
ASA design for DMZ and failover

tonyjordan
Level 1

Hi everyone,

I got a pair of ASA f/w's which are going to be in active/standby configuration and the low security interfaces will connect to 2 separate switches configured with a separate VLAN for each interface from the f/w.

This allows for redundant connectivity, but are there any issues from a security point of view in using the switches for stateful failover as well?

The typical precautions will be done such as adding a key for the failover config and ensuring the ports are on only a VLAN with SVI. All other layer 2 mitigation configs would be configured also.

Cheers

Tony

1 Reply

Kureli Sankar
Cisco Employee

I don't see any problem, but in most cases usually there are two separate switches. One for the inside or trusted interfaces and one for the untrusted outside interface. Does this answer your question?

-KS
