Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
885
Views
0
Helpful
3
Replies

ASA Failover Pair - Switch (HUB) Connections

nagel
Level 1
Level 1

‎01-29-2012 07:15 AM - edited ‎03-11-2019 03:20 PM

I am setting up a pair of 5520s in Failover configuration.  Previous to adding the Failover ASA - I had the physical coonects as follows :

Internet > Primary ASA > Packetshaper > Web Filter

I believe in order to make everything work in Failover mode I need to connect the Primary & Failover ASA to a switch and then feed that to the Packetshaper.

I have purchased an SG 300-10 Cisco small switch that I was wanting to put in place to accomplish this.  However I am not sure on how to configure the switch (which I assume needs to act as HUB)

Do I need to configure a VLAN on the switch and then plug both ASA Inside ports to the vlan along with the shaper?

Any assistance you can provide would be appreciated.

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-29-2012 09:10 AM

The SG 200-10 is fine for this purpose. It should act as a switch, with the inside ports for your Primary and Failover ASA, along with the Packetshaper, all on the same VLAN. You can use the default SG 200 configuration for this as it should have all ports belonging to the default VLAN 1 from the factory.

You may want to configure the switch ports as access mode (default is trunk) and set up a non-default IP address and credentials to manage the switch remotely. As noted in the Administration Guide, it has a default IP address of 192.168.1.254 and userid / password of cisco / cisco.

0 Helpful

nagel
Level 1
Level 1
In response to Marvin Rhoads

‎01-30-2012 05:52 AM

Thanks for response - is much appreciated.  Still have one question on setting up management access.  Currently our management Vlan is Native Vlan 1.  If I connect a VLAN 1 port back to my internal network - will I not in essence be permitting the PIX traffic to escape back to my internal network via Vlan 1 instead of just passing traffic from PIX to Shaper?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to nagel

‎01-30-2012 06:59 AM

Well, traffic wouldn't 'escape' really but a better design would be to create a VLAN that is only assigned on the ports connecting the ASAs' inside interfaces and the Packetshaper. You would then need a separate VLAN if you wish to remotely manage the SG 200 switch.

However, your questions have led beyond the initial one about how to make it work and into your overal network design and operations approach.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card