You only need to configure failover and enable/no shut the interfaces on both devices remain all config will be replicate from primary to standby automatically.

Make sure OS version should be same on both ASA's.

Following is the link hving full information regarding failover. I recommend you to go through the link first.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

If this was helpful, please give it a thumbs up

Thank you so much dons!

Pls i have a challenge as regards how connection of the 2nd ASA will look like,

Existing ASA is connected on external interface to ISP on 45.xx.xx.21 with RJ45 Network cable and its internal interfaces are connected to Gigabit ports on the 2960 cisco switch while all the servers are connected to Fast Ethernet interfaces on the same switch.

Now, Do we require to buy this exact next IP 45.XX.XX.22 or another one in the same subnet with 45.xx.xx.21 from the same ISP. Also, do we require another RJ45 Network cable to the second ASA so that it will be two network link coming from the same ISP and terminate on each of the ASAs.

Pls remember there is site to site VPN already configured on the existing ASA with IP address 45.xx.xx.21 to the third party systems.

Hi Bashiru,

You need to move ISP cable on the switch and then connect external interface of both ASA's on the switch. There is no need to purchase another IP address from ISP. If one ASA will fail then the connectivity to the ISP will be through second ASA because the ISP link is connected on switch.

        Please find the attachment in which it is explained how ASA's external interface and ISP will be connected.

If this was helpful, please give it a thumbs up

Spooster Thanks for your swift response and the diagram.

If ISP cable is terminated on the switch, Existing external ASA IP is 45.xx.xx.21, what will now be the standby IP of the second ASA External interface if we do not buy another IP. I know i can use local IP for the LAN fail-over link between the two ASAs.

Also, if we put the Port link from ISP and two external interfaces of both ASA in the same VLAN, Already, i have two separate VLANs on the two internal interfaces of the existing ASA on the connecting switch such that it is Production VLAN and Test environment VLAN where servers are connected. What will be the relationship between this VLAN and new edge switch VLAN.

Thanks bro

If you don't purchase another IP then there will be no IP address on the external interface of second ASA. As such there is no need to configure IP address on the external interface of second ASA. When failover will occur from first ASA to second ASA 45.xx.xx.21 IP address will move to the second ASA.

Existing VLANs production and test will be for servers. You need to configure one more vlan that will provide connectivity of ASA's external interface to the ISP.

Thanks so much for the explanation.

Connectivity between Lan Failover link and External Interface of both ASAs is clear now, But how will the Internal interface of both ASA connection will look like?

Below is part of the summary for the configuration, pls correct me if am wrong:

- On Existing ASA, there is no need to configure standby IP on the External interface so also on the internal interface.

- On the Existing ASA, Configure LAN fail-over IP on the an interface say 0/5 with standby ip and fail-over key

- On second ASA, Configure LAN fail-over IP on the an interface say 0/5 with standby ip and fail-over key and connect the interface to port 0/5 of existing ASA.

Reboot the standby ASA, when it comes up then save configuration on primary ASA and all other existing configuration will be replicated on the standby ASA.

Can someone guide me on how to get and implement security plus license for both active/stanby ASA 5512-x. Existing ASA has base license and i expect another ASA to be purchased to have also base license.

For the management purpose of standby ASA, you must have to configure standby IP address on the internal interface.

You have to follow the steps below:

1) Install security plus license on both ASA's. Check the output of show version to ensure that security plus license got installed.
2) Connect failover cable between both ASA's
3) Configure failover configuration on both ASA's
4) After this standby ASA automatically synchronize configuration with the active ASA.

For security plus license you need to contact Cisco.
ASA5512-SEC-PL is the part number of security license for 5512-x ASA.

Thank bro,

As regards the internal interface, on the existing ASA, Production has local IP 172.15.15.97 on interface 0/2 and TEST is on 172.15.15.254 on interface 0/1.

will i configure 172.15.15.98 on interface 0/2 and 172.15.15.253 on interface 0/1 as standby for both Production and Test on the STANDBY ASA together with their respective active ASA IP  and connect it to switch that connect all the servers?

Yes, you can configure the above mentioned IP addresses, but keep sure that interfaces must be connnected in the correct VLAN.

As there must be different vlan for both production and test networks. So connect the cables from second ASA interface 0/2 in production vlan and 0/1 in test vlan.

Thanks so much for taking your time to read and respond to my challenge. I really appreciate your kind gesture. However, i can now forward the proposal to the management for the devices procurement and license.

However, i use to SSH to the existing ASA via the External interface IP, How will i be able to access the standby ASA remotely.

Thank you all

If you want to access standby ASA directly through WAN then you need one separate IP address for external interface of standby ASA.

Otherwise you can configure port redirection for the IP address of switch. First of all access switch through internet and then access standby ASA from switch by using its internal IP address.

Thanks so much!

Please mark your question as answered if you got all the answers and rate if this is helpful.