Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2032
Views
0
Helpful
6
Replies

One WAN Connection, Two HA ASA's

Go to solution
haggittmark@tm-america.com
Level 1
Level 1

‎06-12-2020 09:11 AM

We currently have two Cisco 5508x in HA mode, each with its own public address.
We are switching to a Metro Internet connection. For this, the ISP has issued just 1 WAN address (/30)
In order to keep our HA, the ISP recommended that we plug both ASA's into a switch connected to the single WAN. So, when one ASA physically fails the other will still be connected to the WAN.
My question is will is work? Can both ASA’s use the same Internet address? Are the ASA’s dependent on having two different addresses? Someone told me the ASA’s use the two different addresses to check on each other. Is this true?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to haggittmark@tm-america.com

‎06-15-2020 10:38 AM

If I am understanding your current architecture correctly each ASA has its own public IP and connects to the ISP. Unless you want to think about changing your architecture in the new connection each ASA will still need its own public IP and will need to connect to the ISP.

HTH

Rick

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎06-12-2020 12:11 PM

Yes it is true that the ASAs use 2 different addresses so they can check on each other.

No it will not work for ASA in HA failover configuration to both use the same IP address. For HA to work the subnet must have at least 3 usable IP addresses. So a /30 would not work. 

HTH

Rick
0 Helpful

Go to solution
haggittmark@tm-america.com
Level 1
Level 1
In response to Richard Burts

‎06-12-2020 12:26 PM

The ISP gave me a /28 for Public addresses. Is there a way to use one of those even though I have one WAN.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to haggittmark@tm-america.com

‎06-12-2020 12:42 PM

It is a tempting thought that perhaps an address from the second address block might be used. But it would not solve your problem. When configuring the ASA for failover you configure the interface with 2 IP addresses (one for active and one for standby). The ASAs use these addresses to communicate with each other, to check on each other, and to determine if there is some problem and the standby should become active. If the two addresses are not in the same subnet then the ASAs will not talk to each other and failover would not work.

 

If we were talking about some other interface (perhaps a DMZ or something like that) you could just configure a single IP for the active device. But for the outside interface to participate in failover both interfaces must be able to talk to each other.

HTH

Rick
0 Helpful

Go to solution
haggittmark@tm-america.com
Level 1
Level 1
In response to Richard Burts

‎06-15-2020 04:15 AM

Would it be possible to use two of the /28 public addresses, one for each ASA, or does one (both?) of them need a direct connection to the Internet.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to haggittmark@tm-america.com

‎06-15-2020 10:38 AM

If I am understanding your current architecture correctly each ASA has its own public IP and connects to the ISP. Unless you want to think about changing your architecture in the new connection each ASA will still need its own public IP and will need to connect to the ISP.

HTH

Rick
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Richard Burts

‎07-09-2020 03:30 PM

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. 

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents