Failover of ASA with VLAN

Hey all, I'm sure one of you ran into this. Basically, we double asa5520 with LANs on a dedicated, g0/3 port-based failover configuration. There is a direct connection between the two cable.





We need to move from the asa to another location, but at the same time, minimize downtime. one of the options is to move one of them (secondary/standby) to the new location and connect the failover interface dedicated to an access road to a VLAN dedicated. This vlan will be used temporarily for failover. in the meantime, he must cross a few switches where 802. 1 q tags are in place. Once the secondary/Eve is in place, we will then turn off primary/active. and directly connect the failover interface.





We can't move the two as there is some time of transport between the location of the old and the new.





Thank you very much!



-robert

Hi Robert,.

This is the right way to do. Failover - VLANs on switches may extend.

I got the following: asa5520 - cat6509 - fiber - cat6509 - asa5520

It works very well!

Best regards, Celio

Tags: Cisco Security

Similar Questions

  • ASA with different failover module IPS

    Hi all

    Is it possible to configure the failover of the ASA with different IPS module configuration because we have: ASA 5585-X with firepower PHC-10 and ASA 5585-X with IPS SSP-10

    Thank you

    N °

    Inventories of material (basic unit, memory and optional modules) must be the same in a pair of failover ASA.

  • 6509 uplink to ASA with pair of Vlan

    I have the following topology:

    6509---> ASA---> Internet.

    My 6509 have a JOINT.

    intrusion detection module 3 management access port - vlan 2

    3-port data module 1 intrusion detection allowed - vlan trunk 352,603,1352,1603

    I want to put the JOINT between 6509 and ASA.

    6509 have a vlan 603 where inside the ASA is connected and I have already created VLANs to briding with 603 1603, this way

    I put the cable inside the ASA to vlan 1603, before was connected on vlan 603 but when I changed switchport vlan

    SAA (603 to vlan 1603) my vlan 603 breaks down and I can't access the internet.

    VLAN 603 down because there is that no user not connected them but I thought that briding how JOINT 603 with 1603

    This vlan 603 will be again, but does not work.

    How can I configure the IDM to this Vlan?

    I guess the switch itself has a 603 interface vlan, and it is this 603 interface vlan that goes down.

    By default the JOINT-2 data ports are configured to exclude "autostate" which means that is the JOINT-2 port and the interface vlan switches are the only things on the vlan, then the switch will lower its interface. The switch does not include the JOINT-2 interface when you are looking for other ports in the vlan.

    There is a command:

    3-port data module 1 intrusion detection autostate include

    With this command the JOINT-2 port will now appear in the list of ports to monitor, and the switch must now implement its 603 interface vlan.

    You can see the list of available commands for the JOINT-2 here:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_idsm2.html#wp1032690

  • PIX 6.3 (4) failover strangeness with VLAN

    I have a failover pair 535 6.3 (4) running and have experienced strange things while he was trying to get the dynamic failover to work. We use the serial cable to failover and a GE dedicated to the traffic of State via a cable directly connected x. We have a mix of standard interfaces for non - VLAN'ed, but also a physical I / f including 10 ~ VLAN. We are well within the limits of i / f allowed on the PIX so that isn't a problem. Also the

    VLAN'ed i / f on the two firewalls connects via a 802. 1 q trunk on the same switch Procurve 9315. All the required them VLAN is configured as marked on the two ports on the switch.

    The problem we had was that all as-based interfaces on the VLAN and physics i / f associated with these virtual local networks were perpetually in the State (pending) and we had no stats in the status section of the command 'show fail', which implies to me that stateful failover did not in fact. Failover works and traffic passes regardless of which firewall is enabled.

    Based on things I've read that I concluded that the problem is probably that 'Hello' messages were not being seen on each VLAN. So I did a bunch of capture on the VLAN different i / f of the PIX expecting to see outgoing Hello in the local unit, but saw nothing. Then I had a thought that maybe they were sent out without a label on the physical I / f, so I made a capture on it and also got nothing else than to the Hellos coming out to the physical interface.

    What we did that fixed it was to add the VLAN physics to the list of allowed VLANS labeled on firewall connected switch ports. As if by magic the physics I / f to the Normal State, as did all the local VIRTUAL network interfaces, and we started to get statistics on the State of the output of the show fail command section.

    And yet a capture on any of the interfaces VLAN does still not show the Hellos, and a capture on the physical displays now the bidirectional Hello for the physical LAN. Weird.

    So my questions are:

    1 > why the VLAN interfaces are dependent on their physical I / f for failover. I was told that you need not have any IP or configured for physical integrity, nameif I / f it's just must be enabled for the VLAN I / fs to work.

    2 > how are the VLAN I / f passing Hellos to the other.

    I can include my config if that helps.

    Peter

    Peter,

    (1) why is a good question. AFAIK that is according to the doc (same link below)

    "When you set up failover for an interface VLAN, Hello packets are sent through the physical interface, so the physical interface must be configured with an ip address."

