Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
0
Helpful
4
Replies

Setting up active and standby firewalls

Andy White
Level 3
Level 3

‎10-15-2011 01:19 PM - edited ‎03-11-2019 02:38 PM

Hello,  I have a 5510 ASA and have been given another an told to make them active and standby.  Can anyone suggest how I do this?    Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level.  I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside?  Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.  Thanks  Many thanks

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎10-15-2011 02:20 PM

Andy

Basically you have outlined what needs doing.

Cisco recommend not using a crossover cable but to use a switch for the failover connection(s). It doesn't have to be a dedicated switch, it could be the switch you have your ASA interfaces on for example.

You would need a vlan on both sides as you say because the common eg. outside on both firewalls)  interfaces need to be in the same L2 vlan. Usually you assign an IP address per interface for the standby as well although sometimes an IP for the outside interface is not available as you don't have a spare public IP. But if you have one then probably best to use it as the interface can then be monitored.

See this doc for full details (including monitoring) of failover config -

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

Jon

0 Helpful

Andy White
Level 3
Level 3
In response to Jon Marshall

‎10-15-2011 03:05 PM

Thanks Jon.  I did read a few examples and they all seem to link the ASA direct using a crossover and not a switch for the failover, I guess it would still work just fine?  Would you just stick the 2 ASA's into a single vlan that nothing else can access so they can just poll each other?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Andy White

‎10-15-2011 04:05 PM

Hello Andy,

You are right, using a crossover cable it is going to work fine, cisco recommends to use a switch for troubleshooting purposes.

In order for a failover to work they would need to have the same configuration, so to make this configuration more accurate it would be great if both ASAs have their interfaces on the same broadcast domain ( Outside with outside, inside with inside and of couse the failover interface wich is the ones they are going to use to send the replications and the keeps alive.

Hope this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Andy White

‎10-15-2011 04:10 PM

Andy

Just to add to Julio's post, yes i would make the vlans for the outside and inside interfaces dedicated for the firewalls and not have any client devices in those vlans.

Note the inside vlan will just have the ASA inside interfaces and the switchports you connect the ASA interfaces to.

The outside vlan will just have the outside interfaces and upstream routers in it.

The failover vlan (if you don't use the crossover cable) should only have the 2 ASA interfaces in it.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card