Forwarding traffic to secondary ASA

giridar (Level 1)

Hi All,

Currently our internet traffic is routed through an ASA and we are planning to bring in a second one as a failover.

The routing is configured on a Layer 3 switch. How can we configure the switch to route the traffic to the secondary ASA if the primary fails?

Thanks in advance.

Accepted Solution

Thank you for the additional information telling us that you do plan to implement an HA failover pair of ASAs, and for telling us that a switch connects your local network to the ASA and that another switch connects the ASA to the ISP. This is pretty much the classic implementation of HA failover on ASA.

You asked this question: "how can we configure the switch to route the traffic to the secondary ASA if the primary fails". The answer is quite simple: you do not change the routing of the switch at all. It still forwards traffic to its configured gateway. The way that HA failover on ASA works is that the original ASA is treated as the Primary/active ASA. It keeps the same IP addresses on its inside and on its outside interfaces. The new ASA is treated as the Secondary/standby ASA. You configure its inside interface and its outside interface with IP addresses in the subnets of the inside and outside interfaces. The ASAs keep track of the status of their peer ASA. If the Secondary detects a failure of the active ASA then the Secondary ASA transitions to the active role and adopts the IP addresses of the active ASA. So your inside switch keeps forwarding to the same gateway IP address (and the ISP keeps forwarding to the same outside IP address). When the original ASA comes back into service it will assume the role (and the IP addresses) of the standby ASA. The failover is pretty transparent to both your inside switch and the switch connecting to the ISP.

Here is a link to information about ASA HA failover. I hope you find it useful.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf

HTH

Rick
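As an added illustration that is not part of the original thread, this is the shape of the active/standby configuration Rick describes, using constructed addresses from the documentation ranges: the inside and outside IPs live on whichever unit is currently active, the `standby` address follows the standby unit, and the Layer 3 switch keeps its single static default route. The interface names, the dedicated failover link and the shared key value are assumptions.

```text
! Primary ASA (constructed example; addresses and interface names are assumptions)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
! Dedicated link carrying failover hellos and state between the two units
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink GigabitEthernet0/2
! Shared key so that only an authenticated peer can negotiate the active role (placeholder value)
failover key <REPLACE_WITH_SHARED_SECRET>
failover

! Secondary ASA: only the failover bootstrap is typed here; interface addressing is
! replicated from the primary. It holds the "standby" addresses (.2 / .3) until it
! becomes active, at which point it assumes 192.168.1.1 and 203.0.113.2 (and the
! active MAC addresses), so the switch's gateway entry stays valid.
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <REPLACE_WITH_SHARED_SECRET>
failover

! Layer 3 switch: the default route never changes, because the active unit,
! whichever one it is, always answers for 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Once both units are up, `show failover` on either ASA reports which unit is Active, which is Standby Ready, and the health of each monitored interface; that is the check to run before trusting the pair.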

5 Replies

Dennis Mink (VIP Alumni)

Have you actually set up the two ASAs as HA? Or are you aiming to fail over based on routing?

In which case, how do the ASAs connect to the internet through the outside interface?


I agree with @Dennis Mink that we need more information about how you intend to implement the second ASA. The more frequent implementation is to configure the ASAs as a High Availability failover pair. But it is also possible to configure the second ASA as an independent device.

We also need some understanding of how each ASA will connect to the outside. A frequent implementation is that both ASAs connect to a switch which provides connectivity to a single ISP device (this works very well for the HA failover implementation). But if the existing ASA connects directly to the outside, then there is a question of how the second ASA will connect. Will it connect to a different ISP device? (This works well if the ASAs are independent and not part of HA failover.)

 

HTH

 

Rick


Thank you Dennis, it will be HA, and as Richard mentioned it is a common setup (the ASAs connect to a switch which provides connectivity to a single ISP device).


I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will make it easier for other participants in the community to identify discussions that have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick
