513 Views, 10 Helpful, 3 Replies

ASA Next generation firewall

fogemarttt
Level 1

Hello All,

I am implementing my first ASA NGFW (5515X). I have many issues.

I am implementing routed mode. I want to filter traffic as it goes to my server VLAN. I have two Cisco 6500 in VSS mode.

I have connected the gi0/0 and gi0/1 of each ASA to both 6500.

The port-channel is not coming up.

On the ASA, this is my configuration:

!
interface gigabitEthernet 0/0
 no shutdown
 channel-group 1 mode passive
 exit
!
interface gigabitEthernet 0/1
 no shutdown
 channel-group 1 mode passive
 exit
!
interface port-channel 1
 no shutdown
 ip address 10.1.1.1
 exit
!

On the chassis, we have the channel group in active mode and many VLANs on this chassis.

It is not possible to put the port-channel or an interface on the ASA into trunk mode.

show port-channel 1 summary
Po1(N)       Gi0/0(w) Gi0/1(w)

How do I solve this issue and what are the commands?

How can I do it? The target is to have redundancy between the two Cisco 6500.

2 - Failover between two ASA

I have connected port Gi0/3 on both ASA together (not a crossover cable but straight-through): 172.16.1.1/29 and 172.16.1.2/29.

The ping between the two ASA on this interface is working properly.

I have authorized ASDM on this interface on both ASA.

ASA 1: http 172.16.1.1 interface failover
ASA 2: http 172.16.1.2 interface failover

When I launch the HA wizard in ASDM, I get an error on the peer compatibility check (cannot contact the peer).

What are the best ways to achieve failover between the two ASA, and what are the commands, please?

3 - ASA (CX) NGFW

The scope of this project is to filter traffic going to Gi0/5 (inside interface) using ASA NGFW (PRSM).

If the failover is OK, is that all that is needed for ASA NGFW failover, or is there another configuration?

All the filtering must be done using ASA NGFW (layer 3 filtering and port filtering).

The traffic comes to the ASA, then goes to ASA NGFW for filtering, and after filtering goes back to the ASA again to reach the final destination.

3 Replies

Marvin Rhoads
Hall of Fame

1. It should work with the ASA passive and the 6500 VSS pair active in the portchannel. Have you tried reversing those roles?

2. I'd step through the configuration guide section on failover. It's normally quite straightforward to set up. The physical interfaces are autosensing so no crossover cable is necessary.

3. In an HA pair, the NGFW (CX module configured via PRSM) configurations do not automatically synchronize unless you use multi-device mode PRSM (licensed product on a separate VM). Otherwise you have to set up each module independently.
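The two CLI pieces the reply points at (an LACP port-channel with the roles reversed, and an Active/Standby failover pair over Gi0/3), written out as an added example that is not from the original thread or from Cisco's own documentation. It reuses the poster's addressing (10.1.1.1 on the port-channel, 172.16.1.1/29 and 172.16.1.2/29 on Gi0/3) and assumes the rest: the ASA becomes the LACP active side with the 6500 VSS pair passive, the server VLAN is VLAN 10, the port-channel mask is /24, the standby address is 10.1.1.2, the failover interface name FOLINK and the shared secret are placeholders.

```text
! ---- Unit 1 (primary) ----
! LACP members. ASA is the active side here; the 6500 VSS pair would be set
! to passive (roles reversed from the post, as the reply suggests).
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! No IP on the port-channel itself. One subinterface per VLAN is how the ASA
! does the 802.1Q "trunk" the post asked about. VLAN 10, the /24 mask and the
! standby address 10.1.1.2 are assumptions, not values from the thread.
interface Port-channel1
 no shutdown
!
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Dedicated failover link on Gi0/3. It deliberately carries no nameif; the
! failover commands below own it. FOLINK is an assumed interface name.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.1.1 255.255.255.248 standby 172.16.1.2
failover key <shared-secret-placeholder>
failover
!
! ---- Unit 2 (secondary) ----
! Only the unit role differs; the interface configuration above is replicated
! from the primary once the pair forms.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.1.1 255.255.255.248 standby 172.16.1.2
failover key <shared-secret-placeholder>
failover
```

Two points worth checking against the post. The failover link is a dedicated interface with no nameif, so the `http ... interface failover` lines in the question would have to go once Gi0/3 is given to failover. And the `failover key` is not optional from a security point of view: without it the replication traffic between the two units, which includes the running configuration, crosses the failover link unencrypted. On the 6500 side the matching port-channel has to trunk VLAN 10 toward the ASA for the subinterface to see traffic.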

Thank you Marvin,

I am not getting your point of view in step 3.

If I configure ASA failover, for example on a 5515X using ASDM, will it not replicate my ASA NGFW configurations? (Because when using on-box PRSM, there is no step to implement failover.)

You mean that I absolutely must have off-box PRSM for ASA NGFW failover or HA?

You're welcome.

Regarding your question about failover for the NGFW - you do not have to use off-box PRSM. However, if you choose not to, then any changes you make on the primary unit via its on-box PRSM must also be made on the standby unit via its separate on-box PRSM. Admittedly that's a bit cumbersome but that's the way it is.

(The service policy on the base ASA that redirects traffic into the CX module is replicated.)

Please take a moment to rate responses and/or mark your question as answered.