    (2) I don't think that they are:

    One of the guides

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

    "Note that failover is supported with VIRTUAL local network interfaces. But the failover LAN interface command does not support VIRTUAL local network interfaces or failover link commands. "

    So basically it looks like helo packets are sent only on physical interfaces (dumped on any vlan you put them) and the VLAN will be "failover" If the pix, but if you had a failure in one vlan particular the pix would not notice it until the vlan the physical interface has been awarded to failed.

    Of course, it works in the equivalent level of the FWSM code - but FWSM never had the physical interfaces.

    The train 7.x supports subinterfaces, obviously.

    -Jason

    Please rate this message if it helps!

  • VMware Distributed Switch with VLAN

    Hi again,

    A lot of work with VLAN now.

    But just a quick Questions. Is there a documentation or HowTo Guides how to set up vSphare VMware Distributed Switch with several VLANS on a Switch GS724Tv4?

    But soon, I try to add a host or network, it is empty.

    This is probably an easy problem of VMware, but I try here first to see if someone has document guide HowTo so I can start with.

    Thank you

    Christian

    Never mind about this,

    I found the problem on my own, but perhaps a documentation would be great to have. But it's a good start to have the right license of VMware, before you start.

    * I was just out of luck when I thought *.

    / Christian

  • Protect and control the license for ASA with the power of fire

    I had 1 ASA 5515 initially delivered with the software cx, then made room for the software of firepower and got the virtual firesight for 2 devices and license of TAMAS tha L-5515, but this license was told only the URLs and malware license, I thought that this license was for all that since he has no other licenses in the data sheet and it's Reference with more features.

    How can I get the license protect and control now so I can add the asa with the firepower to firesight and apply to all licenses

    Thank you

    Hello

    L ASA5515-TAMAS = SKU license plans to "MALWARE" and "URLFilter" and legally gives the user to updates of the signature "PROTECT + CONTROL". It does not license "PROTECT + CONTROL". You need to buy "ASA5515-CTRL-LIC =" to license "PROTECT + CONTROL".

    Please discuss a case with CISCO GLO, they can help provide a CTRL license

    -DD

  • Cisco ASA with the power of fire vs Cisco IPS Appliance

    Hello

    Question: is there the functional differences between an ASA with the feature of firepower enabled and power of fire IPS appliances 'pure' (e.g. 7000 and 8000 series IPS Modules)?

    Thank you very much!

    Kind regards

    David

    Hello team,

    The same features except hardware bypass and another should trhougputs. Of course the flow rate will be high for hardwrae devices and it also has the ability to bypass equipment. Apart from that URL and all other filtering the same characteristics.

    Rate of good will if this post helps you.

    Concerning
    Jetsy

  • ASA with fire 5555 x Installation/Configuration/full features enablment

    Dear,

    I had a lot of confusion about the ASA with the power of fire all the new features, upgrade, changes made me lost.

    Can someone describes the steps to install the ASA with firepower and upgrade its image & package and the license application. (configuration of the box from scratch).

    What is the best practice for the installation of ASA with firepower in a network?

    TAMÁS is our license what are the features will be important for me, if I want to do a total security. And how about internet proxy I think of ending my TMG Web proxy and use this ASA. I want to use the devices to its full occupancy and all the features that I needed to be activated if necessary.

    How to deal with WLC and the wireless network (which is the best practice for ASA with the firepower and WLC

    Yes maybe that's a lot, but I think many inspiring answers will knock at least with redirection to another topic or some brilliant ideas.

    Kind regards

    Christel

    @mishaal-thabet

    There is a Quick Start Guide to ASA with module power of fire services here:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/SFR/firepo...

    In addition, to configure your policies of Management Center of firepower to make the most effective module, I recommend the Cisco Live presentation by 2015: "BRKSEC-2018 migration ASA IPS and CX to firepower." You don't have to worry about the title, it's a good overview for most use cases.

    It can be found here:

    https://www.ciscolive.com/online/connect/sessionDetail.WW?SESSION_ID=836...

    The WLC interact with the ASA directly but the placement of your controller and you use anchor and host controllers can play in your ASA interface design (i.e. comments in an area controllers demilitarized). Other than that, Wireless subnets are just part of the variable "$HOME_NET" located on the module of firepower.

    I hope this helps.

  • ASA with firepower and Licensing Service

    Hello

    If I buy an ASA with the power of Fire Service (e.g. 5516-X) should which licenses I buy?

    I understand that I need to order a license for the Service of firepower. E.g. IPS, URLS, and AMP.

    Should I order a license management FireSIGHT, too? The centre of mandatory FireSIGHT management? This license is necessary?

    Concerning

    You will need the license of control (CTRL). It is free and automatically included with any package of power of fire SKU (i.e. ASA5516-FPWR-K9).

    Then you must add the IPS, URLS or AMP (or combination of both) services in term 1, 3 or 5 years.

    FireSIGHT Management Center is not required for entry-level (5506, 5508 or 5516) models. It is optional on those you can use the entry firesight level integrated in ASDM for the model.

