Cisco Support Community

New Member

standby and active asa

When I log into my ASA and create an access list, the rule does not work. Is it possible that I am adding an ACL on the standby and not the primary?

How do I check which is primary or standby?

7 REPLIES

Hello Tony,

Have you applied the access-group command?

Type the command:

show failover (this will tell you if you are on the active or standby box)

Also, when you generate a new command on the standby unit you get a warning about a configuration mismatch, so if you have not seen it you are on the primary.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

This is what I see:

show failover
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 210 maximum
failover replication http

No, I have not applied the access group command. I am trying to create this:

access-list acl-dmz2 line 101 extended permit tcp any host x.x.x.x eq 1688

but it does not work.

Also, I did not see any warning after creating the ACL.

New Member

I think I am on the active since there are hit counts on the ACLs. The other one has no hit counts, but my simple ACL is not working.

New Member

OK, I think I found out why. In addition to the access-list line, I also needed the

static (inside,dmz) insideIP insideIP netmask 255.255.255.255

Why is that?

Hello Tony,

First of all, you are on neither the active nor the standby, as failover is off.

Second, you need to have the access-group command in order for an ACL to take effect.

show run access-group will show us if you have it.

Finally, you need the static command because you want to start connections from the DMZ, and the static NAT is bidirectional, which means you can initiate connections from the other site (in this case the DMZ), so you need it.

Cheers,

Julio Carvajal Segura

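The two checks from the reply above, as an added example that is not part of the thread or any poster's code: it reads saved "show failover" output to tell the configured unit role from the live state, and lists ACLs in a saved configuration that no access-group line applies. The function names, the failover-enabled sample, the acl-outside name and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# First lines of the 'show failover' output posted in the thread (failover disabled).
THREAD_OUTPUT = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
"""

# Constructed sample: the same unit with failover enabled.
PAIR_OUTPUT = """\
Failover On
Failover unit Secondary
        This host: Secondary - Active
        Other host: Primary - Standby Ready
"""

# Constructed config; names other than acl-dmz2 and all addresses are made up.
CONFIG = """\
access-list acl-outside extended permit tcp any host 192.0.2.10 eq 443
access-list acl-dmz2 extended permit tcp any host 192.0.2.20 eq 1688
access-group acl-outside in interface outside
"""


def failover_status(text):
    """Return whether failover is on, the configured unit role, and the live state."""
    on = re.search(r"^Failover (On|Off)\s*$", text, re.M)
    unit = re.search(r"^Failover unit (Primary|Secondary)", text, re.M)
    host = re.search(r"^\s*This host:\s*\w+\s*-\s*(.+?)\s*$", text, re.M)
    enabled = bool(on) and on.group(1) == "On"
    return {
        "failover_on": enabled,
        # Primary/Secondary is a configured role, not the live state.
        "unit": unit.group(1) if unit else None,
        # Active/Standby only exists while failover is enabled.
        "state": host.group(1) if enabled and host else None,
    }


def acls_without_access_group(config):
    """List ACL names that no access-group line applies (order of definition)."""
    bound = set(re.findall(r"^access-group (\S+)\s", config, re.M))
    unbound = []
    for name in re.findall(r"^access-list (\S+)\s", config, re.M):
        if name not in bound and name not in unbound:
            unbound.append(name)
    return unbound
```

An ACL listed here may still be referenced by another feature; the check only covers access-group binding.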
New Member

Thank you. I do have access-group.

Hello Tony,

My pleasure

Cheers,

Julio Carvajal Segura
