redundant internet with firewall asa 5515-x

khang2711 · ‎11-29-2012

Hi any one,

I have the diagram:

LAN -- Core Switch 3750X -- Firewall ASA 5515X --- MPLS --- Firewall ASA 5515X --- LAN

I configure Site to site VPN through MPLS line.

Now, I have one question:

How can I configure the firewall that comply with the above diagram means if the active link dies, firewall forward the packet to the standby link ?

Please answer me.

Thanks,

Vo

Eugene Korneychuk · ‎11-29-2012

Hello Vo,

When failover will happen, IP and Mac-address will be swapped between Primary and Secondary unit. So tunnel between P-P ASA should move to P-S ASA.

Thank you.

khang2711 · ‎11-29-2012

Thanks for your answer.

I will configure Firewall with mode Active - Passive to Site to site VPN between 2 Site.

Howerver, with mode Active - Passive, if the active link dies, all packet will run on the standby link or all packet will be dropped?

Vo Vo

Eugene Korneychuk · ‎11-30-2012

Hello Vo,

Packets will be dropped, since we need to establish new ipsec tunnel.

Thank you.

khang2711 · ‎11-30-2012

Ok, another question: if the active link dies, firewall will route the packet to the stanby link automatic or we must configure manual.

Thanks for your supports.

Eugene Korneychuk · ‎11-30-2012

Hello,

Firewall will route the packets to standby automatically cause it will be owner of address which is specified in the peer, no manual intervention is required.

Please rate helpfull posts

khang2711 · ‎11-30-2012

Thank you very much.