07-31-2012 05:04 AM - edited 03-11-2019 04:36 PM
Hi Guys,
I am new to the Cisco ASA firewall, so spare me if I ask basic doubts.
If I want to configure the ASA in Active/Standby mode, then their interfaces should be in the same IP subnet.
Now, say for example for the DMZ and inside zones I am using a common subnet on both ASAs.
Let's say: for the DMZ, 192.168.1.1/24 for the primary ASA and 192.168.1.2/24 for the secondary ASA;
for the inside, 172.16.1.1/24 for the primary ASA and 172.16.1.2/24 for the secondary ASA.
Can I use a different subnet for the outside interfaces, let's say 1.1.1.1/24 for the primary ASA and 2.2.2.2/24 for the secondary ASA?
07-31-2012 05:22 AM
Hi Bro
In Active/Standby mode, both IP addresses MUST be in the same network. No two ways about it. Here's a sample for your kind reference:
!
hostname HQPIXFW1
!
! The primary unit owns the first address on each interface; the
! standby unit holds the "standby" address and takes over the active
! address on failover. Both addresses must be in the same subnet.
interface Ethernet0
nameif outside
security-level 50
ip address 2.2.2.1 255.255.255.248 standby 2.2.2.2
!
interface Ethernet1
nameif inside
security-level 50
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet3
description LAN/STATE Failover Interface
!
access-list acl_in extended permit ip any any
access-list acl_out extended permit ip any any
failover
! Unit role: on the other unit, change this value to "secondary"
failover lan unit primary
! Ethernet3 carries both the failover control link and the state link
failover lan interface failover Ethernet3
failover lan enable
! Unit hello every 1 s; the peer is declared failed after 3 s without hellos
failover polltime unit 1 holdtime 3
! Interface hello every 3 s; an interface is declared failed after 15 s
failover polltime interface 3 holdtime 15
! Shared key that authenticates and encrypts the failover messages
failover key cisco123456789
failover link failover Ethernet3
! Failover link addresses: active/standby, in their own /30
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
no nat-control
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 2.2.2.6
P.S.: If you think this comment is useful, please rate it nicely :-) and select the option "This Question is Answered".
07-31-2012 05:26 AM
Hi Ramraj,
Thanks for your reply.
If this is the case, how can I terminate two separate links from the ISP on the ASA?
07-31-2012 06:26 AM
Hi Bro
You could either place two units (for redundancy purposes) of L3 Cisco switches on the outside interface of the Cisco FW (assuming both ISP links are provided in UTP cable form), or you could connect both ISP links to two separate Cisco routers and connect both of these Cisco routers to the outside interface of the Cisco FW via L2 Cisco switches.
At the end of the day, you still need switches so that both Cisco FWs can communicate with each other for failover purposes. No two ways about it.
P.S.: If you think this comment is useful, please rate it nicely :-) and select the option "This Question is Answered".
07-31-2012 06:37 AM
And another way:
Use two different interfaces for your outside connections. One will be primary; the other can only be used as backup.
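The "two outside interfaces, one primary and one backup" approach described above, written out as an added example configuration that is not part of the thread. It assumes an ASA running 8.2-style (pre-8.3) NAT syntax, the interface names outside_isp1/outside_isp2/inside, and the RFC 5737 documentation addresses 203.0.113.0/29 and 198.51.100.0/29 for the two ISP handoffs; all of these are hypothetical. Each outside interface still carries a standby address in its own subnet, so the Active/Standby pair is unaffected; what changes is that the default route through ISP1 is tied to an ICMP probe of the ISP1 gateway, and a higher-metric default route through ISP2 is installed only when that probe fails.

```cisco
! Added example (hypothetical addresses and interface names), not from the thread.
! Primary ISP link: both units sit in the same /29 handed out by ISP1.
interface GigabitEthernet0/0
 nameif outside_isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Backup ISP link: a different /29 handed out by ISP2, again with a standby address.
interface GigabitEthernet0/1
 nameif outside_isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
! Probe the ISP1 gateway with 3 ICMP echoes every 10 s out of outside_isp1.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside_isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability state of SLA probe 1.
track 1 rtr 1 reachability
!
! Primary default route (metric 1) is withdrawn while track 1 is down;
! the ISP2 default route has a worse metric (254) and only becomes the
! active route when the primary is withdrawn.
route outside_isp1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Pre-8.3 NAT: one PAT pool per outside interface, so inside hosts are
! translated to whichever outside interface the active default route uses.
global (outside_isp1) 1 interface
global (outside_isp2) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
```

Two caveats a practitioner should expect from this design. First, it is failover of outbound reachability only: when the route flips, existing translations built on outside_isp1 are not rewritten, so long-lived sessions are dropped and re-established via ISP2 (clearing the affected xlates with `clear xlate` speeds that up). Second, inbound services have to be published on both ISP addresses separately, and the probe target should be something the ISP1 path must actually deliver (the gateway is a minimum; a host beyond the ISP's edge is a better indicator that the link is usable). The switching requirement from the earlier reply still applies: each ISP link must reach both units, so each outside interface needs a switch (or the ISP's own switched handoff) between the provider and the two ASAs.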
07-31-2012 06:48 AM
I suppose you guys are correct....
But my doubt came because in the Juniper SRX firewall you can assign different IP addresses......
Check out this link:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/cc_deployment_scenarios.html and go to the "Asymmetric Routing Chassis Cluster Scenario" section.
Don't all kinds of firewalls behave in the same way as far as failover is concerned?
07-31-2012 08:39 AM
On the ASA you need to activate security contexts (virtual firewalls), where one context connects to ISP1 and another context connects to ISP2. But with that deployment you are restricted to pure firewalling: no VPN, no dynamic routing, ...
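The security-context approach from the reply above, as an added example configuration that is not part of the thread. Interface names, context names, the flash paths and the RFC 5737 addresses are all hypothetical. The point it shows is where the original question's "different outside subnets" actually land: in multiple-context mode the failover pair is still configured once, in the system execution space, and each context then gets its own outside interface with its own active/standby pair in whatever subnet that ISP provides.

```cisco
! ---- System execution space (added example, hypothetical names) ----
! Switching to multiple mode prompts for confirmation and reboots the unit;
! do it on both units before building the contexts.
mode multiple
!
! In the system space, physical interfaces are only declared, not addressed.
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 description LAN/STATE Failover Interface
!
! Failover is configured once here and protects every context.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/4
failover link folink GigabitEthernet0/4
failover key cisco123456789
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! One context per ISP: each gets its own outside and inside interface.
context ISP1
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/2 inside
 config-url disk0:/isp1.cfg
!
context ISP2
 allocate-interface GigabitEthernet0/1 outside
 allocate-interface GigabitEthernet0/3 inside
 config-url disk0:/isp2.cfg
!
! ---- Context ISP1 (disk0:/isp1.cfg) ----
! The outside pair lives in the ISP1 handoff subnet.
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- Context ISP2 (disk0:/isp2.cfg) ----
! The outside pair lives in the ISP2 handoff subnet; nothing ties the two
! subnets together because the contexts have separate routing tables.
interface outside
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface inside
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

Because each context is an independent firewall with its own routing table, the inside network does not get automatic failover between ISPs with this layout: hosts (or an inside router) choose which context's inside interface is their gateway, and moving traffic from ISP1 to ISP2 means changing that choice. The contexts can share a single physical inside interface instead of GigabitEthernet0/2 and 0/3, but then each context needs a distinct MAC address on the shared interface for the ASA to classify incoming packets, which is what the `mac-address auto` system command is for.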