Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
852
Views
0
Helpful
5
Replies

ASA failover pair

Daniel Espley
Level 1
Level 1

‎01-14-2013 01:58 PM - edited ‎03-11-2019 05:46 PM

Hi,

I have exisitng setup of router > ASA > unmanaged switch > LAN.  I want to setup 2nd ASA as failover with crossover cable but im stuck on how to 'share' the internet connection with the 2nd ASA.  Am i correct to think that both ASA's would need to connect to the switch (not the router) and have the router connection going into port of the switch?  therefore i would need to change to a managed switch to configure port for router 'outside', then configure two ports to connect to 'inside' ports of ASA's? 

Thanks

Labels:
0 Helpful
5 Replies 5

Jouni Forss
VIP Alumni
VIP Alumni

‎01-14-2013 02:20 PM

Hi,

Ideally with ASA Failover you would have a ISP Router infront of the ASA which would provide you with a small public subnet so you would have IP address for both ASAs. The ASAs should also be able to see eachother on L2 so they can keep monitoring eachother for the Failover

Same goes for every LAN,DMZ, etc interface on the ASA. There needs to be a L2 connection between each ASA interface for the Failover polling between the ASAs to work.

- Jouni

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-14-2013 02:22 PM

And as you say,

You could do a setup where you use your local switch to provide both the "outside" and "inside" connection and in "outside" case then connect the switch to the actual ISP router. And yes you would need to have a managed switch with which you could separate the "outside" and "inside" of ASA (and any other interface) from eachother with different Vlans.

- Jouni

0 Helpful

Daniel Espley
Level 1
Level 1
In response to Jouni Forss

‎01-14-2013 02:34 PM

hi - but if you have the ASA in front of the router then how does the 2nd ASA pick up the internet connection from the router if the 1st ASA goes down?  Surely the router has to go into switch port then both ASA's go into ports also, i.e. the ASA's are not directly connected to the router.

thanks

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Daniel Espley

‎01-14-2013 02:42 PM

Hi,

Well for example in a situation where the user has 2 ASAs in Failover but only has 1 Internet connection the setup with Cisco devices could be the following

  • Internet connection provided with C800 series router which has a 4 Port Switch module
  • Router has a small public subnet (/29) in its Vlan1 interface
  • Both ASAs outside interface is connect to the Switch module of the C800 series router
  • ASAs inside interfaces are connected to LAN switch(es)

The idea of the ASA failover is that as soon as the the Primary ASA fails the Secondary ASA will aquire the IP addresses used by the Primary unit and everything goes on as usual.

Ofcourse IF your router doesnt have the option to connect 2 ASAs and cant provide L2 connection between these 2 links then you will need to use some other device like the switch you mentioned.

  • ASAs would be connected to 2 ports on the Switch which are assigned to some "outside" Vlan
  • One additional port on the switch would be assigned to the same "outside" Vlan and that port would be physically connected to the ISP Router.

- Jouni

0 Helpful

Daniel Espley
Level 1
Level 1
In response to Jouni Forss

‎01-14-2013 02:50 PM

Hi - thanks for reply, this is what I was hoping for.  I have cisco 881 router so will check.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card