When setting up Cisco ASA firewalls, we prefer to install them in pairs. A High Availability (HA) pair is our usual deployment and works well for our particular solution model. Our current customer has forced us down the route of a single firewall and a switch stack of 2x 2960s without a standby firewall. Our single firewall needs to be connected to both switches for redundancy even though we only have one firewall. I appreciate this is not ideal and not our common practice, but I have to work with what I have and come up with a viable solution.
At present I only have 2x Gig links from the firewall to the switch stack but need to pass 3x VLANs across them to control access across the subnets. Normally this would be achieved by the following configuration (if I had access to 2 firewalls):
! Member interface and unit numbers below are assumed; only the VLAN IDs
! and addresses are from the original post.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 no ip address
interface Redundant1.77
 vlan 77
 description VLAN 77 Example
 ip address 192.168.77.1 255.255.255.0
interface Redundant1.21
 vlan 21
 description VLAN 21 - Example
 ip address 192.168.21.1 255.255.255.0
interface Redundant1.31
 vlan 31
 description VLAN 31 - Example
 ip address 192.168.31.1 255.255.255.0
I currently don't have two firewalls so can't create "interface Redundant", as far as I know, and am looking for a way to pass the 3 VLANs I have with only the 2x Gig links from my single firewall.
Hope this makes some sense. I know it's not best practice, but at present nobody is willing to put their hand in their pocket and pay for the additional firewall.
If it helps I can post an image, but I don't have one to hand just now.
You can configure a redundant link on a single ASA. You do not need an ASA pair to configure a redundant link. A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA reliability. Redundant link and ASA failover pair are two different concepts. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.
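As an added example, not taken from the original post or from the answer above, here is a fuller version of the single-ASA redundant interface setup the answer describes, with three 802.1Q subinterfaces on the ASA and the matching trunk ports on the 2960 stack. The interface numbers (Redundant1, GigabitEthernet0/0 and 0/1 on the ASA, Gi1/0/1 and Gi2/0/1 on the stack), the nameif values and the security levels are assumptions chosen for illustration; only the three VLAN IDs and their addresses come from the post.

```text
! ---- ASA side (assumed interface numbers) ----
! Member interfaces carry only physical settings; all Layer 3 and
! nameif/security-level configuration lives on the redundant interface
! and its subinterfaces.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
!
! The first member added is the active member and supplies the MAC
! address the redundant interface uses; the second is standby.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 no ip address
 no shutdown
!
! One 802.1Q subinterface per VLAN. Each needs a vlan tag, a nameif
! and a security-level before the ASA will forward traffic on it.
interface Redundant1.77
 vlan 77
 nameif vlan77
 security-level 50
 ip address 192.168.77.1 255.255.255.0
!
interface Redundant1.21
 vlan 21
 nameif vlan21
 security-level 50
 ip address 192.168.21.1 255.255.255.0
!
interface Redundant1.31
 vlan 31
 nameif vlan31
 security-level 50
 ip address 192.168.31.1 255.255.255.0
!
! With equal security levels the ASA drops traffic between these
! subinterfaces unless "same-security-traffic permit inter-interface"
! is set. Leave that unset and permit only the required flows with an
! access-list applied per interface (access-group ... in interface ...).
!
! ---- Switch side (2960 stack, assumed ports) ----
! One link to each stack member, so losing a member does not take both
! ASA links down. Prune the trunks to exactly the three firewall VLANs.
interface GigabitEthernet1/0/1
 description ASA Gi0/0 (Redundant1 active member)
 switchport mode trunk
 switchport trunk allowed vlan 21,31,77
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/1
 description ASA Gi0/1 (Redundant1 standby member)
 switchport mode trunk
 switchport trunk allowed vlan 21,31,77
 switchport nonegotiate
 spanning-tree portfast trunk
```

To verify, `show interface Redundant1` on the ASA reports which member is currently active; pull the active cable and confirm the standby takes over and that hosts in all three VLANs still reach their gateway. Because the redundant interface keeps the MAC address of the first-listed member, the switch simply relearns that MAC on the other port after a failover, so no ARP changes are needed on the hosts. Bear in mind that this only protects against a link or stack-member failure; a failure of the ASA itself still takes everything down, which is the gap a failover pair would close.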
OK, that's reassuring, so I can pass all my VLANs via my two Gigabit links, use subinterfaces and set it up as a redundant interface pair.
I didn't think I could use a port channel as I only have 2 physical connections and 3 VLANs to pass to the ASA?