topic Cisco ASA failover in Network Security

Cisco ASA failover

Network Pro — Tue, 12 Mar 2019 00:17:29 GMT

hi,

i am trying to setup a failover pair on Cisco asa 5520 - need a statefull failover

Do i need two ports dedicated to obtain the above - one for LAN based failover and one for statefull failver ? also do i need a switch in between to connect them ?

could you please help me with a config ?

Thanks

Re: Cisco ASA failover

Karsten Iwen — Thu, 01 Nov 2012 16:36:28 GMT

You can combine both funtions (LAN-link and stateful link) on one ethernet-link. That is quite common and works well on a 5520. A crossover-cable is supported on the ASA for that functionality.

All you need is in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco ASA failover

Network Pro — Fri, 02 Nov 2012 08:46:21 GMT

Thanks Karsten. Just wondering is there any drawbacks by using just 1 link ? because we this is a vpn termination unit and essentially needs to be up 24/7

Re: Cisco ASA failover

Karsten Iwen — Fri, 02 Nov 2012 08:56:08 GMT

For the 5520 there is no real drawback when you use one of the Gig-links for the FO-traffic (the 5510 supports a 100 MBit/s link for FO, but on the ASA you shouldn't use the m0/0-interface). Only on the high-end-systems it is imnportant to use a link that is fast enough to send all the state-changes to the standby-unit.

To increase the availability of this important link you could use the redundant-interface feature or even a port-channel for FO.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco ASA failover

Network Pro — Fri, 02 Nov 2012 11:19:25 GMT

so does the failover link should be differennt from the statefull link (just for statefull info to pass through?)

Cisco ASA failover

Karsten Iwen — Fri, 02 Nov 2012 12:00:23 GMT

so does the failover link should be differennt from the statefull link (just for statefull info to pass through?)

no, the 5520 has no problems to provide both functions through one physical link.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco ASA failover

Network Pro — Tue, 06 Nov 2012 09:18:43 GMT

thanks i will try this

Cisco ASA failover

Network Pro — Wed, 12 Dec 2012 14:31:54 GMT

Hi,

just a quick question. Do i need to use a seperate switch for the cables coming from the outside interface and inside interface (i mean a cable will be coming out of each firewall for hte outside interface and inside interface that will go into a switch, isnt it ? so do i need to use two seperate switches - one for inside pair and other for outside pair? or can i use hte same switch and vlan off. also i have dmz setup so i need a another switch for this dmz as well ?)

Thanks

Cisco ASA failover

Karsten Iwen — Wed, 12 Dec 2012 14:40:29 GMT

Technically, that can be done. Just use different VLANs for inside, outside and DMZ. But it's not a best practice to use the same switch for inside and outside. If your switch has a bug or misconfiguration, it is possible that you directly connect you inside network with the internet. The firewall would be bypassed in that case. So better use your existing switch for inside and buy an 8-port-switch or something like that for outside.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco ASA failover

Network Pro — Wed, 12 Dec 2012 14:45:32 GMT

Thanks for hte quick reply karsten but for dmz do i need another one as well ?

Re: Cisco ASA failover

Karsten Iwen — Wed, 12 Dec 2012 15:01:08 GMT

if you are paranoid, yes!

But many times that interface is shared on the outside- or inside-switch.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: Cisco ASA failover

Network Pro — Wed, 12 Dec 2012 15:41:06 GMT

Thanks Karsten