Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need some help with the implementation design of asa 5510's

Essentially, I currently use linux firewalls for clients. It's a simplistic (but poor) design. There is a primary and a secondary. They each have 2 interfaces on them. The public side has 2 ips. One is the ip we manage the server on , and the other is the external address we route through. This external address moves between the pri and sec, depending on which is the active one in case we have to fail over. So to recap, we have 1 ip that does not move, and 1 ip that does move (within the same netblock.) So for a pri-sec combo, 3 IP's used on the public side.

We have a similar setup on the internal side. 1 Ip that stays on each (For failover info) and then the gateway for the netblock we're firewalling. (again, 3 ips used. With one ip moving between the 2 depending on which is active.)

We're implementing some ASA's for clients as well (For various reasons.) The problem i'm running into is trying to set these up in a similar configuration to our current firewalls. I have 2 netblocks. I have a pair i'd like to set up in a failover configuration.

I can do away with the 3 internal interfaces and just have 1 IP (the gateway for the client machines) on an inside interface and fail that back and forth since I can use another interface for the failover.. ) but my problem comes with the public (outside) side of the asa's. The public interfaces on the linux firewalls are what we use for general management. And the external IP that moves between the pri and sec is what we route the client netblocks through. I can't seem to find a way to make a setup like this work, so I'm coming here for some advice. :)

With 2 netblocks, I need to be able to set up a failover configuration (preferably stateful), but still be able to access both asa's remotely independent of whichever is active. This is probably extremely simplistic, but at this hour of night, my brain is fried.

Thank you in advance. I know the above is ill thought out and chaotic.


Re: Need some help with the implementation design of asa 5510's


you cannot have secondary IP addresses configured on the ASA interfaces, like the linux firewalls or the routers... You can probably manage the ASA through the outside segment on the same IP as the outside interface through SSH, https etc, or do the following:

1) ASA firewalls do support VLANs. you can actually trunk the port between the router and the firewall and configure 2 seperate VLANs , 1 for management and 1 for failover with 2 seperate IP subnets.. u also need to configure dot1q encapsulation on ur router and configure sub-interfaces....

2) when u seperate these subnets through VLANs , they are logically seperated DMZ zones, so the security is even more enhanced on your management VLAN.

For information on configuring VLAN on your ASA, please refer to:

Hope this helps.. all the best... rate replies if found useful..


CreatePlease to create content