asa outside interface assigning ip

bluesea2010
Level 5

Hi,

I have the below simple topology. I have only two public IPs from the ISP; one is assigned on the CE router interface, so one remains for the ASA outside interface. In that case, how can I assign a standby IP address like below?

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

Or can I assign it without a standby IP address, like the one below?

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0

What are the pros and cons of not having a standby IP address?

Thanks

5 Replies

@bluesea2010 

You don't have to assign a secondary IP address to an interface; you just cannot monitor it for failover if you don't.

If you only have one IP address free to assign to the ASA's outside interface, then you don't have much choice. Ensure you assign a secondary IP address to the inside interfaces and monitor them for failover.

HTH

There is no attachment for the topology.

In my opinion there really are no "pros" to not having a standby IP. As already mentioned, you will not be able to monitor the interface for a failover situation. Also, you will not be able to access the secondary ASA through the interface without the standby IP. Of course, it is not a best practice to have management access to the device on the outside interface, but there might be situations where this could be required.

An advantage of having the standby IP is that if the failover link fails, the ASA will be able to send hello packets out the data interfaces to verify whether the active ASA has actually failed or whether it is just the failover link that is down.

--
Please remember to select a correct answer and rate helpful posts

Hi,

"An advantage of having the standby IP is that if the failover link fails, the ASA will be able to send hello packets out the data interfaces to verify whether the active ASA has actually failed or whether it is just the failover link that is down."

What is the benefit of the above? I mean the situation where the ASA understands that only the failover link failed.

Second question: in an active/standby HA scenario, if I want to change configuration (1) to (2), can I change it straight away?

(1)

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0

(2)

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.1 255.255.255.0 standby 5.5.5.2

Thanks

"What is the benefit of the above? I mean the situation where the ASA understands that only the failover link failed."

If the failover link fails but the standby ASA has no way to check whether this is a link failure or the primary ASA is actually down, you will have a split-brain situation where both ASAs become active, and this will cause other connectivity issues.

"Second question: in an active/standby HA scenario, if I want to change configuration (1) to (2), can I change it straight away?"

You can change it straight away, but I would not recommend doing it the way you suggested. Or at least, it would depend on how the setup towards your ISP is, i.e. which IP they are using. If 5.5.5.1 is free, I would suggest setting that as the standby IP, as this will not cause any outage. Changing the primary IP might cause an outage.

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0 standby 5.5.5.1

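Putting the advice from the replies above together, here is an Active/Standby failover configuration for the topology in the question, written as an added example that is not part of the thread. It keeps the single public IP 5.5.5.2 on OUTSIDE with no standby address and explicitly excludes that interface from failover health monitoring, gives INSIDE a standby address and keeps it monitored, and then shows the no-outage change from the last reply (adding 5.5.5.1 as standby while leaving the active address untouched) in case the ISP confirms 5.5.5.1 is unused. The interface numbers, the FOLINK name, the failover key, and the 10.0.0.0/30 and 192.168.1.0/24 addresses are assumptions for illustration only.

```cisco
! Added example, not taken from the thread. Entered on the PRIMARY unit.
! GigabitEthernet0/3 as the failover link, the FOLINK name, the key, and the
! 10.0.0.0/30 and 192.168.1.0/24 addresses are assumptions for illustration.
!
! Failover link (LAN failover and state link share one interface here).
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Shared secret so failover and state replication traffic is encrypted.
! Placeholder value; use a real secret.
failover key Fa1l0verSharedSecret
!
! Outside: only one public IP is available, so no standby address.
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 5.5.5.2 255.255.255.0
!
! Without a standby address the units cannot run interface health tests on
! OUTSIDE, so take it out of monitoring; otherwise a failed test on this
! interface could trigger an unwanted failover.
no monitor-interface OUTSIDE
!
! Inside: standby address assigned, so keep it monitored (the default).
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
monitor-interface INSIDE
!
! Enable failover.
failover
!
! Later, only if the ISP confirms 5.5.5.1 is unused: re-enter the ip address
! line with the SAME active address and add the standby. The active unit keeps
! 5.5.5.2, so the change does not cause an outage, and OUTSIDE can be monitored.
interface GigabitEthernet0/1
 ip address 5.5.5.2 255.255.255.0 standby 5.5.5.1
monitor-interface OUTSIDE
```

On the secondary unit only the failover link commands are needed before enabling failover, with `failover lan unit secondary` in place of `primary`; the interface configuration, including the standby addresses, is replicated from the active unit once failover is up. Do the outside-interface change on the active unit so it replicates in one step rather than being typed separately on each box.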