Need some help with the implementation design of ASA 5510s
Essentially, I currently use Linux firewalls for clients. It's a simplistic (but poor) design. There is a primary and a secondary. They each have 2 interfaces on them. The public side has 2 IPs. One is the IP we manage the server on, and the other is the external address we route through. This external address moves between the pri and sec, depending on which is the active one in case we have to fail over. So to recap, we have 1 IP that does not move, and 1 IP that does move (within the same netblock). So for a pri-sec combo, 3 IPs used on the public side.
We have a similar setup on the internal side. 1 IP that stays on each (for failover info) and then the gateway for the netblock we're firewalling. (Again, 3 IPs used, with one IP moving between the 2 depending on which is active.)
We're implementing some ASAs for clients as well (for various reasons). The problem I'm running into is trying to set these up in a similar configuration to our current firewalls. I have 2 netblocks. I have a pair I'd like to set up in a failover configuration.
I can do away with the 3 internal interfaces and just have 1 IP (the gateway for the client machines) on an inside interface and fail that back and forth, since I can use another interface for the failover, but my problem comes with the public (outside) side of the ASAs. The public interfaces on the Linux firewalls are what we use for general management. And the external IP that moves between the pri and sec is what we route the client netblocks through. I can't seem to find a way to make a setup like this work, so I'm coming here for some advice. :)
With 2 netblocks, I need to be able to set up a failover configuration (preferably stateful), but still be able to access both ASAs remotely independent of whichever is active. This is probably extremely simplistic, but at this hour of night, my brain is fried.
Thank you in advance. I know the above is ill thought out and chaotic.
Re: Need some help with the implementation design of ASA 5510s
You cannot have secondary IP addresses configured on the ASA interfaces, like the Linux firewalls or the routers. You can probably manage the ASA through the outside segment on the same IP as the outside interface through SSH, HTTPS etc., or do the following:
1) ASA firewalls do support VLANs. You can actually trunk the port between the router and the firewall and configure 2 separate VLANs, 1 for management and 1 for failover, with 2 separate IP subnets. You also need to configure dot1q encapsulation on your router and configure sub-interfaces.
2) When you separate these subnets through VLANs, they are logically separated DMZ zones, so the security is even more enhanced on your management VLAN.
For information on configuring VLAN on your ASA, please refer to:
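
Added example, not part of the reply above and not the Cisco document it refers to: a primary-unit ASA configuration sketch that reads the reply as one trunked physical port carrying an outside VLAN and a management VLAN, with failover on the separate interface the original poster mentions. VLAN IDs, interface names, addresses (documentation and private ranges) and the key placeholder are constructed assumptions; the `standby` address on each interface is what keeps the standby unit reachable for management whichever unit is active.

```cisco
! Constructed example for the PRIMARY unit. All VLAN IDs, names and
! addresses are placeholders, not values from the thread.
!
! Physical port facing the router/switch trunk: no address of its own.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10: routed outside segment. The active unit answers on .2,
! the standby unit on .3; the pair swaps addresses on failover.
interface Ethernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
! VLAN 20: management segment, kept apart from client traffic.
interface Ethernet0/0.20
 vlan 20
 nameif mgmt
 security-level 100
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
!
! Dedicated failover interface, also used as the stateful link.
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Shared secret protecting failover traffic (placeholder value).
failover key <shared-secret-placeholder>
failover
!
! Accept SSH and HTTPS (ASDM) only from the admin network, and only
! on the management VLAN, not on the outside interface.
ssh 203.0.113.0 255.255.255.0 mgmt
http server enable
http 203.0.113.0 255.255.255.0 mgmt
```

The router or switch port facing Ethernet0/0 has to be an 802.1Q trunk carrying both VLANs, as the reply notes.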