Solved: You can easily set up

satya mothukuri · ‎08-04-2014

Hi All,

I want to know what all fail-over I can build for single ASA. I am planning to connect as per the attached.

Please let me know all configuration that i can build. Do i need to assign 2 ip's for that 2 interfaces connected to inside,dmz and outside.

Please let me know if you any other design.

Regards,

Satya.M

nkarthikeyan · ‎08-04-2014

Hi Satya,

Also you can have redundant interfaces in a member group as well.

Examples

The following example creates two redundant interfaces:

hostname(config)# interface redundant 1

hostname(config-if)# member-interface gigabitethernet 0/0

hostname(config-if)# member-interface gigabitethernet 0/1

hostname(config-if)# interface redundant 2

hostname(config-if)# member-interface gigabitethernet 0/2

hostname(config-if)# member-interface gigabitethernet 0/

Regards

Karthik

View solution in original post

raghavsukhwal · ‎08-04-2014

Hi Satya,

You cannot assign IP's of the same subnet to two different interfaces of the ASA in the routed mode. So as per your diagram, you cannot connect Inside interface of the ASA to both the 6504E switches or to the DMZ switches as you have shown. If you want to do such a failover, you can use 2 ASA's with Active/Standby failover while connecting ASA-1 to 6504EGa and ASA-2 to 6504EGb. You can also do Active/Active failover.

Also with 1 ASA, if you want to configure 2 ISP's on 2 interfaces, please remember policy based routing is not supported on ASA so at any gien time only 1-ISP will be active for all the traffic going out. You can have the failover configured so that everything fail's over to the secondary ISP when Primary goes down with tracks etc.

I hope this helps. If not, can you please post your exact requirements for the failover so that we can suggest you better.

Best,

Raghav

satya mothukuri · ‎08-04-2014

Thanks Raghav,

I want to know what is "resilient interface" in single ASA design. Yes as u said we can't assign same subnet for 2 interfaces, i guess etherchannel is also not possible. Only Interface failover is possible. Do let me know how this is config in my setup.

Regards,

Satya.M

nkarthikeyan · ‎08-04-2014

Hi Sathya,

You can do ether channel in cisco ASA that is possible.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#wp1319434

Regards

Karthik

nkarthikeyan · ‎08-04-2014

Hi Satya,

Also you can have redundant interfaces in a member group as well.

Examples

The following example creates two redundant interfaces:

hostname(config)# interface redundant 1

hostname(config-if)# member-interface gigabitethernet 0/0

hostname(config-if)# member-interface gigabitethernet 0/1

hostname(config-if)# interface redundant 2

hostname(config-if)# member-interface gigabitethernet 0/2

hostname(config-if)# member-interface gigabitethernet 0/

Regards

Karthik

Marius Gunnerud · ‎08-05-2014

You can easily set up redundancy using a single ASA...Just remember that this will not be hardware redundancy so if the ASA fails you will have no connectivity.

You can connected the ASA to the two 6500 switches given that those switches are configured as VSS. then you just need to configure the two interfaces connected to the switches in a port-channel.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

satya mothukuri · ‎08-05-2014

Thanks Karthik. So in the above config i need to give how many IP add??

2 interfaces will have same IP or 1 each of same subnet/diff???

Regards,

Satya.M

nkarthikeyan · ‎08-05-2014

Hi Sathya,

You can have the single IP address on the redundant interfaces and you have to nameif on the interface redundant not on the actual physical interface.....

and at a time one interface will be active and other one on standby and it uses the same ip address when you have single asa....

Regards

Karthik

Failover for Single ASA

Examples

Examples