topic asa outside interface assigning ip in Network Security

asa outside interface assigning ip

bluesea2010 — Sat, 17 Jul 2021 05:20:18 GMT

Hi,

I have the below simple topology. I have only two public IPs from isp, One assigned on the CE router interface.
So one remaining for ASA outside interface. In that case, how can I assign a standby IP address like below

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

Or can I assign without a standby IP address like the one below

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0

What are the pros and cons without a standby IP address?

Thanks

Re: asa outside interface assigning ip

Rob Ingram — Sat, 17 Jul 2021 07:11:33 GMT

@bluesea2010

You don't have to assign a secondary IP address to an interface, you just cannot monitor for failover if you don't.

If you only have 1 IP address free to assign to the ASA's outside interface, then you don't have much choice. Ensure you assign a secondary IP address to the inside interfaces and monitor for failover.

HTH

Re: asa outside interface assigning ip

MHM Cisco World — Sat, 17 Jul 2021 10:11:56 GMT

there is no attachment for topology

Re: asa outside interface assigning ip

Marius Gunnerud — Sat, 17 Jul 2021 19:06:02 GMT

In my opinion there really are no "pro's" to not having a standby IP. As already mentioned, you will not be able to monitor the interface for a failover situation. Also, you will not be able to access the secondary ASA through the interface without the standby IP. Ofcourse, it is not a best practice to have management access to the device on the outside interface, but there might be situations where this could be required.

an advantage of having the standby IP is that if the failover link fails, the ASA will be able to send hello packets out the data interfaces to verify if the active ASA has actually failed or if it is just the failover link that is down.

Re: asa outside interface assigning ip

bluesea2010 — Sun, 18 Jul 2021 08:22:15 GMT

Hi,

What is the benefit of the above, I mean the situation when ASA understands only failover link failed ?

Second question in An active /standby HA scenario if I want to change configuration (1) to (2) , can I change straightaway ?

(1)

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0

(2)

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.1 255.255.255.0 standby 5.5.5.2

Thanks

Re: asa outside interface assigning ip

Marius Gunnerud — Mon, 19 Jul 2021 18:43:48 GMT

What is the benefit of the above, I mean the situation when ASA understands only failover link failed ?

If the failover link fails but the standby ASA has no way to check if this is a link failure or if the primary ASA is actually down you will have a split-brain situation where both ASAs will become active and this will cause other connectivity issues.

Second question in An active /standby HA scenario if I want to change configuration (1) to (2) , can I change straightaway ?

You can change it straight away, but I would not recommend doing it the way you suggested. Or at least, it would depend how the setup towards your ISP is, i.e. which IP they are using. if 5.5.5.1 is free I would suggest setting that as the standby IP as this will not cause any outage. changing the primary IP might cause outage.

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0 standby 5.5.5.1