11-30-2006 09:40 PM - edited 03-11-2019 02:03 AM
Essentially, I currently use Linux firewalls for clients. It's a simplistic (but poor) design. There is a primary and a secondary. They each have 2 interfaces on them. The public side has 2 IPs. One is the IP we manage the server on, and the other is the external address we route through. This external address moves between the pri and sec, depending on which is the active one in case we have to fail over. So to recap, we have 1 IP that does not move, and 1 IP that does move (within the same netblock). So for a pri-sec combo, 3 IPs are used on the public side.
We have a similar setup on the internal side: 1 IP that stays on each (for failover info) and then the gateway for the netblock we're firewalling (again, 3 IPs used, with one IP moving between the 2 depending on which is active).
We're implementing some ASAs for clients as well (for various reasons). The problem I'm running into is trying to set these up in a similar configuration to our current firewalls. I have 2 netblocks. I have a pair I'd like to set up in a failover configuration.
I can do away with the 3 internal interfaces and just have 1 IP (the gateway for the client machines) on an inside interface and fail that back and forth, since I can use another interface for the failover, but my problem comes with the public (outside) side of the ASAs. The public interfaces on the Linux firewalls are what we use for general management, and the external IP that moves between the pri and sec is what we route the client netblocks through. I can't seem to find a way to make a setup like this work, so I'm coming here for some advice. :)
With 2 netblocks, I need to be able to set up a failover configuration (preferably stateful), but still be able to access both ASAs remotely independent of whichever is active. This is probably extremely simplistic, but at this hour of night, my brain is fried.
Thank you in advance. I know the above is ill thought out and chaotic.
12-06-2006 05:06 PM
Hello
You cannot have secondary IP addresses configured on the ASA interfaces like on the Linux firewalls or the routers. You can probably manage the ASA through the outside segment on the same IP as the outside interface through SSH, HTTPS, etc., or do the following:
1) ASA firewalls do support VLANs. You can actually trunk the port between the router and the firewall and configure 2 separate VLANs, 1 for management and 1 for failover, with 2 separate IP subnets. You also need to configure dot1q encapsulation on your router and configure sub-interfaces.
2) When you separate these subnets through VLANs, they are logically separated DMZ zones, so the security is even more enhanced on your management VLAN.
For information on configuring VLAN on your ASA, please refer to:
http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7d.html
Hope this helps. All the best. Rate replies if found useful.
Raj
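To show how the trunk-plus-VLANs suggestion above maps onto actual configuration, here is an added example that is not part of the thread, of Raj's reply, or of Cisco's documentation. It assumes a classic ASA (5510-class, subinterface-capable) with a trunk on GigabitEthernet0/0 to the router, VLAN 10 for management and VLAN 20 for outside, a dedicated failover port on GigabitEthernet0/3, and RFC 5737 documentation addresses; every interface name, VLAN ID and address is an assumption. The `standby` keyword gives the standby unit its own address on each VLAN, which is what lets both units be reached independently of which one is active, while the shared active address is the one the router routes the client netblock through.

```cisco
! ===== Router side (hypothetical interface names and addresses) =====
interface GigabitEthernet0/1
 description dot1q trunk to the ASA pair
 no ip address
!
interface GigabitEthernet0/1.10
 description management VLAN towards the ASAs
 encapsulation dot1Q 10
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description outside VLAN; the client netblock is routed via the ASA active address
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.0
!
! Client netblock (constructed) lives behind the ASA inside interface
ip route 203.0.113.0 255.255.255.0 192.0.2.2

! ===== ASA primary unit (the secondary receives this config via failover sync) =====
interface GigabitEthernet0/0
 description trunk to router; physical port carries tagged subinterfaces only
 no nameif
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif management
 security-level 100
 ! primary answers on .2 while active, the standby unit on .3; they swap on failover
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
 management-only
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside
 security-level 0
 ! 192.0.2.2 is the address that moves with the active unit
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! gateway for the client netblock; also follows the active unit
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
!
interface GigabitEthernet0/3
 description dedicated failover and state link
 no shutdown
!
! Active/standby failover with stateful replication on the same link
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Remote access is only accepted on the management VLAN, never on outside
crypto key generate rsa modulus 2048
http server enable
http 198.51.100.0 255.255.255.0 management
ssh 198.51.100.0 255.255.255.0 management
ssh version 2
```

Only the primary needs the full configuration; the secondary needs `failover lan unit secondary` plus the same `failover lan interface` and `failover interface ip` lines, and once `failover` is enabled it pulls the rest of the running configuration from the primary. Keeping the `http`/`ssh` access lines scoped to the management VLAN means the outside VLAN that carries the client traffic never exposes the management plane, which is the security gain Raj's second point refers to.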