06-14-2012 02:08 PM - edited 02-21-2020 04:40 AM
Hi,
I had a similar discussion/thread going on, but I got answers and now I have a different question on the same issue. I am trying to configure Active/Standby, Ethernet cable model, no switch in between the two ASAs.
Attached is what I have gathered from the Cisco document on this method, but it's somehow confusing, in which the config sample says "PIX" as hostname!?
Also, I was wondering if someone could please help me with a sample CLI configuration so I can see how it is done using private IP addresses as listed in the document attached.
Regards,
Masood
06-15-2012 02:36 AM
Yes, you can either use crossover cable or connect the failover port to the switch as long as they are in the same subnet.
Hostname is PIX as the ASA configuration is legacy from PIX, so it continues to use PIX as the hostname. Hostname is configurable so you can just change it to something else you like.
Here is a sample configuration for Active/Standby failover for your reference:
Hope that helps.
06-27-2012 12:14 PM
It's simple... You can have the PIX/ASA connected directly for active/standby...
On the primary ASA, i.e. the one you decide is primary, you have to configure the required configuration and keep it ready...
For example, on the primary ASA the commands below are a must for active/standby to work.
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed [100/1000]
duplex full
no shut
!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
!
On the secondary ASA you can have just the commands below configured... After configuring the primary ASA, connect the primary ASA Gig 0/3 to the secondary ASA Gig 0/3... That's it: all the configuration will get replicated to the standby ASA and failover will start working...
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover link failover GigabitEthernet0/3
failover lan unit secondary
failover
06-27-2012 12:25 PM
Thank you so much Karthikeyan Natarajan.
In this configuration, 192.168.1.2 and .1 will be applied under the actual physical interfaces Gi 0/3 on the primary and the secondary ASAs?
I guess I am trying to see if those interfaces Gi 0/3 on both devices need IPs, or if just these same IPs are used as interface IP and as failover IP?
Please advise,
Regards,
Masood
06-27-2012 12:32 PM
On both devices it should be the same IPs on the interface... one will be the primary and the other one will be the secondary...
Once failover starts working, if you check the configuration, both firewalls will have the same config replicated from active to standby... In the sh run there will be only one difference: failover unit shows primary for active and secondary for the standby...
The active firewall uses the 1st IP (primary) and the 2nd IP will be used by the standby...
Please make sure both firewalls have similar connectivity to the downstream and upstream... Both should have the same count of interfaces configured in a normal scenario...
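Added example, not part of the thread and not Cisco's code: a small Python check that compares the failover stanzas of the two units the way the posts above describe (same failover interface and IP pair on both, only the unit role differs). The check for `failover key` goes beyond what the posts cover; it is included because failover link traffic is sent in clear text unless a key is configured. The function names are hypothetical and the sample stanzas are constructed from the commands posted in the thread.

```python
import ipaddress

# Constructed sample input: the failover commands posted in the thread.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse(cfg):
    """Collect the failover settings of one unit from its configuration text."""
    out = {"enabled": False, "secured": False}
    for w in (line.split() for line in cfg.splitlines()):
        if w == ["failover"]:
            out["enabled"] = True
        elif w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            out["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"] and len(w) == 5:
            out["lan_if"] = (w[3], w[4])          # (name, physical port)
        elif w[:2] == ["failover", "link"] and len(w) == 4:
            out["link_if"] = (w[2], w[3])
        elif w[:3] == ["failover", "interface", "ip"] and len(w) == 8 and w[6] == "standby":
            out["ip"] = (w[3], w[4], w[5], w[7])  # (name, active, mask, standby)
        elif w[:2] in (["failover", "key"], ["failover", "ipsec"]):
            out["secured"] = True
    return out

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    if not (p["enabled"] and s["enabled"]):
        findings.append("failover not enabled on both units")
    if (p.get("unit"), s.get("unit")) != ("primary", "secondary"):
        findings.append("unit roles must be primary and secondary")
    for key in ("lan_if", "link_if", "ip"):
        if p.get(key) is None or p.get(key) != s.get(key):
            findings.append(f"{key} missing or differs between units")
    if p.get("ip"):
        _, active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.ip_address(standby) not in net:
            findings.append("active and standby IPs must be distinct hosts in one subnet")
    if not (p["secured"] and s["secured"]):
        findings.append("no failover key: failover link traffic is sent in clear text")
    return findings
```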