05-06-2013 09:08 AM - edited 03-11-2019 06:39 PM
Hello guys!
Tomorrow I will be creating a rule that needs to be applied to both of our ASAs. Is there a way within ASDM to push that rule onto the other ASA? Or do I just log into the other ASA and create the same rule?
Thanks in advance!
05-06-2013 09:16 AM
Hi Eric,
Are these firewalls in a stateful failover setup? If yes, you don't need to make the change on the second ASA; just make the change on the active unit (check using the 'show failover' command) and it will automatically replicate to the standby unit.
If not, set up stateful failover as follows:
-
Sourav
05-06-2013 09:17 AM
In your case it would be LAN-based failover.
-
Sourav
05-06-2013 02:08 PM
Stateful vs. stateless refers to the standby unit keeping track of the active connections through the active unit so that end user impact is minimized in the event of a failover.
In either scheme, configurations are automatically written from the active to the standby unit.
File operations (AnyConnect client software images, system and ASDM images, 3rd party certificates, VPN and DAP profiles etc.) are not replicated and need to be manually copied.
05-07-2013 08:13 AM
There is an HA pair, and I am aware that any changes made to the active unit will replicate to the standby unit.
But we also have a DR ASA in another state, which is what I'm referring to. I believe that I need to manually create the firewall access rule on the DR site's ASA, but I just wanted confirmation.
Thank you guys for your input!
05-07-2013 08:40 AM
You're welcome.
Yes, a non-HA ASA would need to have the rule created separately. If you're using ASDM on the primary site, I'd suggest turning on the option to preview CLI commands. In the window that pops up when you apply, copy the commands being sent and then enter them on the DR site ASA via CLI.
The other option is to invest in Cisco Security Manager (CSM) which allows one to build configurations and policies for deployments across multiple sites and devices. You can do similar things with other configuration management tools but CSM is best suited for Cisco ASAs.
Please rate helpful posts.
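
A drift check for the manual copy described above, as an added example that is not part of the original thread: it compares `show running-config access-list` output from the primary and DR ASAs and reports rules that are missing, extra, or in a different order (ASA ACLs are first-match, so order changes what is permitted). The sample configs, ACL name and function names are constructed, and the check assumes both sites use the same ACL names and addressing.

```python
# Constructed sample output of `show running-config access-list` (not from the thread).
PRIMARY = """\
access-list OUTSIDE_IN remark Published services
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.30 eq 8443
access-list OUTSIDE_IN extended deny ip any any log
"""
DR = """\
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20  eq smtp
"""


def parse_acls(config):
    """Return {acl_name: [ace, ...]} in configured order, skipping remarks."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()  # also normalizes repeated whitespace
        if len(parts) < 3 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return acls


def acl_drift(primary, dr):
    """Compare two configs; return per-ACL differences (empty dict = in sync)."""
    p, d = parse_acls(primary), parse_acls(dr)
    report = {}
    for name in sorted(set(p) | set(d)):
        pa, da = p.get(name, []), d.get(name, [])
        missing = [ace for ace in pa if ace not in da]
        extra = [ace for ace in da if ace not in pa]
        # Same entries in a different sequence can shadow a permit behind a deny.
        reordered = [a for a in pa if a in da] != [a for a in da if a in pa]
        if missing or extra or reordered:
            report[name] = {"missing_on_dr": missing,
                            "extra_on_dr": extra,
                            "reordered": reordered}
    return report


if __name__ == "__main__":
    for acl, diff in acl_drift(PRIMARY, DR).items():
        print(acl, diff)
```

In the constructed DR sample the smtp permit sits after the `deny ip any any`, so it never matches even though the line is present; a plain "is the rule there" check would miss that.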