09-19-2017 01:27 PM - edited 02-21-2020 06:20 AM
Hi All
When setting up Cisco ASA firewalls, we prefer to install them in pairs. A High Availability (HA) pair is our usual deployment and works well for our particular solution model. Our current customer has forced us down the route of a single firewall and a switch stack of 2x 2960s "without" a standby firewall. Our single firewall needs to be connected to both switches for redundancy even though we only have one firewall. I appreciate this is neither ideal nor our common practice, but I have to work with what I have and come up with a viable solution.
At present I only have 2x Gig links from the firewall to the switch stack but need to pass 3x VLANs across them to control access across the subnets. Normally this would be achieved by the following configuration (if I had access to 2 firewalls):
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif VLAN_Redundant_Interface
 security-level 50
 no ip address
!
interface Redundant1.77
 description VLAN 77 Example
 vlan 77
 nameif VLAN_77
 security-level 50
 ip address 192.168.77.1 255.255.255.0
!
interface Redundant1.21
 description VLAN 21 - Example
 vlan 21
 nameif VLAN_21
 security-level 50
 ip address 192.168.21.1 255.255.255.0
!
interface Redundant1.31
 description VLAN 31 - Example
 vlan 31
 nameif VLAN_31
 security-level 50
 ip address 192.168.31.1 255.255.255.0
I currently don't have two firewalls, so I can't create "interface Redundant" as far as I know, and I am looking for a way to pass the 3 VLANs I have with only the 2x Gig links from my single firewall.
Hope this makes some sense. I know it's not best practice, but at present nobody is willing to put their hand in their pocket and pay for the additional firewall.
If it helps I can post an image, but I don't have one to hand just now.
09-19-2017 02:54 PM
Hi Lee-Barrell,
You can configure a redundant link on a single ASA. You do not need an ASA pair to configure a redundant link. A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA's reliability. Redundant links and ASA failover pairs are two different concepts. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.
09-19-2017 03:36 PM
OK, that's reassuring, so I can pass all my VLANs via my two Gigabit links, use sub-interfaces and set it up as a redundant interface pair.
09-19-2017 11:09 PM
Just use a port-channel.
09-20-2017 12:44 AM
Peter Kolti
I didn't think I could use a port-channel as I only have 2 physical connections and 3 VLANs to pass to the ASA?
09-20-2017 01:05 AM
Create 3 subinterfaces on the Port-channel
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.5
 vlan 5
!
interface Port-channel1.6
 vlan 6
!
interface Port-channel1.7
 vlan 7
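A fuller version of the port-channel approach from the reply above, written as an added example rather than the poster's or Cisco's own configuration. It reuses the VLAN IDs and addresses from the original post, assumes ASA 9.x syntax with GigabitEthernet0/1 and 0/2 as LACP members, and assumes the 2960 stack is a stackable 2960-S/X pair with one uplink on each stack member (the switch port numbers and stack model are assumptions). The switch side prunes the trunk to exactly the three VLANs so nothing else reaches the firewall, and the ASA parent interface deliberately carries no nameif so untagged frames are not processed.

```cisco
! ===== ASA side (assumed ASA 9.x syntax) =====
! Both physical links become LACP members of Port-channel1. Landing one link on
! each stack member gives both link and stack-member redundancy from one firewall.
interface GigabitEthernet0/1
 description Uplink to stack member 1 Gi1/0/1 (assumed port)
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2
 description Uplink to stack member 2 Gi2/0/1 (assumed port)
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
! The parent port-channel is only the 802.1Q trunk: no name, no address, so
! untagged (native-VLAN) frames arriving on it are dropped rather than handled.
interface Port-channel1
 description 802.1Q trunk to 2960 stack
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN. Each is a separate named ASA interface, so access
! between the three subnets is enforced by ACLs bound to these nameifs.
interface Port-channel1.77
 description VLAN 77
 vlan 77
 nameif VLAN_77
 security-level 50
 ip address 192.168.77.1 255.255.255.0
!
interface Port-channel1.21
 description VLAN 21
 vlan 21
 nameif VLAN_21
 security-level 50
 ip address 192.168.21.1 255.255.255.0
!
interface Port-channel1.31
 description VLAN 31
 vlan 31
 nameif VLAN_31
 security-level 50
 ip address 192.168.31.1 255.255.255.0
!
! All three subinterfaces share security-level 50. Without this command the ASA
! silently drops traffic between equal-security interfaces; with it, traffic is
! permitted and should then be narrowed with an access-group on each nameif.
same-security-traffic permit inter-interface

! ===== Switch-stack side (Catalyst 2960-S/X stack, ports assumed) =====
! Cross-stack EtherChannel: one member port on each stack switch, trunk pruned
! to the three firewall VLANs only. The 2960 trunks 802.1Q natively, so no
! encapsulation command is needed.
vlan 21,31,77
!
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description Uplinks to ASA Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 21,31,77
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description EtherChannel to ASA
 switchport mode trunk
 switchport trunk allowed vlan 21,31,77
 switchport nonegotiate
```

After applying this, `show port-channel summary` and `show interface ip brief` on the ASA should list both members bundled in Po1 and the three subinterfaces up, and `show etherchannel summary` on the stack should show Po1 with both members in use (flag P). If only one member bundles, check that both ends use LACP active and that the trunk allowed-VLAN lists match on every member port.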