrestricted, Restricted, and Failover-Only licenses. The PIXes did. All 5520s support A/S failover.
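The layout the replies describe (LAN failover and stateful failover sharing one gigabit interface, with inside, outside and dmz as dot1q sub-interfaces on a second one) looks like the following on the primary unit. This is an added example, not configuration from the thread's participants; interface names, VLAN IDs, addresses and the failover key value are assumptions, and the `failover key` line is a standard ASA command for authenticating the failover link that the thread itself does not mention.

```cisco
! --- Failover link: LAN and stateful traffic share GigabitEthernet0/3 ---
! (assumed interface name; the replies only require a gig interface here)
interface GigabitEthernet0/3
 description FAILOVER-LAN-AND-STATE
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret so a rogue host on the link cannot impersonate the peer
! (REPLACE-WITH-SHARED-SECRET is a placeholder)
failover key REPLACE-WITH-SHARED-SECRET
!
! --- Trunk carrying inside, outside and dmz as dot1q sub-interfaces ---
! The physical interface carries no nameif/ip; only the sub-interfaces do.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Management0/0 stays out of the failover role (it is slower than the
! gig ports); left as management-only here.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 management-only
!
failover
```

Each data interface gets a `standby` address so the standby unit can be reached and monitored, which stateful failover depends on. The secondary unit needs only the `failover lan unit secondary` line plus the same FOLINK interface and key; the rest of the configuration is replicated from the primary once `failover` is enabled on both.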