01-16-2023 02:28 PM
Hello there! First off, thanks in advance for the help!
My scenario is the following:
- I have ONE ISP provider, one Cisco ASA 5525 (Rack 1), one L2 Switch (Rack 1) and:
- One ASA 5525 (Rack 2), one L2 switch (Rack 2)
These two racks are interconnected via data center inter-rack (actually, the hall is in the middle) and my simple question would be:
Since I heard there is this "failover" configuration that can be applied to ASAs, is it possible for me to actually configure ASA1 as the primary device and ASA2 as a "mirror" device, knowing that I have only one ISP cord located at Rack 1?
The final scenario would be: If ASA1 fails, ASA2 takes its place, using internet connectivity coming from Rack 1.
Would "failover" work? Do I need VLAN management on FWs and SWs? What would be the best and simplest scenario? Since I've never deployed this kind of solution, I wanted to ask the experts!
Thanks a LOT for your time!
01-17-2023 12:34 AM
Hello,
The active/standby failover you have in mind is definitely possible, actually pretty standard, and fairly easy to configure. The link below has a straightforward setup explanation:
https://www.networkstraining.com/cisco-asa-active-standby-configuration/
01-17-2023 02:03 PM
Hello Georg!
I was checking the link you sent me, it seems ok but my question would be: do I need a specific VLAN config on SW1 and SW2? Or do I just plug in the ISP cord on SW1 and then, from SW1, use another cord to outside 0/0 on my ASA1?
Current gi0/0 on ASA1 shows as "native".
Will I be able to create the FO link between those two ASAs even knowing that there's a hall between RACK1 and RACK2? (They are interconnected via inter-rack, but that's the only interconnection we have between RACK1 and RACK2.)
Sorry if my questions are too dumb or basic, like I said in my post, this is my first time trying this out.
01-17-2023 01:56 AM
If the ISP is terminated only in RACK1 and you do not have Layer 2 extended to RACK2, the failover will not be effective.
Both ASAs should have connection visibility to the ISP connection; that is only possible if you introduce another Layer 2 switch, so ASA 1 and 2 can connect to the ISP (that is outside).
Inside should be the same case.
Here is the active/standby config:
https://www.balajibandi.com/?s=ASA+&paged=4
@Georg Pauwen - the posted link has a diagram that will help you.
01-17-2023 02:05 PM
Hello!
RACK1 has: ONE ASA, ONE L2 SW
RACK2 has: ONE ASA, ONE L2 SW
Both these racks are interconnected via inter-rack cable.
ISP cable is located inside RACK1.
Can I still make it work?
Thank you!
01-17-2023 02:55 PM
It works, but you have not provided some inputs here on how these are connected.
How are the ASA outside and inside interfaces connected to this Layer 2 switch?
It's about when ASA1 in RACK1 fails: how do you extend that ISP connection to ASA 2 in Rack 2?
Are the L2 switches in RACK1 and RACK2 stacked?
Is this Layer 2 switch only for the inside ports of the ASA?
Or are your inside and outside connected to the 2 ASAs on different VLANs?
01-18-2023 07:26 AM
Hello! Thanks for your reply!
This is how it goes:
ASA1: outside 0/0 : connected directly to the ISP cord
inside 0/1: connected directly to the L2 Switch (RACK1)
(inside 0/1 actually is logically: inside 0/1.5 , inside 0/1.10 and 0/1.15 - vlan5, vlan10, vlan15, for 3 /24 networks)
(ASA1 acts as a Router)
From L2 Switch#1 we have an inter rack that connects to L2 Switch#2, located inside the RACK2 (there's a hall in between)
So RACK2 has:
ASA2 (future Standby for FO)
L2Switch#2
How do we "give" ISP connectivity to ASA2 in case ASA1 fails? That's what's really bothering me...
Please tell me if you need additional information! And thank you!