I've been asked to look into setting up our 2 x ASA 5510s in failover and have a couple of questions that I hope somebody can answer for me.
For the purpose of my questions details are as follows:-
A stack of 3 x 2960s (IP Address 10.152.#.254) providing LAN services on range 10.152.#.# with 2 x Default GWs of...
0.0.0.0 0.0.0.0 10.152.#.253 - this is ASA1 connected to ISP1
0.0.0.0 0.0.0.0 10.152.#.252 10 - this is ASA2 connected to ISP2 (theory being that if ASA1 dies then LAN will re-route out through ASA2)
ISP1 has address range of 83.#.#.#
ISP2 has address range of 80.#.#.#
ASA1 is the primary device with most of our services running through it including external VPN and NAT'd external addresses to internal hosts using ISP1 IP address range.
ASA2 is a secondary device that is currently not being used for much apart from an alternative VPN entry point, but will be used for a digital delivery system in the not too distant future and also perhaps a couple of NAT'd external addresses to internal hosts using ISP2 IP address range.
I've read through the docs for both active/active and active/standby failover and understand that obviously I could use ASA2 as a failover device for ASA1 to cover off services on ISP1 or vice versa - but this would mean that it no longer serves ISP2 etc.
1) Is it possible to have both ASAs doing what they are currently doing but be configured as active/active failover for each other and their services - in my mind this would not be possible as, for example, if we lost the link to ISP1 then it would be pointless ASA2 NAT'ing ASA1's external addresses; effectively ISP1 address 83.#.#.# would be NAT'd on a device that is connected to 80.#.#.# externally. However if we had a failure on ASA1 and NOT the link, assuming that ASA2 can see the ISP1 link then it could NAT external addresses (I hope I'm making sense here) and services would continue as normal.
2) Both devices are the same software etc and both have Security Plus License with active/active failover capability but I've read somewhere that one of the devices should have an Unrestricted License?? Is the Sec Plus license on both not enough for A/A failover?
I believe that we should actually have 4 x ASAs, 2 covering off ISP1 and the other 2 covering off ISP2, both pairs running in either A/A or A/S, and so if we lose the actual link to ISP1 then the LAN default route changes to ISP2 as above.
Is 1 possible or am I right in my thinking of how it should be done?
You mention that there is VPN on the ASAs. Active/Active failover is not compatible with VPN. So if you are using VPN on the ASA then Active/Standby is what you need to use for High Availability/failover.
It is difficult to get failover of the ISP links if the ISP link is connected directly to the ASA but should be possible if the ISP links are connected to a switch which connects to both ASAs.
Thanks for your reply, it's much appreciated. Since my post and receiving your reply I've actually put a switch in so that both ASAs can see both ISP links.
I had also read, in the documentation, that if you're using VPN then it is not compatible with active/active failover but at the time had just assumed that because both ASAs were running their own IPSec VPN then if one ASA failed then our users would just use the other ASA's VPN access.
So, to confirm, if we are running a VPN setup on both and/or either ASAs then we cannot configure active/active failover and our only option is active/standby?
Another question would be... Is it possible for me to set up one of the ASAs to manage both links simultaneously, with NAT'd addresses from internal to external hosts on both networks, VPN running on both/either etc?
Just to confirm: if you are running VPN on an ASA then that ASA is not compatible with active/active failover. But active/standby is not necessarily your only option.
It should be possible to setup one of the ASAs to manage both links. Are you asking this in terms of then setting up the ASAs as an active/standby failover pair?
One other alternative that you might consider would be to have each ASA set up to run VPN as a load sharing cluster.
And of course there is also the option to have each ASA run independently, each ASA to run VPN, and each ASA to configure the other one as a backup server in the VPN client (this works for both the traditional IPSec client and the AnyConnect client).
So there are multiple ways that you might be able to achieve some redundancy between both ASAs for the VPN.
Thanks for your reply, this is helping me find the direction and setup I want.
The ultimate goal is to have the 2 ASAs providing cover for each other while managing both links (using both for traffic simultaneously), providing VPN access and also having internal hosts with external NAT'd addresses for access.
At the moment I'm thinking...
De-configure 2nd ASA
Setup primary ASA as follows:-
Ethernet 0/0 - outside - 83.244.#.# - connected to switch which can see both ISP links (this is already setup)
Ethernet 0/1 - inside - 10.152.#.# (this is already setup)
Ethernet 0/2 - outside2 - 80.169.#.# - connected to switch which can see both ISP links (this is currently outside IF on 2nd ASA)
Ethernet 0/3 - LAN based and stateful failover (crossover cable to be used and 2 IPs on any range so the 2 IFs can talk to each other?)
Static routes (main ones):-
outside 0.0.0.0 0.0.0.0 83.244.#.# 1 (track this route using gateway IP?)
outside2 0.0.0.0 0.0.0.0 80.169.#.# 1 (track this route using gateway IP?)
IPSec VPN - currently only allowed on outside IF so I will allow access on outside2 IF when configured.
Host A Internal 10.152.#.#, External 83.244.#.#
Host B Internal 10.152.#.#, External 80.169.#.#
Once setup and working I would then configure the 2nd ASA as the Standby unit.
1) Would the above work?
2) I found an article about using Policy Based Routing and IP SLA, however I then read further down and it said that ASAs don't yet support PBR, so I guess the question is: how would I be able to utilise both links?
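As an added illustration of the plan in the post above (this is not configuration from the thread, from Cisco documentation, or from the poster's devices), the following is how one ASA can hold both ISP interfaces, track the primary default route with IP SLA, carry static NAT for a host on each ISP range, and be prepared as the primary unit of an active/standby pair. It assumes ASA 8.4-style syntax (object NAT, `crypto ikev1`); all addresses are constructed using the thread's prefixes, and the object names, host addresses, port and the failover subnet are hypothetical.

```cisco
! Added example, not the poster's configuration. Addresses are constructed
! from the thread's prefixes; object names and hosts are hypothetical.
hostname ASA1

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 83.244.0.2 255.255.255.0 standby 83.244.0.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.152.0.253 255.255.0.0 standby 10.152.0.252
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 80.169.0.2 255.255.255.0 standby 80.169.0.3
interface Ethernet0/3
 description LAN + stateful failover link (crossover cable)
 no shutdown

! Probe the ISP1 gateway from the outside interface; the tracked
! default route is withdrawn when the probe fails, so the higher-metric
! route via ISP2 takes over. The ASA installs only one default route
! at a time across different interfaces, so this is failover, not
! simultaneous use of both links for outbound traffic.
sla monitor 10
 type echo protocol ipIcmpEcho 83.244.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 83.244.0.1 1 track 10
route outside2 0.0.0.0 0.0.0.0 80.169.0.1 254

! Outbound PAT behind whichever ISP interface the default route points to.
object network LAN
 subnet 10.152.0.0 255.255.0.0
nat (inside,outside) source dynamic LAN interface
nat (inside,outside2) source dynamic LAN interface

! Host A is published on ISP1's range, Host B on ISP2's range.
object network HostA
 host 10.152.0.10
 nat (inside,outside) static 83.244.0.10
object network HostB
 host 10.152.0.20
 nat (inside,outside2) static 80.169.0.20

! Inbound access is permitted per published service only (real IPs in 8.3+ ACLs).
access-list outside_in extended permit tcp any object HostA eq 443
access-group outside_in in interface outside
access-list outside2_in extended permit tcp any object HostB eq 443
access-group outside2_in in interface outside2

! IPsec remote access terminated on both ISP interfaces.
crypto ikev1 enable outside
crypto ikev1 enable outside2

! Active/standby failover over Ethernet0/3, used for both the failover
! control link and stateful replication. The key authenticates and
! encrypts failover messages; without it, connection state crosses the
! link in clear text.
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key REPLACE-WITH-SHARED-SECRET
failover
```

Once this is working on ASA1, the second unit needs only its interfaces enabled plus the `failover lan unit secondary`, `failover lan interface`, `failover link`, `failover interface ip` and `failover key` lines before `failover` is turned on; the rest of the configuration is replicated from the active unit. With the pair in place the switch's second default route to 10.152.#.252 is no longer useful: in active/standby only the active unit forwards traffic, and the two units swap the active and standby addresses on failover, so the LAN keeps a single gateway at 10.152.#.253. Inbound connections to Host B arrive and are answered via outside2 regardless of which default route is active, because the ASA keeps the reply direction of an existing connection on the interface it was built on.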