12-27-2012 04:35 AM - edited 03-11-2019 05:41 PM
Hello everyone,
Is it possible to run a firewall cluster over an ADSL internet connection with a single IP address? I think that it is not possible and that it would be necessary to place a router in front of the two firewalls and work with a transfer network between the ASAs and the router?
Does anybody have experience with AnyConnect Phone VPN and the Cisco CUCM Server? Do the phones use the ASA certificate to identify the WAN IP address of the firewall, or should the solution with a transfer network work for that?
Thanks in advance
Kind regards,
Thomas
12-27-2012 08:31 AM
Hello Thomas,
You could run a failover cluster and then just monitor the internal side and not monitor the external side (of course that is not recommended: if by any chance you have a problem with the outside interface, failover will not happen, as you are not monitoring it, due to the fact that you are not exchanging hello packets because you only have 1 IP).
Here is the phone VPN link:
https://supportforums.cisco.com/docs/DOC-9124
Regards,
Julio
12-27-2012 11:38 PM
Hello Julio,
thank you for your reply.
I think we will go for the solution with the transfer network between the ASA and the ISP router.
As far as I understood, the ASA certificate is used for the SSL handshake to authenticate the peers, and the configuration file on the CUCM Server holds all the additional information like IP addresses, Group-URLs, etc.
Thank you for the link to the phone VPN thread. I was wondering if the SSL Premium license is mandatory, or if for testing purposes the phone VPN should also work with the two included premium licenses of the Security Plus license plus the phone VPN license. Do you maybe have any experience with that?
Regards,
Thomas
12-28-2012 09:29 AM
Hello Thomas,
If you are running a version higher than 8.3.1, you will not need to have the same license on both units, as they will share their existing license (so the active unit can use them).
You will need to use both of the licenses, as the link says.
Regards,
Remember to rate all of the helpful posts
12-31-2012 11:38 AM
You can't use a cluster with PPPoE or DHCP.
If you access the ADSL modem via Ethernet (fixed IP) you can have a cluster, but you should NOT add a standby address to the outside interface (i.e. the standby member will not have an outside address).
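The layout described in the replies above (fixed outside address with no standby address, outside interface left unmonitored), as an added ASA active/standby configuration sketch that is not from any poster in the thread. Interface names, the failover link name `folink`, and all addresses are placeholder assumptions.

```cisco
! Added example: primary unit of an active/standby pair sharing ONE outside IP.
! All addresses are documentation/placeholder values, not taken from the thread.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! Single fixed address toward the ADSL modem/router; no "standby" keyword,
 ! so the standby unit has no outside address of its own.
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! The inside network has room for both units, so a standby address is set here.
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/2
 description Dedicated failover link between the two ASAs
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Without a standby address no hello packets can be exchanged on outside,
! so interface health monitoring is disabled there and kept on inside.
no monitor-interface outside
monitor-interface inside
!
failover
!
! Consequence: a failure of the outside interface or its cable on the active
! unit does NOT trigger failover. Check the pair with "show failover" and
! alert on outside link state separately (e.g. syslog/SNMP link-down).
```

The secondary unit needs only the failover link commands with `failover lan unit secondary`; the rest is replicated from the primary once `failover` is enabled.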
01-01-2013 11:54 PM
Hello Julio & Peter,
first of all, happy new year :-)
And we have ordered all the needed licenses, thank you for your help!
Regards,
Thomas