Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1632
Views
0
Helpful
7
Replies

Redundant Inside Link to ASA Firewall

KyleHB
Level 1
Level 1

‎07-24-2018 02:40 AM - edited ‎03-08-2019 03:43 PM

Hi,

 

I have a scenario where we have 2 Cisco 5516 Firewalls that are configured as Active/Standby mode. Here is a simple topology below:

 

2.PNG

Now my issue is, I would like to have my Inside link to be redundant. Meaning if for example, If I unplug the cable from L3 to the Primary ASA, the link should still be up as there is another cable connecting to my Standby ASA. Now I am not sure what type of configuration should I do in my L3 and in my Inside interface in the ASA. 

 

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside2
security-level 0
ip address 2.2.2.2 255.255.255.0 
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 100.100.100.1 255.255.255.0
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
description STATE Failover Interface

Here is the current configuration in my ASA. The 1.1.1.1 and 2.2.2.2 is just an example of Public IP.

 

 

Thanks in advance!

 

 

Labels:
0 Helpful
7 Replies 7

Karsten Iwen
VIP
VIP

‎07-24-2018 03:25 AM

That's not how Failover on the ASA works. Just connect two links from each ASA to the Switch and configure them as Etherchannel.

0 Helpful

KyleHB
Level 1
Level 1
In response to Karsten Iwen

‎07-24-2018 07:28 PM

Hi Karsten,

 

Thanks for the reply. I'm pretty sure my Failover in ASA works. The only problem I am encountering is having a redundant INSIDE link.

 

I've tried configuring 2 interfaces in my L3 switch as etherchannel, like so:

conf t

int range G1/0/23-24

channel-protocol lacp

channel-group 10 mode active

switchport mode access

switchport access vlan 100

 

interface port-channel 10

channel-protocol lacp

channel-group 10 mode active

switchport mode access

switchport access vlan 100

 

in ASA/primary:

G0/0

no nameif

no security level

no ip address

channel-group 1 mode active

 

interface port-channel 1 

lacp max-bundle 8

nameif inside

security-level 100

ip address <inside IP address> <inside subnet mask>

 

wr

wr standby

 

Now I assume that my configuration on the ASA primary will be replicated on my ASA secondary. Meaning both G0/0 on both ASA are now part of the etherchannel. For testing I've tried connecting both my inside from L3 to ASA primary/secondary. 

 

The problem is, I am unable to pass thru the internet if both the INSIDE link is up up state. It only works if one of the INSIDE interface is down.

 

 

Thanks!

0 Helpful

Karsten Iwen
VIP
VIP
In response to KyleHB

‎07-25-2018 12:05 AM

That's what I mean with that A/S-Failover does not work that way. The L3-Switch has either two separate links to the ASAs, or you have two channels, one channel to the primary ASA and one channel to the secondary ASA. But with A/S you can not have one channel that goes to both ASAs.

0 Helpful

Julio E. Moisa
VIP Alumni
VIP Alumni

‎07-24-2018 04:41 AM - edited ‎07-25-2018 05:11 AM

Hi

Im not really sure if i am understanding the question, but you could have 2 links connected from the switch to the firewall (2 or + links from switch to primary firewall and other 2 or + links from switch to the backup firewall) under the same nameif "INSIDE" through redundant interfaces, for example:

 

FIREWALL

 

interface redundant 1

nameif INSIDE

security-level 100

ip address 10.10.10.1 255.255.255.0

no shutdown

member-interface <example g0/0>

member-interface <example g0/1>

 

interface g0/0

<no configuration, no ip address>

redundant-interface 1

 

interface g0/1

<no configuration, no ip address>

redundant-interface 1

 

 

SWITCH

 

vlan 100

name P2P-TO-FW

 

interface range g1/0/23-24

switchport access vlan 100

switchport mode access 

no shutdown

 

interface vlan 100

ip address 10.0.0.2 255.255.255.0

no shutdown

 

Hope it is useful

:-)

 

 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

KyleHB
Level 1
Level 1
In response to Julio E. Moisa

‎07-24-2018 07:34 PM

Hi Julio,

 

Thanks for the reply!

 

by my understanding on your configuration, I would need to dedicate 2 ports on my Primary ASA to configure redundancy, right?

 

How about my Secondary ASA? My goal is that, when my connection from L3 switch to Primary ASA goes down, the link going from my L3 to Secondary ASA should come up. So 1 port from L3 switch is connected to Primary ASA and the other to the Secondary ASA.

 

Regards,

KyleHB

0 Helpful

blake.macisaac1
Level 1
Level 1
In response to KyleHB

‎07-24-2018 10:51 PM

Why not just use a dedicated interface on each Asa and configure them as the management interfaces? That way if one FW goes down it automatically fails to the second one with the standby mgmt interface?
0 Helpful

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to KyleHB

‎07-25-2018 05:18 AM

Hi

That should work if you have the firewall configured as cluster like active - standby, the idea is both switch should have the same configuration so the cluster will be seen like one firewall from the switch perspective.  From the firewall cluster you should have the same next hop IP to the switch and vice versa.

 

The link could be useful: http://itadminguide.com/setup-cisco-asa-high-availability-activestandby-failover/

 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card