cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
726
Views
0
Helpful
5
Replies

Replicating an ASA rule from primary to secondary using ASDM

Eric Washington
Level 1
Level 1

Hello guys!

Tomorrow I will be creating a rule that needs to be applied to both of our ASAs. Is there a way within ASDM to push that rule onto the other ASA? Or do I just log into the other ASA and create the same rule?

Thanks in advance!

5 Replies 5

sokakkar
Cisco Employee
Cisco Employee

Hi Eric,

Are these firewalls in stateful failover setup? If yes, you don't need to make the change on second ASA, just make the change on active unit (check using 'show failover' command) and it will automatically replicate to standby unit.

If not, setup stateful failover as follows:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

-

Sourav

In your case it would be Lan based failover.

-

Sourav

Stateful vs. stateless refers to the standby unit keeping track of the active connections throught the active unit so that end user impact is minimized in the event of a failover.

In either scheme configurations are automatically written from the active to standby unit.

File operations (AyyConnect client software images, system and ASDM images, 3rd party certificates, VPN and DAP profiles etc.) are not replicated and need to be manually copied.

There is an HA pair which I am aware that any changes made to the active unit will replicate to the standby unit.

But we also have a DR ASA in another state which is what I'm referring to. I believe that I manually need to create the firewall acess rule on the DR site's ASA, but I just wanted confirmation.

Thank you guys for your input!

You're welcome.

Yes, a non-HA ASA would need to have the rule created separately. If you're using ASDM on the primary site, I'd suggest turning on the option to preview CLI commands. In the window that pops up when you apply, copy the commands being sent and then enter them on the DR site ASA via CLI.

The other option is to invest in Cisco Security Manager (CSM) which allows one to build configurations and policies for deployments across multiple sites and devices. You can do similar things with other configuration management tools but CSM is best suited for Cisco ASAs.

Please rate helpful posts.

Review Cisco Networking for a $25 gift card