05-23-2017 08:08 AM - edited 03-12-2019 02:24 AM
Hi Profs,
Currently, I have a Cisco ASA 5512-X as the edge device with an external link to a single ISP, connected internally to a Cisco 2960 switch, behind which are the production servers. There are three site-to-site VPN links from the servers' NATed public IP to third-party systems.
Now, we want to get another Cisco ASA 5512-X and a switch for redundancy. How do I configure the existing firewall as ACTIVE and the new firewall as STANDBY so that if the active ASA goes down the standby automatically takes over, and what will the connections look like, including the switch?
Your professional ideas are welcome please.
Thanks
05-23-2017 08:34 AM
Hi Bashiru,
You need to connect one cable from ASA to ASA and apply the following configuration to set up Active/Standby failover.
On first ASA:
interface Ethernetx/x
description Failover Interface
no shut
!
! Unit role: primary on the existing ASA, secondary on the new one; the remaining failover lines are identical on both units
failover lan unit primary
failover lan interface LANFailover Ethernetx/x
failover interface ip LANFailover 10.254.254.1 255.255.255.0 standby 10.254.254.2
! Stateful link: if it shares the physical failover interface above, reuse the name LANFailover here instead of defining a second interface
failover link stateful Ethernetx/x
failover
On second ASA:
interface Ethernetx/x
description Failover Interface
no shut
!
! Same failover block as the primary; only the unit role differs
failover lan unit secondary
failover lan interface LANFailover Ethernetx/x
! The failover interface ip line must be identical on both units
failover interface ip LANFailover 10.254.254.1 255.255.255.0 standby 10.254.254.2
failover link stateful Ethernetx/x
failover
You need a Security Plus license to configure failover.
05-23-2017 08:55 AM
You only need to configure failover and enable (no shut) the interfaces on both devices; all remaining configuration will be replicated from the primary to the standby automatically.
Make sure the OS version is the same on both ASAs.
Following is the link with full information regarding failover. I recommend you go through the link first.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html
If this was helpful, please give it a thumbs up
05-24-2017 02:10 AM
Thank you so much dons!
Please, I have a challenge regarding how the connection of the 2nd ASA will look:
The existing ASA is connected on its external interface to the ISP on 45.xx.xx.21 with an RJ45 network cable, and its internal interfaces are connected to Gigabit ports on the Cisco 2960 switch, while all the servers are connected to Fast Ethernet interfaces on the same switch.
Now, do we need to buy the exact next IP 45.XX.XX.22, or another one in the same subnet as 45.xx.xx.21, from the same ISP? Also, do we need another RJ45 network cable to the second ASA, so that there will be two network links coming from the same ISP, terminating on each of the ASAs?
Please remember there is a site-to-site VPN already configured on the existing ASA with IP address 45.xx.xx.21 to the third-party systems.
05-24-2017 02:45 AM
Hi Bashiru,
You need to move the ISP cable to the switch and then connect the external interfaces of both ASAs to the switch. There is no need to purchase another IP address from the ISP. If one ASA fails, connectivity to the ISP will be through the second ASA because the ISP link is connected to the switch.
Please find the attachment, in which it is explained how the ASAs' external interfaces and the ISP will be connected.
If this was helpful, please give it a thumbs up
05-24-2017 03:46 AM
Spooster, thanks for your swift response and the diagram.
If the ISP cable is terminated on the switch and the existing external ASA IP is 45.xx.xx.21, what will now be the standby IP of the second ASA's external interface if we do not buy another IP? I know I can use a local IP for the LAN failover link between the two ASAs.
Also, if we put the port link from the ISP and the two external interfaces of both ASAs in the same VLAN: I already have two separate VLANs on the two internal interfaces of the existing ASA on the connecting switch, a Production VLAN and a Test environment VLAN where the servers are connected. What will be the relationship between these VLANs and the new edge switch VLAN?
Thanks bro
05-24-2017 03:55 AM
If you don't purchase another IP, then there will be no IP address on the external interface of the second ASA; as such, there is no need to configure an IP address on the external interface of the second ASA. When failover occurs from the first ASA to the second ASA, the 45.xx.xx.21 IP address will move to the second ASA.
The existing production and test VLANs will be for the servers. You need to configure one more VLAN that will provide connectivity from the ASAs' external interfaces to the ISP.
05-24-2017 05:23 AM
Thanks so much for the explanation.
Connectivity between the LAN failover link and the external interfaces of both ASAs is clear now, but how will the internal interface connections of both ASAs look?
Below is part of the summary of the configuration; please correct me if I am wrong:
- On the existing ASA, there is no need to configure a standby IP on the external interface, nor on the internal interface.
- On the existing ASA, configure the LAN failover IP on an interface, say 0/5, with a standby IP and failover key.
- On the second ASA, configure the LAN failover IP on an interface, say 0/5, with a standby IP and failover key, and connect the interface to port 0/5 of the existing ASA.
Reboot the standby ASA; when it comes up, save the configuration on the primary ASA and all other existing configuration will be replicated to the standby ASA.
Can someone guide me on how to get and implement the Security Plus license for both active/standby ASA 5512-X? The existing ASA has a base license and I expect the other ASA to be purchased to also have a base license.
05-24-2017 05:24 AM
For management of the standby ASA, you must configure a standby IP address on the internal interface.
You have to follow the steps below:
1) Install the Security Plus license on both ASAs. Check the output of show version to ensure that the Security Plus license is installed.
2) Connect the failover cable between both ASAs.
3) Configure failover on both ASAs.
4) After this, the standby ASA automatically synchronizes its configuration with the active ASA.
For the Security Plus license you need to contact Cisco.
ASA5512-SEC-PL is the part number of the Security Plus license for the ASA 5512-X.
05-24-2017 05:46 AM
Thank bro,
As regards the internal interfaces, on the existing ASA, Production has local IP 172.15.15.97 on interface 0/2 and TEST is on 172.15.15.254 on interface 0/1.
Will I configure 172.15.15.98 on interface 0/2 and 172.15.15.253 on interface 0/1 as the standby addresses for Production and Test on the STANDBY ASA, together with their respective active ASA IPs, and connect it to the switch that connects all the servers?
05-24-2017 07:11 AM
Yes, you can configure the above-mentioned IP addresses, but make sure that the interfaces are connected to the correct VLANs.
There must be different VLANs for the production and test networks. So connect the cables from the second ASA's interface 0/2 to the production VLAN and 0/1 to the test VLAN.
05-24-2017 07:58 AM
Thanks so much for taking the time to read and respond to my challenge. I really appreciate your kind gesture. I can now forward the proposal to management for procurement of the devices and license.
However, I usually SSH to the existing ASA via the external interface IP. How will I be able to access the standby ASA remotely?
Thank you all
05-24-2017 08:03 AM
If you want to access the standby ASA directly through the WAN, then you need a separate IP address for the external interface of the standby ASA.
Otherwise you can configure port redirection for the IP address of the switch: first access the switch through the internet, and then access the standby ASA from the switch using its internal IP address.
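Putting the pieces of this thread together, below is an added example of what the final configuration on the two units could look like. It is illustrative and is not configuration posted by anyone in the thread or supplied by Cisco. It assumes GigabitEthernet0/5 as the failover link on both units (the thread only says "say 0/5"), GigabitEthernet0/0 as the outside interface, /27 masks on the two inside networks so that 172.15.15.97/.98 and 172.15.15.254/.253 fall in non-overlapping subnets, a hypothetical hostname, a management host range on the production subnet for SSH, and placeholder values for the failover key and the ISP-assigned outside mask. The secondary unit only needs the failover block with `failover lan unit secondary`; everything else replicates from the active unit once failover is up.

```cisco
! --- Primary (existing) ASA 5512-X --- (assumed hostname)
hostname EDGE-ASA
! Show the unit's failover state in the CLI prompt so you can see whether you are on the active or standby unit
prompt hostname priority state
!
! Dedicated failover link, cabled ASA-to-ASA (assumption: Gi0/5 on both units)
interface GigabitEthernet0/5
 description LAN + stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface LANFailover GigabitEthernet0/5
! Shared secret so failover messages are authenticated and encrypted (placeholder, must match on both units)
failover key <FAILOVER-KEY-PLACEHOLDER>
! Reuse the same link for stateful replication so connection and VPN state survive a failover
failover link LANFailover GigabitEthernet0/5
failover interface ip LANFailover 10.254.254.1 255.255.255.0 standby 10.254.254.2
!
! Outside: the single ISP address with no standby IP; the address follows whichever unit is active
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 45.xx.xx.21 <ISP-MASK-PLACEHOLDER>
 no shutdown
!
! Inside networks: standby IPs so the standby unit is reachable for management
! (assumption: /27 masks, 172.15.15.96/27 for production and 172.15.15.224/27 for test)
interface GigabitEthernet0/2
 nameif production
 security-level 100
 ip address 172.15.15.97 255.255.255.224 standby 172.15.15.98
 no shutdown
!
interface GigabitEthernet0/1
 nameif test
 security-level 100
 ip address 172.15.15.254 255.255.255.224 standby 172.15.15.253
 no shutdown
!
! Fail over when the active unit loses link on a monitored interface
monitor-interface outside
monitor-interface production
monitor-interface test
!
! Reach the standby unit via its inside standby IP (assumption: admin hosts live on the production subnet)
ssh 172.15.15.96 255.255.255.224 production
!
failover
!
! --- Secondary (new) ASA 5512-X: configure only this, then cable the failover link ---
interface GigabitEthernet0/5
 description LAN + stateful failover link
 no shutdown
!
failover lan unit secondary
failover lan interface LANFailover GigabitEthernet0/5
failover key <FAILOVER-KEY-PLACEHOLDER>
failover link LANFailover GigabitEthernet0/5
failover interface ip LANFailover 10.254.254.1 255.255.255.0 standby 10.254.254.2
failover
```

After both units come up, `show failover` on the active unit should list the peer as "Standby Ready" and show identical interface states on both sides, and `show version` on each unit should report the Security Plus license the thread says is required. Because the standby unit has no outside address in this design, confirm reachability to it from the inside (its 172.15.15.98 or 172.15.15.253 address) rather than from the ISP side.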
05-24-2017 08:34 AM
Thanks so much!
05-24-2017 08:38 AM
Please mark your question as answered if you got all the answers, and rate if this was helpful.