https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076947#M895756 <HTML><HEAD></HEAD><BODY><P>I'd cable it up more like this based on the diagram you provided. </P><P></P><P>Hope that helps.</P><P></P><P>Matt</P><P></P><P> </P><P></P></BODY></HTML> Tue, 30 Sep 2008 14:32:38 GMT Matthew Warrick 2008-09-30T14:32:38Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076944#M895739 <P>Hello Folks!!</P><P></P><P>I have two ASA 5520 Series, I want to implemented a DMZ three-homed with three ethernet interfaces and I want failover with this solution. </P><P></P><P>Is this possible with this device?.</P><P></P><P>What are the connections between the differents switch with SPT enabled to redundancy?.</P><P></P><P>Thanks in advance!</P> Mon, 11 Mar 2019 13:50:46 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076944#M895739 elias.manchon 2019-03-11T13:50:46Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076945#M895747 <HTML><HEAD></HEAD><BODY><P>Assuming you have the proper licenses on each device, this is possible.</P><P></P><P>You will need a total of 4 interfaces to enable failover: inside, outside, DMZ, and fail-link.</P><P></P><P>Each firewall interface is a L3 host port so the device does not participate in or have any knowledge of STP. Each port on the switch side should be in "switchport host" with cdp disabled, etc. Try to think of the firewall as a "server". </P><P></P><P>Each interface on the firewall will need a primary and standby IP enabled. Ideally you will want the fail-link cabled via x-over if the firewalls are co-located.</P><P></P><P>The configuration examples section for ASAs has the rest of the commands you will need to complete the config.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 29 Sep 2008 15:31:35 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076945#M895747 Matthew Warrick 2008-09-29T15:31:35Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076946#M895750 <HTML><HEAD></HEAD><BODY><P>Hi mattjw916,</P><P></P><P>I have sent a jpg file with the wire's connectios. Could you have a quick look at this file?. </P><P></P><P>Thanks again!!</P><P></P><P> </P><P></P></BODY></HTML> Tue, 30 Sep 2008 07:57:35 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076946#M895750 elias.manchon 2008-09-30T07:57:35Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076947#M895756 <HTML><HEAD></HEAD><BODY><P>I'd cable it up more like this based on the diagram you provided. </P><P></P><P>Hope that helps.</P><P></P><P>Matt</P><P></P><P> </P><P></P></BODY></HTML> Tue, 30 Sep 2008 14:32:38 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076947#M895756 Matthew Warrick 2008-09-30T14:32:38Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076948#M895761 <HTML><HEAD></HEAD><BODY><P>Very Thanks Matt</P><P></P><P>Your diagram is very explanatory.</P><P></P><P>My last dude... If the Primary/Active ASA fail, then the secondary ASA take posession of role of Primary. But How could I do that the different IP's of my ISP for each ASA will be transparents for the configuration of the IPSec tunnels on the remotes side?.</P><P></P><P>Thanks again!!</P></BODY></HTML> Tue, 30 Sep 2008 15:10:09 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076948#M895761 elias.manchon 2008-09-30T15:10:09Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076949#M895763 <HTML><HEAD></HEAD><BODY><P>When the primary/active fails the secondary/standby assumes the secondary/active state. The secondary device re-IPs itself with the primary's IP addresses and "impersonates" the dead firewall. Of course, that vastly oversimplifies the actual process but from the ISP and server's perspective the outside IP address of the active firewall never changes.</P><P></P><P>As long as it is a graceful failover the connection states should be maintained during a failover event. I personally haven't had to support any nailed-up ipsec tunnels but I assume they would remain connected without any intervention.</P></BODY></HTML> Tue, 30 Sep 2008 15:39:33 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076949#M895763 Matthew Warrick 2008-09-30T15:39:33Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076950#M895765 <HTML><HEAD></HEAD><BODY><P>Hi Matt,</P><P></P><P>In short, you want say me that I can/must setup the secondary device with the same configuration that the primary device?</P><P></P><P>the public IPs of both of them are the same?</P><P></P><P>Thanks again</P></BODY></HTML> Tue, 30 Sep 2008 16:03:14 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076950#M895765 elias.manchon 2008-09-30T16:03:14Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076951#M895768 <HTML><HEAD></HEAD><BODY><P>The secondary firewall doesn't really have its own config. Once you enable failover and establish IP connectivity between the firewalls the primary writes its config to the flash of the secondary automatically. To create a failover secondary firewall you only need to cable up a blank ASA, add a couple failover commands, and then primary sees and syncs it.</P><P></P><P>Here is a sample config that explains this all in great detail:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml" target="_blank">http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A></P></BODY></HTML> Tue, 30 Sep 2008 16:10:00 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076951#M895768 Matthew Warrick 2008-09-30T16:10:00Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076952#M895771 <HTML><HEAD></HEAD><BODY><P>Sorry, I cannot to enter at this area. Would you mind send me by email?.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 30 Sep 2008 16:19:20 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076952#M895771 elias.manchon 2008-09-30T16:19:20Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076953#M895772 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A></P><P></P><P>Try this one. It shouldn't require an account I don't think.</P></BODY></HTML> Tue, 30 Sep 2008 16:40:00 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076953#M895772 Matthew Warrick 2008-09-30T16:40:00Z https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076954#M895776 <HTML><HEAD></HEAD><BODY><P>Matt, Very Thanks for all!!</P></BODY></HTML> Tue, 30 Sep 2008 17:54:47 GMT https://community.cisco.com/t5/network-security/asa-three-interfaces-in-failover/m-p/1076954#M895776 elias.manchon 2008-09-30T17:54:47Z