Re: Same WAN IP on secondary ASA. Is this possible?

MARENGO78 · ‎08-17-2018

Hello Everyone,

I am configuring two ASAs in fail over mode but there's is a constrain. We only have one public IP. Will it be possible to configure the same WAN IP on both primary and secondary ASAs?

If the primary ASA fails, I plan on just moving the ISP cable over to the secondary. I know this is not ideal but I have to work with this for now.

I tried to add the IP on the secondary ASA but it does not show in the "show interfaces ip brief"

It does show under the show run int.

Thank you,

Karsten Iwen · ‎08-17-2018

In situations like these, you connect both ASA outside interfaces and the ISP-router to a switch. The outside-interface is configured without a standby-address. Failover will still work in this scenario.

MARENGO78 · ‎08-22-2018

Hello Karsten,

If I don't put a standby IP on the primary ASA, the secondary doesn't get an IP on its outside interface. My question is: How is the Secondary ASA going to know to forward traffic out to the internet without an IP address on its outside interface.

Thank you,

Karsten Iwen · ‎08-23-2018

The standby IP is only for sending monitoring-packets between the two ASAs. If the active unit fails, the standby unit will take over the configured IP-address and use it. Configuring it this way is a common situation when the ISP only assigns a /30 to the customer but the ASA has to operate in HA-mode.