Beginner

Redundant inside interfaces on ASA 5505

My customer is running an ASA5505 with 8.3 code.

They have a somewhat flaky proxy between their inside LAN and the firewall.  I'd like to have a configuration as follows:

LAN   > Proxy > VLAN 1 (eth0/2) on ASA

and

LAN > VLAN 1 (eth0/3) on ASA

So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.

This appears to be easily configured according to the documentation:

"The following example creates two redundant interfaces:

hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"

But these commands don't seem to be available on a 5505.

Any ideas on how this could be done with a 5505?

Best regards,

Tom Sutherland

Contributor

Re: Redundant inside interfaces on ASA 5505

Remember that the ASA 5505 has 8 switch interfaces. You configure interface VLANs and assign the necessary switch ports to the desired VLAN. You can have two interfaces assigned to a specific VLAN. This VLAN will be configured with an interface VLAN and with its IP. You will be able to do the same thing as interface redundant with the two L2 interfaces assigned to the VLAN.

I hope this helps.

Beginner

Re: Redundant inside interfaces on ASA 5505

Thanks, but I think I'm still missing something.  See below - I've got two physical interfaces on the same VLAN (eth0/2 and eth0/3):

ASA(config-if)# show run int
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.0 255.255.0.0
!
interface Vlan2
 description Charter Internet Connection
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.224
!
interface Vlan3
 description Old Internet Connection
 nameif outside2
 security-level 0
 ip address y.y.y.y 255.255.255.0
!
interface Ethernet0/0
 description Connected to ISP A
 switchport access vlan 2
!
interface Ethernet0/1
 description Connected to ISP B
 switchport access vlan 3
!
interface Ethernet0/2
 description Connected to LAN
!
interface Ethernet0/3
 description Connected to LAN
!
ASA(config)# interface redundant 1
                               ^
ERROR: % Invalid input detected at '^' marker.

Contributor

Re: Redundant inside interfaces on ASA 5505

The command interface redundant is not supported. But with interface redundant you basically will have two interfaces configured exactly the same with two cables going to another device or devices. Here you don't have the interface redundant command, but with your current config you will be able to do the same. Just connect cables to the two ports already configured.

Beginner

Re: Redundant inside interfaces on ASA 5505

Hmm, that offends my intuition. Will I not have to worry about spanning tree loops? How will the clients on the LAN/ASA know which interface to use?

I do, however, get the gist of your comment. Can you point to any document that states that this command is unsupported on the 5505? My customer is looking at the 8.3 manual and it doesn't say anywhere that this won't work for them. :/

Contributor

Re: Redundant inside interfaces on ASA 5505

You are right Tom, I don't see in the documentation that it is not supported. I have my ASA 5505 on version 8.0 with Sec Plus and the command doesn't show.

I am not sure if the documentation is bad. Let me do more research.

Contributor (accepted solution)

Re: Redundant inside interfaces on ASA 5505

Tom, check this link:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/i3.html#wp1911697

For redundant interfaces (not available for models with a built-in switch):

interface redundant number
no interface redundant number

That is what tells you that interface redundant is not supported. I guess you should look for a different option.

Regarding STP, the ASA 5505 does not participate, so you have to be careful.

I hope this helps.

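The approach the replies describe (two switch ports in one VLAN, with the VLAN interface carrying the inside address), written out as a complete ASA 5505 configuration together with the commands used to verify it. This is an added example; it is not a configuration from the thread or from Cisco's documentation. The interface numbers, VLAN number and the 10.10.0.1/16 address are assumptions modelled on Tom's posted show run, and the addresses are constructed rather than taken from any real network.

```cisco
! Added example, not from the original thread: ASA 5505 running 8.3.
! Goal: the inside LAN stays reachable over either Ethernet0/2 or
! Ethernet0/3. The 5505 has no "interface redundant" command, so the
! equivalent is two switch ports in the same VLAN, with the VLAN
! interface (not the physical ports) holding the inside IP address.
!
! Layer-3 side: one VLAN interface owns the inside address.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
! Layer-2 side: both physical ports are access ports in VLAN 1.
! VLAN 1 is the default access VLAN on the 5505, so "switchport access
! vlan 1" is shown explicitly only to make the membership obvious in
! the running config.
interface Ethernet0/2
 description Connected to LAN (via proxy)
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/3
 description Connected to LAN (direct)
 switchport access vlan 1
 no shutdown
!
! Verification:
!  - show switch vlan            both Ethernet0/2 and 0/3 listed under VLAN 1
!  - show interface Vlan1        stays "up" while at least one member port is up
!  - show switch mac-address-table
!                                shows which member port each LAN MAC was
!                                learned on, i.e. which path is in use
show switch vlan
show interface Vlan1
show switch mac-address-table
```

The caveat from the accepted answer applies directly to this configuration: the two ports are bridged by the 5505's internal switch, and the ASA itself does not run spanning tree. If both ports end up in the same upstream layer-2 domain, only the upstream switch's STP can detect the resulting loop and put one of its ports into blocking; confirm that on a Cisco IOS switch with show spanning-tree vlan 1 before relying on the second link, and watch the ASA's show switch mac-address-table output for MAC addresses flapping between Ethernet0/2 and Ethernet0/3, which is the symptom of a loop that was not blocked.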

Beginner

Re: Redundant inside interfaces on ASA 5505

Perfect - thanks so much.

Enthusiast

Re: Redundant inside interfaces on ASA 5505

Hello all,

I hate to revive an old thread, but it seems this conversation was right on track with a solution I am trying to research.

We have two ASA5505s for 3rd party VPN connections. One ASA is for one vendor, the other ASA is for another vendor. Currently on each, 3 interfaces are used. One goes to our DMZ, a switchport in access vlan 20. Another goes to our ISP1, a switchport in access vlan 66, and finally the third interface goes to our ISP2, a switchport in access vlan 68. Should one of the external ISPs fail, IP SLA on both ends (us and the vendor's side) switches the IPSEC tunnel to the alternate external route. This takes care of external redundancy, as each ISP is terminated on a different core switch.

The issue is internal redundancy. I am terminating that DMZ (local side) into our 1st core switch. I'd LIKE to terminate another interface into our 2nd core switch for redundancy. That way, if we ever do a code upgrade on a core switch stack, everything we connect through multi-chassis link aggregation or redundant links will still have network access. Sure, we could do this manually by pre-configuring a port on the 2nd core switch and just swinging the cables over prior to doing a switch software update. However, I like things to be automatic. Though it would most likely be us causing a switch to go down for code upgrades, there is also that chance of hardware failures that happen who knows when.

The switches have STP on, so I take it that the switch would just put one of the ports into a blocking state? Or can the local interface on the ASA5505 be an 802.3ad LACP trunk? That way I could terminate it into an MLAG between both core switch stacks.

Any advice is appreciated, thank you!