Replication of ASA ACL and NAT?

william-nelson
Level 1

I am attempting to set up our DR environments and the only thing escaping me at this moment is the best way to replicate ACL and NAT objects from one site to another.

Basically, we have two sites, both of which run external resources, so it is not the traditional Active/Passive DR and it doesn't even fall under the Active/Active either because the services at both locations are different. 

We have a MetroE between the sites, so that helps from a L1-L3 perspective, but my issue is being able to failover between the sites and have all of the failed site's external resources available. I know I can do this by manually keeping the objects updated, but I would like to automate the process more.

We are going to have BGP do the external routing with our portable ARIN /24, but after that it is a little more difficult. 

Options that I have looked into are ASA clustering and different contexts on the ASAs, but they each have their own limitations. 


If someone could guide me to any other suggestions, I am lost here.

7 Replies

pradypan
Cisco Employee

Hi William,

The only way to have automatic replication of configuration between the two ASA devices is when they are in a failover pair. In the failover pair they will sync the configuration automatically.

If you are not running in a failover pair then in that case it will be a manual effort.

Hope this helps.

Regards

Pradyumna

Yes, I did forget to mention that each site has a pair of ASAs that are already in a failover pair and doing replication between them. 

I was afraid there was not an easy way of doing this.

EEM isn't really what I need because I need to be able to have a "primary" and "secondary" config on each device and then in a failover situation have the primary and secondary active. Otherwise, have just the primary active.

Hi-

Cisco Security Manager (CSM) will do what you are looking to do.

PSC

Paul, actually I have been looking at the Solarwinds version and trying to figure out with config templates if that will work for my scenario.

Does the CSM offer the ability to change certain items in the DR site based on some logic?

Hi -

Yes to a certain extent.  What it really provides you is a master repository for changes and a change control process.  Once you create a policy that applies to multiple systems, you don't have to worry about them going out of sync.  It does require a bit of a change in your administration methods since everything is done via CSM instead of the local management of the devices (ASDM / SSH).

PSC

If you are running ASA version 9.2(1) or higher you could use EEM to copy the running-config from the primary site ASA to the DR site ASA running-config.  Time it to do a weekly transfer.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

--

Please remember to select a correct answer and rate helpful posts


william-nelson
Level 1

What do you guys think about the use of another context for the secondary config? I know I mentioned it wasn't ideal in the original post, but I am thinking about it more and am trying to see if I can work through the issues of it.

If I used another context with a different IP subnet from production, then when BGP re-routes traffic in a DR scenario, the secondary context should work, then I can use something like Solarwinds network configuration manager to keep the contexts up-to-date.

Thoughts?
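Whichever route the thread settles on (failover pairs, CSM, EEM copies, or a second context kept in step with a config manager), the recurring risk is the two sites' ACL, object and NAT policy quietly drifting apart. The following added example is not from the thread or from Cisco: it is a small offline check that parses two ASA running-configs and reports which policy statements the DR site is missing or has changed; the sample configs and the `web-srv` / `mail-srv` object names are constructed.

```python
import re

# Added example (not from the thread or Cisco): diff the ACL / object / NAT
# policy of two ASA running-configs so a site-to-site sync can be checked.
POLICY_PREFIXES = ("access-list ", "nat ", "access-group ")
OBJECT_HEADER = re.compile(r"^object(-group)? (network|service) \S+")

def extract_policy(config_text):
    """Return the set of policy statements in an ASA config as tuples.

    An object block is one tuple (header, *children), so a changed member
    address is reported instead of hiding behind an unchanged header line.
    """
    policy, lines, i = set(), config_text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if OBJECT_HEADER.match(line):
            block = [line]
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            policy.add(tuple(block))
        elif line.startswith(POLICY_PREFIXES):
            policy.add((line,))
    return policy

def diff_policy(primary_cfg, dr_cfg):
    """Return (missing_on_dr, extra_on_dr) as sorted lists of statements."""
    primary, dr = extract_policy(primary_cfg), extract_policy(dr_cfg)
    fmt = lambda stmts: sorted(" / ".join(s) for s in stmts)
    return fmt(primary - dr), fmt(dr - primary)

# Constructed sample configs, not real site data; the DR copy has drifted.
PRIMARY_CFG = """\
object network web-srv
 host 10.1.1.5
object network mail-srv
 host 10.1.1.6
access-list outside_in extended permit tcp any object web-srv eq https
access-list outside_in extended permit tcp any object mail-srv eq smtp
nat (inside,outside) source static web-srv web-srv-pub
access-group outside_in in interface outside
"""
DR_CFG = PRIMARY_CFG.replace("host 10.1.1.6", "host 10.1.1.7").replace(
    "access-list outside_in extended permit tcp any object mail-srv eq smtp\n", "")

if __name__ == "__main__":
    print(diff_policy(PRIMARY_CFG, DR_CFG))
```

Run against `show running-config` output pulled from each site, the two lists are the statements a sync job (or an engineer) still has to reconcile before a BGP failover would actually expose the failed site's services.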
