ASA setup

Shibu1978
Level 1

Hi All,

I have the attached setup in the network. All the ASA interfaces are being used for data traffic, even the management interface (not for management purposes). Also we have an AIP-SSM-20 placed in the ASA 5510, which is configured and working fine.

[attachment: Drawing2.jpg]

Right now we are planning to have one more ASA for redundancy purposes. We are planning to replace the 5510 with a 5520, so we will be having two 5520s with one AIP-SSM-20.

Please clarify the below:

1) The ASA 5520 has only 4 interfaces and a management interface. In this scenario, if I assign all the interfaces as in the above setup, I am left with no interface to configure failover and stateful failover. How do I configure failover and stateful failover? What would be the best way to achieve this with the ASA 5520?

2) What would be the best way to connect both ASA 5520s with 4503-1 & 2 for redundancy?

Thanks for your time and help


14 Replies

Jouni Forss
VIP Alumni

Hi,

If I'm not mistaken, for failover to work you will need identical hardware on the ASAs. I would presume that this means additional modules also. Better confirm this though.

To my understanding, since you are moving from the ASA 5510 to the ASA 5520, you will get GigabitEthernet ports to use instead of FastEthernet. You could always just combine some of your current interfaces to be on the same physical interface as subinterfaces (trunk). I presume the 4503 side also has GigabitEthernet ports available?

In a typical scenario each ASA would be connected to its own core device and directly connected to each other for failover. I guess both ASAs would be connected to the 4506-1.

- Jouni

If I'm not mistaken, for failover to work you will need identical hardware on the ASAs. I would presume that this means additional modules also. Better confirm this though.

I am not looking for failover on the AIP-SSM-20 module, as we are not adding an SSM module in the secondary ASA.

To my understanding, since you are moving from the ASA 5510 to the ASA 5520, you will get GigabitEthernet ports to use instead of FastEthernet. You could always just combine some of your current interfaces to be on the same physical interface as subinterfaces (trunk). I presume the 4503 side also has GigabitEthernet ports available?

Thanks for the info. Do you have any supporting docs or sample configs?

In a typical scenario each ASA would be connected to its own core device and directly connected to each other for failover. I guess both ASAs would be connected to the 4506-1.

I have noticed the above note from Cisco. As per Cisco, each ASA being connected to its own core is not recommended. Please see it.

Thanks

Hi,

Regarding the module: what I meant was that, to my understanding, when configuring an ASA failover pair the devices need to be identical when it comes to the hardware. I guess mainly this just means the same ASA model and the same RAM setup, but from what I understand this would also mean extra modules for ASA models. I will have to check that.

Regarding connecting the ASAs: I think the Cisco document refers to the actual failover (LAN) interface. It shows that you should keep the failover separate from the links where the actual data is transmitted. As I said, I'd rather connect the failover interfaces directly and keep them separate from the rest of the actual network, as the Cisco document shows (the way this is done of course depends on the location of the devices (same space or separate datacenters)).

- Jouni

Hi,

Here's information from the Cisco ASA 8.4 configuration guide regarding failover hardware requirements:

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.

- Jouni

Hi,

Thanks

So the failover/stateful interfaces should be connected to each other directly, and the rest are all connections to their own core switch.

We are planning to have either 7.2(3) or 8.2(5) on the ASA 5520. I think we need to purchase one more SSM-20 in order to make failover work between the ASA 5520s.

Hi,

You will need one interface on the ASAs for the Failover link.

The Stateful failover link can be on:

  • A separate physical interface
  • Same interface as the actual Failover link
  • A regular data interface (which is the situation that the Cisco document you linked tells to avoid)

Personally I have always used the same interface as the actual failover interface. The ASAs have either been directly connected in the same datacenter or connected with fiber/ethernet between 2 different datacenters through some other devices.

You can Google for the ASA 8.2 configuration guide (etc.) to find a PDF document that should have most if not all the information you need to configure failover. I also suggest getting the Command Reference for the same software if you need to check the command format and some basic guidelines on using the command in question.

- Jouni
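The layout the answer above recommends, written out as an added example (not a configuration from the thread or from Cisco's guide) for the primary unit of an ASA 8.2 pair: GigabitEthernet0/3 is assumed to be the dedicated, directly cabled failover link that also carries the stateful link, a trunk with subinterfaces frees the ports the 5510 used separately, and every interface name, VLAN, address and the failover key are placeholders.

```cisco
! Added example, not from the thread. Primary unit; the secondary needs the same
! "failover ..." lines with "failover lan unit secondary" and nothing else before sync.
!
! Dedicated failover + stateful link: no nameif/ip address here, the failover
! commands below own this interface.
interface GigabitEthernet0/3
 description Failover and stateful link (direct cable to unit 2)
 no shutdown
!
! Trunk former 5510 interfaces onto one physical port as subinterfaces.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.20.1 255.255.255.0 standby 10.20.20.2
!
! Every monitored data interface carries a standby address for the second unit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Failover definition: LAN link and stateful link share Gi0/3 (the "same
! interface" option). The key must match on both units; it protects the
! failover traffic, which replicates the full configuration between the units.
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key ReplaceWithSharedSecret
failover
!
! Check afterwards with "show failover": unit 1 should be Active, unit 2
! Standby Ready, and the stateful statistics section should show updates.
```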

Thanks

Will refer to the 8.2 documentation and do it.

Hi,

Can we do failover between the AIP-SSM-20s also?

Do we need to configure different IPs on the AIP-SSM-20s? Will the signatures replicate to each other?

What would be the best way to have both AIP-SSM-20s in the ASA 5520s?

Thanks

Hi,

I don't really know about that.

I got the impression from earlier discussions on these forums that the ASA modules don't really have a failover between them. That it would be up to the admin to keep them both at identical configurations, so that when the actual ASA failover happens there are no differences in the configurations/operations of the device/module.

But you should probably wait for a confirmation from someone who knows better. I haven't really used any other modules on the ASAs other than the 4-port GigabitEthernet module, which only brings more physical ports to the ASA.

- Jouni

Yes, Jouni is absolutely correct. The AIP modules don't have failover between them; they act as independent modules. Hence they would need to have a different IP address on each module, and signatures won't replicate, so you would need to update the signatures on both modules independently.

Thanks both, really appreciated.

In the meanwhile I have a couple of other questions.

1) Since I have to migrate all the configuration to the new ASA 5520 units, I am wondering if there is a possible way to copy the entire configuration, including certificates, from the ASA 5510 to the 5520:

Nat

Ipsec-tunnels

Certificates (SSL VPN authentication certificate from GeoTrust), etc.

Is there any way I can copy the entire configuration from the 5510 to the 5520, including the above?

thanks for your response

Yes, you can use ASDM to backup the whole config, including the certificates.

From ASDM --> Tools --> Backup Configurations.

Here is what you can back up:

Thanks for the response.

I don't see the Backup Configurations option in the ASDM. I am having ASDM 5.2 with 7.2(3). Is there any other way to get it?

So, as you said, it is possible to copy and paste the entire configuration from the 5510 to the 5520. Is that right?

That backup and restore feature from ASDM is only available from ASDM version 6.1, which supports ASA version 8.0.

It seems like you are using an earlier version, which doesn't support that feature.

You can copy and paste the configuration, but make sure that you don't copy and paste the encrypted password. If you have VPN configured, normally the pre-shared key is not displayed.

I would suggest that you copy the configuration section by section, not just copy the entire config and paste it. You can save a copy of the config to a TFTP server in a text file, so at least you have the whole config.

To export the certificate, you can use the command: crypto ca export

To import the certificate, you can use the command: crypto ca import certificate
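The migration steps in the reply above, as an added example (not from the thread) in ASA 7.2/8.2 CLI form: the TFTP address, file name, trustpoint name GEOTRUST-TP and the export passphrase are placeholders, and the PKCS12 form of crypto ca export/import is assumed because it is the variant that carries the private key along with the certificate.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (TFTP server),
! GEOTRUST-TP (trustpoint name), ExportPassphrase.
!
! --- On the old ASA 5510 ---
! Keep a complete text copy of the running config before touching anything.
copy running-config tftp://192.0.2.10/asa5510-running.txt
!
! "show running-config" masks pre-shared keys as "*"; this form shows them in
! clear so they can be retyped on the new unit (handle the output as a secret).
more system:running-config
!
! Export the SSL VPN identity certificate together with its private key as a
! passphrase-protected PKCS12 blob printed to the terminal (base64). The blob
! contains the key: store it like a password and delete the copy afterwards.
crypto ca export GEOTRUST-TP pkcs12 ExportPassphrase
!
! --- On the new ASA 5520 ---
! Recreate the trustpoint by importing the blob under the same name: paste the
! exported text at the prompt and end the paste with "quit".
crypto ca import GEOTRUST-TP pkcs12 ExportPassphrase
!
! Bind the imported certificate to the SSL VPN interface, as on the old unit.
ssl trust-point GEOTRUST-TP outside
!
! Verify the identity certificate and its CA chain arrived intact.
show crypto ca certificates
!
! Then paste the saved config one section at a time (interfaces, NAT, crypto
! maps, tunnel-groups). Retype rather than paste the lines the text copy holds
! encrypted or masked: "enable password", "username ... password" and
! "pre-shared-key".
```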
