09-29-2008 05:03 AM - edited 03-11-2019 06:50 AM
Hello Folks!!
I have two ASA 5520 Series. I want to implement a three-homed DMZ with three Ethernet interfaces, and I want failover with this solution.
Is this possible with this device?
What are the connections between the different switches with STP enabled for redundancy?
Thanks in advance!
09-29-2008 08:31 AM
Assuming you have the proper licenses on each device, this is possible.
You will need a total of 4 interfaces to enable failover: inside, outside, DMZ, and fail-link.
Each firewall interface is an L3 host port, so the device does not participate in or have any knowledge of STP. Each port on the switch side should be in "switchport host" with CDP disabled, etc. Try to think of the firewall as a "server".
Each interface on the firewall will need a primary and a standby IP enabled. Ideally you will want the fail-link cabled via crossover if the firewalls are co-located.
The configuration examples section for ASAs has the rest of the commands you will need to complete the config.
Hope that helps.
09-30-2008 08:10 AM
Many thanks, Matt.
Your diagram explains it very well.
My last doubt... If the primary/active ASA fails, then the secondary ASA takes over the role of primary. But how can I make the different IPs my ISP gives each ASA transparent to the configuration of the IPsec tunnels on the remote side?
Thanks again!!
09-30-2008 08:39 AM
When the primary/active fails the secondary/standby assumes the secondary/active state. The secondary device re-IPs itself with the primary's IP addresses and "impersonates" the dead firewall. Of course, that vastly oversimplifies the actual process but from the ISP and server's perspective the outside IP address of the active firewall never changes.
As long as it is a graceful failover, the connection states should be maintained during a failover event. I personally haven't had to support any nailed-up IPsec tunnels, but I assume they would remain connected without any intervention.
09-30-2008 09:03 AM
Hi Matt,
In short, are you telling me that I can/must set up the secondary device with the same configuration as the primary device?
Are the public IPs of both of them the same?
Thanks again
09-30-2008 09:10 AM
The secondary firewall doesn't really have its own config. Once you enable failover and establish IP connectivity between the firewalls, the primary writes its config to the flash of the secondary automatically. To create a failover secondary firewall you only need to cable up a blank ASA, add a couple of failover commands, and then the primary sees it and syncs.
Here is a sample config that explains this all in great detail:
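The following is an added example, written by the editor and not the sample config Matt linked to or any Cisco-provided configuration. It shows the three-homed active/standby layout described in Matt's earlier answer (inside, outside, DMZ, plus a dedicated fail-link carrying both LAN failover and stateful replication) and the minimal bootstrap the secondary needs. Hostnames, interface numbers, the `FOLINK` name, the shared secret placeholder and all addresses (documentation range 203.0.113.0/29 on the outside, RFC 1918 inside and DMZ, 172.16.254.0/30 on the fail-link) are constructed for illustration.

```cisco
! ===== Primary ASA 5520 (added example; addresses are constructed) =====
hostname asa-primary
!
! Three data interfaces, each with an active and a standby address.
! After a failover the surviving unit takes over the active addresses
! (and MACs), so the ISP and remote IPsec peers never see a new IP.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
 no shutdown
!
! Fourth port is the fail-link: no nameif, just bring it up.
! Cable it back-to-back (crossover) between the two units if co-located.
interface GigabitEthernet0/3
 description LAN failover + stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Reusing the same interface as the stateful link is what lets existing
! connections (and replicated IPsec/ISAKMP SAs) survive a failover;
! without "failover link" only the config and IP takeover happen.
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.254.1 255.255.255.252 standby 172.16.254.2
! Config sync (including enable password and VPN pre-shared keys) crosses
! this link in clear text unless a key is set. Use a real secret here.
failover key REPLACE-WITH-SHARED-SECRET
! Watch the data interfaces so a dead uplink, not only a dead box, triggers failover.
monitor-interface outside
monitor-interface inside
monitor-interface dmz
! Enable failover last, once the above is in place.
failover
!
! ===== Secondary ASA 5520: bootstrap only, the rest is synced from the primary =====
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
! Same command as on the primary; the secondary uses the standby address.
failover interface ip FOLINK 172.16.254.1 255.255.255.252 standby 172.16.254.2
failover key REPLACE-WITH-SHARED-SECRET
failover
!
! ===== Catalyst access port facing either ASA data interface (one per link) =====
interface GigabitEthernet1/0/1
 description asa-primary outside
 switchport access vlan 10
 switchport host
 no cdp enable
```

After both units are up, `show failover` on the primary should report "Primary - Active" and the partner as "Secondary - Standby Ready", with the interface table listing the active and standby addresses of every monitored interface; `show failover history` explains any unexpected state change. Both units must see the same VLANs on corresponding ports (outside, inside and DMZ each on their own VLAN across whatever redundant switches you use); the ASA itself stays out of STP, so port redundancy is handled entirely on the switch side.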
09-30-2008 09:19 AM
Sorry, I cannot access that area. Would you mind sending it to me by email?
Thanks.
09-30-2008 09:40 AM
Try this one. It shouldn't require an account I don't think.
09-30-2008 10:54 AM
Matt, many thanks for everything!!