Cisco ASA 5520 Failover behaviour

shekhar
Level 1

Hi Guys,

I am new to Cisco ASA firewalls, so spare me if I ask basic doubts.

If I want to configure ASAs in Active/Standby mode, then their interfaces should be in the same IP subnet.

Now, say for e.g. for the DMZ and inside zones I am using a common subnet on both ASAs.

Let's say: for DMZ, 192.168.1.1/24 for the primary ASA and 192.168.1.2/24 for the secondary ASA

for inside, 172.16.1.1/24 for the primary ASA and 172.16.1.2/24 for the secondary ASA.

Can I use a different subnet for the outside interfaces, let's say 1.1.1.1/24 for the primary ASA and 2.2.2.2/24 for the secondary ASA?

6 Replies

Hi Bro

In ACTIVE/STANDBY mode, both IP addresses MUST be in the same network address. No 2-ways about it. Here's a sample for your kind reference:


!
hostname HQPIXFW1
!
interface Ethernet0
nameif outside
security-level 50
ip address 2.2.2.1 255.255.255.248 standby 2.2.2.2
!
interface Ethernet1
nameif inside
security-level 50
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet3
description LAN/STATE Failover Interface
!

access-list acl_in extended permit ip any any
access-list acl_out extended permit ip any any


failover
! On the other unit, change "primary" below to "secondary"
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key cisco123456789
failover link failover Ethernet3
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

no nat-control


access-group acl_out in interface outside
access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 2.2.2.6

P/S: If you think this comment is useful, please do rate them nicely :-) and select the option “This Question is Answered”

Warm regards,
Ramraj Sivagnanam Sivajanam
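The rule in the reply above (active and standby addresses of each interface must sit in one subnet) is easy to check mechanically before a failover pair goes live. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the `ip address ... standby ...` lines of an ASA/PIX-style configuration and reports every interface whose standby address would not work for Active/Standby failover. The sample configuration is constructed for the example; its outside interface deliberately repeats the 1.1.1.1 / 2.2.2.2 idea from the question, and the `mgmt` interface has no standby address at all.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample config in ASA/PIX style (not taken from the thread). The
# outside interface deliberately repeats the question's 1.1.1.1 / 2.2.2.2 idea;
# the mgmt interface has no standby address at all.
SAMPLE_CONFIG = """\
!
hostname ASA-PRIMARY
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 2.2.2.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/3
 nameif mgmt
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
"""


class InterfaceAddr(NamedTuple):
    name: str                            # nameif if set, else the physical name
    active: ipaddress.IPv4Interface      # active-unit address with its mask
    standby: Optional[ipaddress.IPv4Address]


# 'ip address <ip> <mask> [standby <ip>]' as written inside an interface stanza
IP_ADDRESS_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_interfaces(config: str) -> List[InterfaceAddr]:
    """Walk the config, tracking the current interface stanza, and collect
    every 'ip address' line together with its optional standby address."""
    found: List[InterfaceAddr] = []
    physical: Optional[str] = None
    nameif: Optional[str] = None
    for line in config.splitlines():
        text = line.strip()
        if text.startswith("interface "):
            physical, nameif = text.split(None, 1)[1], None
            continue
        if text.startswith("nameif "):
            nameif = text.split(None, 1)[1]
            continue
        match = IP_ADDRESS_RE.match(line)
        if match and physical is not None:
            active = ipaddress.IPv4Interface(f"{match.group(1)}/{match.group(2)}")
            standby = ipaddress.IPv4Address(match.group(3)) if match.group(3) else None
            found.append(InterfaceAddr(nameif or physical, active, standby))
    return found


def check_failover_addresses(config: str) -> List[str]:
    """Return one finding per interface whose active/standby pair is not
    usable for Active/Standby failover; an empty list means all pairs are fine."""
    findings: List[str] = []
    for iface in parse_interfaces(config):
        net = iface.active.network
        if iface.standby is None:
            findings.append(f"{iface.name}: no standby address configured")
        elif iface.standby == iface.active.ip:
            findings.append(f"{iface.name}: standby address equals the active address")
        elif iface.standby not in net:
            # The case asked about in the thread: the two units would never
            # share a subnet, so the standby could not take over the active IP.
            findings.append(f"{iface.name}: standby {iface.standby} is outside {net}")
        elif net.prefixlen < 31 and iface.standby in (net.network_address, net.broadcast_address):
            findings.append(f"{iface.name}: standby {iface.standby} is the network or broadcast address")
    return findings


if __name__ == "__main__":
    for finding in check_failover_addresses(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker flags `outside` (standby 2.2.2.2 lies outside 1.1.1.0/24) and `mgmt` (no standby address), and passes `inside` and `dmz`. Changing the outside line to `standby 1.1.1.2` clears the first finding, which is exactly the correction the reply above recommends.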

Hi Ramraj,

Thanks for your reply,

If this is the case, how can I terminate two separate links from the ISP on the ASA?

Hi Bro

You could either place 2 units (for redundancy purposes) of L3 Cisco switches on the outside interface of the Cisco FW (assuming both ISP links are provided in UTP cable form), or you could connect both ISP links to 2 separate Cisco Routers and have both these Cisco Routers connect to the outside interface of the Cisco FW via L2 Cisco switches.

At the end of the day, you still need switches for both Cisco FWs to communicate with each other for failover purposes. No 2-ways about it.

P/S: If you think this comment is useful, please do rate them nicely :-) and select the option “This Question is Answered”

Warm regards,
Ramraj Sivagnanam Sivajanam

And another way:

Use two different interfaces for your outside connections. One will be primary, the other can only be used as backup.

I suppose you guys are correct....

But my doubt came because in Juniper SRX firewalls you can assign different IP addresses.

Check out this link:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/cc_deployment_scenarios.html and go to the "Asymmetric Routing Chassis Cluster Scenario" section.

Don't all kinds of firewalls behave in the same way as far as failover is concerned?

On the ASA you need to activate Security Contexts (virtual firewalls), where one context connects to ISP1 and another context connects to ISP2. But with that deployment you are restricted to pure firewalling. No VPN, dynamic routing ...
