standby and active ASA

Dragomir
Level 1

When I log into my ASA and create an access list, the rule does not work. Is it possible that I am adding an ACL on the standby and not the primary?

How do I check which is primary or standby?


7 Replies

Julio Carvajal
VIP Alumni

Hello Tony,

Have you applied the access-group command?

Type the command:

show failover (this will tell you if you are on the active or standby box)

Also, when you generate a new command on the standby unit you get a warning about a configuration mismatch, so if you have not seen it you are on the primary.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dragomir
Level 1

This is what I see:

show failover
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 210 maximum
failover replication http

No, I have not applied the access-group command. I am trying to create this:

access-list acl-dmz2 line 101 extended permit tcp any host x.x.x.x eq 1688

but it does not work.

Also, I did not see any warning after creating the ACL.

I think I am on the active unit since there are hit counts on the ACLs; the other one has no hit counts. But my simple ACL is not working.

OK, I think I found out why. In addition to the access-list line,

I also needed the static (inside,dmz) insideIP insideIP netmask 255.255.255.255

Why is that?

Hello Tony,

First of all:

You are not on the active nor standby, as failover is off.

Second, you need to have the access-group command in order for an ACL to take place.

show run access-group will show us if you have it.

Finally, you need the static command because you want to start connections from the DMZ, and the static NAT is bidirectional, which means you can initiate connections from the other side (in this case the DMZ), so you need it.

Cheers,

Julio Carvajal Segura
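The two checks from this answer, written out as an added example (not code from the thread or from Cisco): a small script that scans saved ASA `show running-config` and `show failover` output for ACLs that are defined but never bound with access-group, and reports the unit's failover role. The sample text below is constructed for this example and follows the output format quoted earlier in the thread.

```python
"""Flag ASA ACLs with no access-group binding and summarise failover state."""
import re

# Constructed sample of 'show running-config' lines: acl-dmz2 is defined
# but never applied, acl-outside is applied on the outside interface.
SAMPLE_RUN = """\
access-list acl-dmz2 line 101 extended permit tcp any host x.x.x.x eq 1688
access-list acl-outside extended permit tcp any host 203.0.113.10 eq 443
access-group acl-outside in interface outside
static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255
"""

# Constructed sample of 'show failover' on a unit with failover disabled.
SAMPLE_FAILOVER = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
"""


def unapplied_acls(running_config):
    """Return names of ACLs that are defined but never bound by access-group."""
    defined, applied = set(), set()
    for line in running_config.splitlines():
        m = re.match(r"access-list\s+(\S+)\s", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+", line)
        if m:
            applied.add(m.group(1))
    return sorted(defined - applied)


def failover_role(show_failover):
    """Return (role, unit): role is 'off' when failover is disabled, otherwise
    'active' or 'standby' taken from the 'This host: <unit> - <state>' line."""
    m = re.search(r"^Failover unit (\S+)", show_failover, re.M)
    unit = m.group(1) if m else None
    if re.search(r"^Failover Off", show_failover, re.M):
        return ("off", unit)
    m = re.search(r"^\s*This host:\s*\S+\s*-\s*(Active|Standby)", show_failover, re.M)
    return (m.group(1).lower() if m else "unknown", unit)


if __name__ == "__main__":
    print("ACLs never applied:", unapplied_acls(SAMPLE_RUN))
    print("failover role:", failover_role(SAMPLE_FAILOVER))
```

Run it against the real command output captured from the box to see which ACL names still need an access-group line.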

Thank you. I do have access-group.

Hello Tony,

My pleasure.

Cheers,

Julio Carvajal Segura