ASAs in active redundancy

fahim · ‎10-19-2007

Is it possible to connect two ASAs in active active manner as shown in the attached diagram? Can I assign same subnet addresses to two interfaces on an ASA?

Alternatively, does the current ASA code allow the same VLAN ID to be used across two interfaces?

What I mean is, on the ASA can we use an SVI (VLAN interface) instead of a physical interface and then assign two or more physical ports to the 'inside' VLAN and connect each port back to the core/distribution layer, I was wondering if this is technically feasible?

Pls advise. I had posted this in general but doesn't seem to get the due audience so am taking the liberty of posting it again here!!

andrea.meconi · ‎10-20-2007

I don't understand well your post.

Can you set your ASA in transparent mode?

If yes, you can define a bridge group your two interfaces, one inside and one outside, on the same subnet. But you cannot use more than two interfaces.

Active/active failover is available only into multi mode.

fahim · ‎10-22-2007

All I wanted to ask was that the connectivity between ASA 5540s in the attached design diagram (each ASA seems to be multihomed to switches) and connected to one router at the enterprise edge, practially doable?

This design has been provided to us by a consultant who insists that this can be done but according to my knowledge, we cannot assign same subnet IPs to two interfaces on a Firewall.

Yes...as you suggested, I can use Active/Active Failover design but that design will not look like this.

Am I correct in my understanding!!