04-18-2017 11:13 PM - edited 03-12-2019 02:14 AM
Hi All,
I am very confused about the config for the outside switches for active/standby ASA with dual ISP connections. The image below is from the Firewall and IPS Design CVD.
If the ASAs' outside interfaces are in the private address range, how does one on the internet access the services behind the firewall if the public routable IP is not on the firewalls? How would VPN access work? Or how would you NAT inside services to the public IPs?
Does anyone have a sample config for the outside switches?
Inside network----(IN)ASA(OUT)----Private_IP---Outside Switches---Public /30 IP---Internet.
04-19-2017 01:21 AM
The private addresses are only examples here. Typically you configure your two outside interfaces with the public IPs that you got from your ISP.
04-19-2017 08:33 AM
Thanks for replying. So in that case would it be like this:
- ASA primary would have two public IPs configured. There would not be any standby IP for each of the public IPs because the ISP only provides one free public IP. I assume this would not affect failover, as the standby ASA would get the same public IP used by the primary during failover?
- Outside switches will be purely L2 for this traffic. Just trunking two VLANs (one for each ISP)?
- Would there be a duplication of the NAT configuration (one for each outside interface)?
- Are there any good configuration examples which include what the NAT config would look like for dual ISP and also the outside switches?
04-19-2017 08:37 AM
You are right with your assumptions. You don't need to have standby IPs, although the detection of failover conditions is limited. But that is probably not relevant in your scenario.
All NAT has to be duplicated for both interfaces, and you need to have a backup default route with a higher AD configured to your secondary ISP.
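A minimal ASA configuration for the layout described in this answer, as an added example that is not from the thread or the CVD: it assumes RFC 5737 documentation addresses and hypothetical interface and object names, and adds IP SLA tracking so the backup route also takes over when ISP1's gateway stops answering, not only when the interface goes down.

```cisco
! Added example, not from the thread or the CVD. Addresses are RFC 5737
! documentation ranges; interface and object names are hypothetical.
! Each outside interface holds the single ISP-assigned public address, no standby IP.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network WEB_SERVER
 host 10.1.1.10
object service HTTPS_SVC
 service tcp source eq 443
!
! NAT is written twice, once per outside interface; one rule does not cover both.
! Inbound port-forward of TCP/443 on each interface address to the same inside server:
nat (inside,outside1) source static WEB_SERVER interface service HTTPS_SVC HTTPS_SVC
nat (inside,outside2) source static WEB_SERVER interface service HTTPS_SVC HTTPS_SVC
! Outbound PAT to whichever interface address the active default route uses:
nat (inside,outside1) source dynamic INSIDE_NET interface
nat (inside,outside2) source dynamic INSIDE_NET interface
!
! The same inbound policy is applied on both outside interfaces (real addresses in ACLs).
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-group OUTSIDE_IN in interface outside1
access-group OUTSIDE_IN in interface outside2
!
! Primary default route (AD 1) tracked against ISP1's gateway; the backup route via
! ISP2 (AD 254) is only used while the tracked route is withdrawn.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Without the `track` keyword the backup route is installed only when the outside1 interface itself goes down, so an upstream ISP outage would not trigger it.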