Hi

I agree with Reza, I have implemented that scenario many times and works perfectly. Attached you will see a basic scheme. Basically the cluster will be seen as 1 firewall one gateway for the Internal network.

Hope it is useful

:-)

What about inbound traffic.  At the moment i have at the NAT address at the Firewall on site A (for inbound servers on the dmz).  If they have to get to site B instead how do i do the NAT

Also if site A firewall is offline that means the dmz and servers are offline.  So how do i land on the servers in Site B dmz?

Hi,

Configuring the ASA as a cluster should make the devices logically act as one device. So, when one firewall fails all the config including NAT will be on the other firewall and so it should take over traffic forwarding inbound and outbound.

Also if site A firewall is offline that means the dmz and servers are offline.  So how do i land on the servers in Site B dmz?

You would have to connect the DMZ switch to both firewalls.

HTH

That is correct, basically the standby firewall will be a mirror of the primary firewall, once the primary firewall fails the standby will have the same configuration like the primary.

As Reza mentioned, you should have the DMZ switches connected to both firewall. 

So i have a server in one dmz with a gateway of 192.168.180.1 but if that firewall goes offline the other firewall has a gateway of 192.168.180.199 - How will it route?

i already tried a multi context cluster and it worked for about an hour and fell over. Not sure why but seemed to have sync problems.  i dont think clustering cisco firewalls works.

i just need a single default gateway of 192.168.180.x on my dmzs i think but not sure how to do this - maybe two layer 3 switches and HSRP?

any advice is welcome - i have 1000 users so i need to get it right next time.  not sure i trust clustering 

Hi

For example, the primary firewall will be configured with the IP 192.168.180.1 so the other firewall will have the same IP 192.168.180.1 basically when you have a cluster of firewalls in active-standby, the secondary firewall (standby) creates an exact copy from the primary firewall (active)

The secondary firewall will have the same configuration like the primary firewall. 

This is a little example:

http://www.cioby.ro/2016/07/11/configuring-cisco-asa-active-standby-failover/

:-)

I have attached a cisco router to each dmz switch and am using IP SLA to poll the dmz interface of each cisco asa and also upstream to both internet facing IP's.  I have that working.  I have setup HSRP on each router.

interface FastEthernet0/0

ip address 192.168.180.5 255.255.255.0

standby 1 ip 192.168.180.6

standby 1 priority 110

standby 1 preempt

standby 2 ip 192.168.180.8

standby 2 preempt

i have a default route to cisco asa site a

interface FastEthernet0/0

ip address 192.168.180.4 255.255.255.0

standby 1 ip 192.168.180.6

standby 1 priority 110

standby 1 preempt

standby 2 ip 192.168.180.8

standby 2 priority 110

standby 2 preempt

i have a default route to cisco asa site b 

Q.  What do you think?