10-24-2006 12:25 PM - edited 03-09-2019 04:39 PM
Hi - Can anyone tell me if Active/Active failover on ASAs requires two router ports for the egress traffic? In other words, a path for each subnet of the two contexts? Or, in its simplest form, can A/A failover work with a single-port gateway router?
Thanks
Dave
10-24-2006 12:45 PM
Dave,
Multiple contexts can share outside access by assigning each of them an IP address on the same subnet. But A/A failover requires that each context have its own physical interface, so a single-port gateway router is not going to work, unless you implement VLAN routing using the router-on-a-stick approach.
Thanks,
Hang
10-24-2006 01:08 PM
Thanks very much for the confirmation, Hang. I can't believe how difficult this A/A is getting!
Dave
10-24-2006 06:52 PM
Hi Hang,
I was reviewing your response and I have a quick question, if you may allow me: since we can configure two interfaces (one from each context) on the outside zone, why do we need to configure VLAN routing using router-on-a-stick here? I believe both contexts should route the traffic to the inside interface of the router, which is basically part of the same subnet as the outside interfaces of the ASA.
Second, I recall there was a limitation in the ASA A/A setup which doesn't allow configuring the same NAT and static rules for the same inside subnet to outside (i.e. when you configure the same static commands to publish your DMZ services, for example, on both contexts to the outside zone, you get an error about duplicate static entries). Have you ever come across such a problem, or are you aware of such a limitation in the ASA A/A setup? My understanding is that Cisco A/A is mainly designed to support different inside zones and NOT the same inside zone!
Appreciate your feedback.
Regards,
Haitham
10-24-2006 09:26 PM
Haitham,
You are right. If the outside zones of both contexts are on the same subnet (with the upstream router), the router-on-a-stick approach is not needed.
I don't think I understand your second question completely, but I'll give it a try. You can treat the different contexts as two different security appliances. Therefore, the configuration on one context is independent of the configuration on another context. I used to put an identical configuration (with NAT) on two contexts. Even though this setup does not do me any good network-wise, my PIX never complained. A/A just provides high availability and load balancing. From the configuration point of view, there should not be any difference from an individual ASA.
Hope I answered your question,
Hang
10-24-2006 09:46 PM
Hang,
Thanks for your response... regarding the second part, can you please confirm for me: if I have a shared DMZ between the two contexts, will I be able to configure the same static rule to publish my web server, for example, on the two different contexts with no errors? I tried this case with version 7.1 and it gave me duplicate static entries when I entered the same static rule on both contexts!
In summary, will you be able to apply exactly the same ACL and NAT rules on both contexts for redundancy and load balancing?
I hope I have clarified my question better.
Regards,
Haitham
10-24-2006 10:19 PM
Haitham,
It should work; below is the config I put in, no complaint. I created two contexts here, TAC and SHUB. They both share interface e2 for the DMZ.
! System execution space: physical interfaces and the VLAN subinterfaces
! handed to the contexts. Ethernet2 is not subdivided; it is the DMZ shared
! by both contexts.
interface Ethernet0
!
interface Ethernet0.1
 vlan 11
!
interface Ethernet0.2
 vlan 12
!
interface Ethernet0.3
 vlan 13
!
interface Ethernet1
!
interface Ethernet1.1
 vlan 21
!
interface Ethernet1.2
 vlan 22
!
interface Ethernet1.3
 vlan 23
!
interface Ethernet2
!
! Context TAC: outside on VLAN 12, inside on VLAN 22, DMZ on Ethernet2
hostname TAC
domain-name tac.com
enable password xxx
names
!
interface Ethernet0.2
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet1.2
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
global (outside) 1 10.2.2.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255
!
! Context SHUB: outside on VLAN 13, inside on VLAN 23, DMZ on Ethernet2
! (same global, nat and static lines as TAC)
hostname SHUB
enable password xxx
names
!
interface Ethernet0.3
 nameif outside
 security-level 0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet1.3
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 80
 ip address 192.168.0.2 255.255.255.0
!
global (outside) 1 10.2.2.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255
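As an added example for this thread (not part of the original posts and not Cisco tooling), the following Python script reads a multi-context dump in the pre-8.3 NAT syntax used above and cross-checks the contexts against each other: which interfaces more than one context configures, which mapped addresses (from static or global lines) more than one context claims, and where a shared interface carries a different security-level in each context. These are exactly the points the thread turns on when two contexts get identical NAT on a shared DMZ. SAMPLE_CONFIG is a constructed, trimmed copy of the TAC/SHUB config posted above (inside interfaces and nat lines left out); all function names are this example's own.

```python
"""Cross-context consistency check for a multi-context ASA dump (added example,
pre-8.3 NAT syntax as in the thread). Function names are this example's own."""
import re
from collections import defaultdict

# Constructed, trimmed copy of the TAC/SHUB context configs posted above.
SAMPLE_CONFIG = """\
hostname TAC
interface Ethernet0.2
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
global (outside) 1 10.2.2.3
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255
hostname SHUB
interface Ethernet0.3
 nameif outside
 security-level 0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 80
 ip address 192.168.0.2 255.255.255.0
!
global (outside) 1 10.2.2.3
static (DMZ,outside) 10.2.2.5 192.168.0.5 netmask 255.255.255.255
"""

def parse_contexts(text):
    """{name: {"interfaces": {iface: attrs}, "claims": [(nameif, mapped_ip)]}};
    anything before the first 'hostname' is kept under 'system'."""
    contexts = {"system": {"interfaces": {}, "claims": []}}
    current, iface = "system", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            iface = None                     # '!' closes an interface stanza
        elif m := re.match(r"hostname (\S+)", line):
            current, iface = m.group(1), None
            contexts[current] = {"interfaces": {}, "claims": []}
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
            contexts[current]["interfaces"].setdefault(iface, {})
        elif iface and (m := re.match(r"(nameif|security-level|ip address|vlan) (.+)", line)):
            contexts[current]["interfaces"][iface][m.group(1)] = m.group(2)
        elif m := re.match(r"static \([^,]+,([^)]+)\) (\S+)", line):
            contexts[current]["claims"].append((m.group(1), m.group(2)))   # mapped side
        elif m := re.match(r"global \(([^)]+)\) \d+ (\S+)", line):
            contexts[current]["claims"].append((m.group(1), m.group(2)))   # PAT/pool address
    return contexts

def physical(ctx, nameif):
    """Map a nameif back to the (sub)interface that carries it in this context."""
    return next((i for i, a in ctx["interfaces"].items() if a.get("nameif") == nameif), nameif)

def shared_interfaces(contexts):
    """{iface: [context, ...]} for interfaces configured in more than one context."""
    users = defaultdict(list)
    for name, ctx in contexts.items():
        if name != "system":
            for iface in ctx["interfaces"]:
                users[iface].append(name)
    return {i: c for i, c in users.items() if len(c) > 1}

def duplicate_claims(contexts):
    """{mapped_ip: [(context, carrying interface), ...]} for addresses several contexts own."""
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        for nameif, addr in ctx["claims"]:
            owners[addr].append((name, physical(ctx, nameif)))
    return {a: o for a, o in owners.items() if len(o) > 1}

def security_level_mismatches(contexts):
    """{iface: {context: level}} for shared interfaces whose level differs per context."""
    out = {}
    for iface, names in shared_interfaces(contexts).items():
        levels = {n: contexts[n]["interfaces"][iface].get("security-level") for n in names}
        if len(set(levels.values())) > 1:
            out[iface] = levels
    return out

def report(text):
    """Findings as a list of lines so callers can assert on them."""
    ctx = parse_contexts(text)
    lines = [f"shared interface {i}: {', '.join(c)}" for i, c in shared_interfaces(ctx).items()]
    lines += [f"mapped address {a} claimed by " + ", ".join(f"{n} ({p})" for n, p in o)
              for a, o in duplicate_claims(ctx).items()]
    lines += [f"security-level differs on shared {i}: " + ", ".join(f"{n}={l}" for n, l in lv.items())
              for i, lv in security_level_mismatches(ctx).items()]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run as-is it prints four findings for the sample: Ethernet2 is used by both TAC and SHUB, both contexts claim 10.2.2.3 and 10.2.2.5 on their outside subinterfaces (which sit on the same 10.2.2.0/24 subnet), and the shared DMZ is security-level 50 in TAC but 80 in SHUB. On a real unit, feed it the system-space running-config concatenated with each context's running-config; the parser only relies on the hostname line to tell contexts apart, so per-context dumps can simply be joined in order.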