topic Single ASA 5512-X directly connected to Active/Standy ASA 5512X in Network Security

Single ASA 5512-X directly connected to Active/Standy ASA 5512X pair

Mark Mattix — Tue, 12 Mar 2019 02:29:42 GMT

I was wondering if anyone could offer any advice or tips to how this proposed configuration would function. I planned on putting 2 interfaces on my single ASA 5512-X in an outside VLAN with the IP 192.168.1.1. One of these connections would run to the Active ASA and the other connection would run to the Standby ASA. I do not own the redundant ASAs but that network admin is working with me.

My question is, in the redundant ASA config one will be using the primary IP of 192.168.1.2 and the Standby will be using the 192.168.1.3. Will my single ASA have issues seeing both of these devices or should my static routes pointing to 192.168.1.2 as the next hop be sufficient in controlling the routing. I was concerned about my single device seeing 2 other devices and somehow getting confused on where to route the data, I wouldn't want data to be routed to the standby interface as that will be in standby mode and I'm assuming drop the traffic?

Is this method a good design? Instead of putting 2 ports on my single ASA in the outside VLAN should I instead just use a switch to connect the 2 links coming from the redundant ASAs and then just run 1 link from the switch to my single ASA? I'd appreciate any advice!

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Michael Muenz — Fri, 23 Aug 2013 08:52:15 GMT

The primary IP should always be your gateway, because this IP goes to standby with a failover.

Cabling is ok for this, because with a switch between them, you'll have a single point of failure again ...

Michael

Please rate all helpful posts

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Mark Mattix — Fri, 23 Aug 2013 20:11:52 GMT

Thank you for your reply Michael but I have another question. I'm trying to configure this and I cannot issue the int vlan command. I have read elsewhere that you have to use subinterfaces with a trunk link but I am not trunking these ports anywhere. I just want ot create an outside vlan in order to associate 2 ports with the outside vlan. Is this possible?

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Michael Muenz — Mon, 26 Aug 2013 07:16:22 GMT

Correct, only the 5505 supports VLAN's because the ports on the 55XX are routed ports, not swichports.

Cheapest solution would be to put a switch beween them. Sorry!

Michael

Please rate all helpful posts

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Mark Mattix — Tue, 27 Aug 2013 12:34:02 GMT

Thanks Michael, I was thinking about using a switch in front of them but thought there would be a better way or doing it. I appreciate your help!

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Mark Mattix — Tue, 27 Aug 2013 16:21:30 GMT

I have another question, if I have 20+ different subnets behind firewall 192.168.1.1 should I be using PAT to go to the other network? Also if I have a server on one of my networks that the redundant firewall side needs to reach should I do a static NAT? Thanks

Single ASA 5512-X directly connected to Active/Standy ASA 5512X

Michael Muenz — Wed, 28 Aug 2013 09:27:37 GMT

You mean traffic between these networks or traffic going to outside? If outside I'd say yes, because you don't have full control over the other firewall pair.

When you have an inside server I'd expand the network 192.168.1.0/29 to 28 or 27 and add a NAT IP to the firewall.

Michael

Please rate all helpful posts