06-12-2020 09:11 AM
We currently have two Cisco 5508x in HA mode, each with its own public address.
We are switching to a Metro Internet connection. For this, the ISP has issued just one WAN address (/30).
In order to keep our HA, the ISP recommended that we plug both ASAs into a switch connected to the single WAN. So, when one ASA physically fails, the other will still be connected to the WAN.
My question is: will it work? Can both ASAs use the same Internet address? Are the ASAs dependent on having two different addresses? Someone told me the ASAs use the two different addresses to check on each other. Is this true?
06-12-2020 12:11 PM
Yes, it is true that the ASAs use two different addresses so they can check on each other.
No, it will not work for ASAs in an HA failover configuration to both use the same IP address. For HA to work, the subnet must have at least three usable IP addresses, so a /30 would not work.
06-12-2020 12:26 PM
The ISP gave me a /28 for public addresses. Is there a way to use one of those even though I have one WAN?
06-12-2020 12:42 PM
It is a tempting thought that perhaps an address from the second address block might be used. But it would not solve your problem. When configuring the ASA for failover, you configure the interface with two IP addresses (one for active and one for standby). The ASAs use these addresses to communicate with each other, to check on each other, and to determine if there is some problem and the standby should become active. If the two addresses are not in the same subnet, then the ASAs will not talk to each other and failover would not work.
If we were talking about some other interface (perhaps a DMZ or something like that), you could just configure a single IP for the active device. But for the outside interface to participate in failover, both interfaces must be able to talk to each other.
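As an added illustration of the active/standby addressing described above (this is example configuration written for this page, not configuration posted by anyone in the thread), here is what the outside interface of an ASA active/standby pair looks like when it is carved out of a /28. The addresses are RFC 5737 documentation space, and the interface names, the failover-link subnet and the ISP gateway address are assumptions.

```cisco
! Added example, not from the thread: outside interface of an ASA
! active/standby failover pair using a /28 public block.
! Addresses are RFC 5737 documentation space; interface names, the
! failover-link subnet and the ISP gateway address are assumptions.
!
! 203.0.113.0/28 has 14 usable hosts. Three are consumed here:
!   203.0.113.1  ISP gateway (assumed)
!   203.0.113.2  outside address of whichever unit is currently active
!   203.0.113.3  outside address of whichever unit is currently standby
! A /30 has only 2 usable hosts, so once the ISP gateway takes one there
! is no room for both an active and a standby address on the same subnet.
!
! --- Primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet1/8
failover link FOLINK GigabitEthernet1/8
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240 standby 203.0.113.3
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
failover
!
! --- Secondary unit ---
! Only the failover bootstrap differs; the interface and route configuration
! above is replicated from the primary once failover comes up.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet1/8
failover link FOLINK GigabitEthernet1/8
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
```

Both units sit behind the same switch on the WAN side, as the ISP suggested, but each still owns a distinct address in the /28; the active/standby pair of addresses swaps between the chassis on failover, while the ISP only ever routes to the /28. After both units are up, `show failover` on either one should report the peer as Standby Ready and list the outside interface as Normal (Monitored); if the standby address is missing or in a different subnet, that interface check is what fails.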
06-15-2020 04:15 AM
Would it be possible to use two of the /28 public addresses, one for each ASA, or does one (both?) of them need a direct connection to the Internet.
06-15-2020 10:38 AM
If I am understanding your current architecture correctly, each ASA has its own public IP and connects to the ISP. Unless you want to think about changing your architecture in the new connection, each ASA will still need its own public IP and will need to connect to the ISP.
07-09-2020 03:30 PM
I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.