
Active/Standby Failover on Single ADSL Connection

thomas.busse
Level 1

Hello everyone,

Is it possible to run a firewall cluster over an ADSL internet connection with a single IP address? My thinking is that it is not possible and that it would be necessary to place a router in front of the two firewalls and work with a transfer network between the ASAs and the router?

Does anybody have experience about AnyConnect Phone VPN and the Cisco CUCM Server? Do the phones use the ASA certificate to identify the WAN IP address of the Firewall or should the solution with a transfernetwork work for that?

Thanks in advance

Kind regards,

Thomas

1 Accepted Solution

Julio Carvajal
VIP Alumni

Hello Thomas,

You could run a failover cluster and then just monitor the internal side and not monitor the external side (of course that is not recommended, because if by any chance you have a problem with the outside interface, failover will not happen, as you are not monitoring it, due to the fact that you are not exchanging hello packets because you only have 1 IP).

Here is the phone VPN link:

https://supportforums.cisco.com/docs/DOC-9124

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thank you for your reply.

I think we will go for the solution with the transfer network between the ASA and the ISP router.

As far as I understood, the ASA certificate is used for the SSL handshake to authenticate the peers, and the configuration file on the CUCM server holds all the additional information like IP addresses, group URLs, etc.

Thank you for the link to the phone VPN thread. I was wondering if the SSL Premium license is mandatory, or if, for testing purposes, the phone VPN should also work with the two included premium licenses of the Security Plus license plus the phone VPN license. Do you maybe have any experience with that?

Regards,

Thomas

Hello Thomas,

If you are running a higher version than 8.3.1, you will not need to have the same license on both units, as they will share their existing licenses (so the active unit can use them).

You will need to use both of the licenses, as the link says.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

You can't use a cluster with PPPoE or DHCP.

If you access the ADSL modem via Ethernet (fixed IP), you can have a cluster, but you should NOT add a standby address to the outside interface (i.e. the standby member will not have an outside address).
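
The trade-offs raised in the replies above can be checked against a saved running-config. The following is an added example, not part of any post in this thread: a small Python audit that reports interfaces using PPPoE/DHCP addressing, interfaces with no standby address, and interfaces with monitoring disabled while failover is on. The sample config, the function name `audit_failover` and the issue labels are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt; addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover
failover lan unit primary
no monitor-interface outside
"""

def audit_failover(config):
    """Return sorted (nameif, issue) pairs for interfaces failover cannot cover."""
    modes, standby, unmonitored = {}, set(), set()
    enabled, name = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            name = None                      # a top-level command ends the interface block
        if m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"ip address (\S+)", line)):
            modes[name] = m.group(1) if m.group(1) in ("pppoe", "dhcp") else "static"
            if " standby " in line:
                standby.add(name)
        elif line == "failover":
            enabled = True
        elif m := re.fullmatch(r"no monitor-interface (\S+)", line):
            unmonitored.add(m.group(1))
    if not enabled:
        return []
    findings = set()
    for nameif, mode in modes.items():
        if mode != "static":
            findings.add((nameif, "dynamic-address"))   # PPPoE/DHCP: ruled out in the thread
        elif nameif not in standby:
            findings.add((nameif, "no-standby"))        # standby unit has no address here
    # An unmonitored interface never triggers failover when it fails.
    findings |= {(n, "unmonitored") for n in unmonitored if n in modes}
    return sorted(findings)

if __name__ == "__main__":
    for nameif, issue in audit_failover(SAMPLE_CONFIG):
        print(f"{nameif}: {issue}")
```

On the sample, the outside interface is reported twice: it has no standby address and is excluded from monitoring, which is the single-IP design described above with its blind spot made explicit.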

Hello Julio & Peter,

First of all, happy new year :-)

And we have ordered all the needed licenses, thank you for your help!

Regards,

Thomas
