Solved: Interface Redundant and sub Interface's - Single ASA 5525X

Tyler Durden · ‎09-19-2017

Hi All

When setting up Cisco ASA firewalls, we prefer to install them in pairs. A High Availability (HA) pair is our usual deployment and works well for our particular solution model. Our current customer has forced us down the route of a single firewall and a switchstack of 2x 2960’s "without" a standby firewall. Our single firewall needs to be connected to both switch’s for redundancy even though we only have one firewall. I appreciate this is not ideal and our common practice but I have to work with what I have and come up with a viable solution.

At present I only have 2x Gig links from the firewall to the switch stack but need to pass 3x VLAN’s across them to control access across the subnets. Normally this would be achieved by the following configuration (If I had access to 2 Firewalls)

interface Redundant1

member-interface GigabitEthernet0/1

member-interface GigabitEthernet0/2

nameif VLAN_Redundant_Interface

security-level 50

no ip address

!

interface Redundant1.77

description VLAN 77 Example

vlan 77

nameif VLAN_77

security-level 50

ip address 192.168.77.1 255.255.255.0

!

interface Redundant1.21

description VLAN 21 - Example

vlan 21

nameif VLAN_21

security-level 50

ip address 192.168.21.1 255.255.255.0

!

interface Redundant1.31

description VLAN 31 - Example

vlan 31

nameif VLAN_31

security-level 50

ip address 192.168.31.1 255.255.255.0

I currently don’t have two firewalls so cant create “interface Redundant” as far as I know and am looking for a way to pass the 3 VLANs I have with only the 2x GIG links from my single firewall.

Hope this makes some sense and I know it’s not best practice but at present nobody is willing to put there hand in their pocket and pay for the additional firewall.

If it helps I can post an images but don't have one to hand just now

Peter Koltl · ‎09-20-2017

Create 3 subinterfaces on the Port-channel

interface Port-channel1
 no nameif
 no security-level
 no ip address
int Po1.5
 vlan 5
int Po1.6
 vlan 6
int Po1.7
 vlan 7

View solution in original post

Spooster IT Services · ‎09-19-2017

Hi Lee-Barrell,

You can configure Redundant link on single ASA. You do not need ASA pair to configure Redundant link. A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA reliability. Redundant link and ASA failover pair are two difrent concepts. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.

Spooster IT Services Team

Tyler Durden · ‎09-19-2017

Ok thats reassuring so I can pass all my VLANs via my two Gigabit links, use sub interface's and set it up as redundant interface pair

Peter Koltl · ‎09-19-2017

Just use a port-channel.

Tyler Durden · ‎09-20-2017

Peter Kolti

I didn't think I could use a port channel as I only have 2 phisical conections and 3 VLANs to pass to the ASA?

Peter Koltl · ‎09-20-2017

Create 3 subinterfaces on the Port-channel

interface Port-channel1
 no nameif
 no security-level
 no ip address
int Po1.5
 vlan 5
int Po1.6
 vlan 6
int Po1.7
 vlan 7