    For all other models, it is necessary. If you manage more than a simple ASA (even an HA pair) it is recommended even for the entry level models that you will be so power sync policies through them all.

  • VPN IPSec ASA with two ISP active

    Hi ALL!

    I have a question.

    So I have ASA with 9.2 (1) SW connected to ISP with active SLA.

    I need to configure redundant IPSec VPN via ISP2, while all other traffic must go through isps1. In case if one of the ISP goes down all including VPN traffic must be routed via ISP alive.

    I have configured SLA and it works.

    ciscoasa # display route performance
    Route 0.0.0.0 isps1 0.0.0.0 10.175.2.5 5 track 1
    Route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
    Route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 excerpt 2

    Here we can see if isps1 and ISP2 are RISING, all traffic passes through isps1, but traffic intended for the remote peer IPSec 172.22.10.5 passes by ISP2.

    This configuration works just at the moment when isps1 or isp2 is down or if a static route for 172.22.10.5 deleted. Where two Internet service providers are increasing to ASA does not send the next remote IPSec datagrams.

    ciscoasa # display running nat
    NAT (inside, isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary
    NAT (inside isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec pmtu aging infinite - the security association
    card crypto cm_vpnc 10 correspondence address acl_vpn
    card crypto cm_vpnc 10 set pfs
    peer set card crypto cm_vpnc 10 172.22.10.5
    card crypto cm_vpnc 10 set transform-set ESP-AES-256-SHA ikev1
    86400 seconds, duration of life card crypto cm_vpnc 10 set - the security association
    card crypto cm_vpnc interface isps1
    cm_vpnc interface isp2 crypto card
    trustpool crypto ca policy
    isps1 enable ikev1 crypto
    isp2 enable ikev1 crypto
    IKEv1 crypto policy 1
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    ciscoasa # show ip
    System of IP addresses:
    Subnet mask IP address name interface method
    Vlan1 in 192.168.2.1 255.255.255.0 CONFIG
    Isps1 Vlan2 10.175.2.10 255.255.255.0 CONFIG
    Isp2 Vlan3 10.175.3.10 255.255.255.0 CONFIG

    The main question why?

    Thank you in advance,

    Anton

    Hi anton,.

    If you check the log message on your ASA R301-IS , he's trying to build the tunnel VPN with both IP and it receives packets of asymmetrically your distance ciscoasa.

    TO avoid this asymmetrical connection, point your IP from peers as primary & secondary on your R301-EAST

    set peer 10.175.3.10 10.175.2.10

    Delete the track on your routing entries

    Route isp2 172.22.10.5 255.255.255.255 10.175.3.5

    This should work for you.

    Similalry lower your ISP 2, you should see VPN tunnel is mounted with isps1 one.

    HTH

    Sandy

  • ASA with A/A and three router ISP links

    Can someone help me, I have a problem I need to connect two ASAs with active and I have three routers to three Internet service providers, how do I optimize the gateway redundancy and load balancing.

    and I can use the router to ASA's private beach.

    Another Question is, do I really need host proxy server-based internet access.

    Please help me.

    Concerning

    One solution is to use the Protocol GLBP routers (OSPF in not available in A/A...).

    "GLBP offer deals on several routers (gateways) load balancing using a virtual IP address single and multiple virtual MAC. Each host is configured with the same virtual IP address, and all of the routers in the virtual routing group are involved in the transmission of packets. »

    GLBP group-load balancing [dependent on host: alternating | weighted]

    (see feature cisco IOS to IOS and hardware available browser.) .

    http://www.Cisco.com/en/us/products/ps6550/products_white_paper09186a00801541c8.shtml

    HTH.

    Roberto

  • ASA with two internet connections

    Hello

    I want to connect an ASA with two ISPS for internet traffic, one for the VPN S2S, there is a router VPN dedicatet on the second link.

    In case of failure of the first link, the second must be enabled.

    route outside 0.0.0.0 0.0.0.0 10.20.20.1 1 track 1route backup 0.0.0.0 0.0.0.0 10.20.30.1 254
    
route backup 192.168.0.0 255.255.0.0 10.20.30.1
    

    Is this configuration working??

    Hello

    You need to configure the 'als' monitor configuration to monitor some destination on the main IP address ISP for the ASA whether the connection works. Probably an IP address on the public network.

    SLA 1 monitor

    type echo protocol ipIcmpEcho outside interface

    NUM-packages

    timeout

    frequency

    SLA monitor Appendix 1 point of life to always start-time now

    You will also need a configuration related to 'track' of the order

    track 1 rtr 1 accessibility

    Route outside 0.0.0.0 0.0.0.0 10.20.20.1 track 1

    Backup route 0.0.0.0 0.0.0.0 10.20.30.1 254

    The above combined with the routes you mention should be enough about the delivery. Naturally for each remote VPN L2L network you will always need a specific static route on the SAA to the backup ISP device.

    Also you must naturally maintain the translations on the SAA. Seems that your ISP links have in mind a separate device that contains public IP addresses. So am I right in assuming you pass all traffic from the LAN links for links to PSI via the ASA without any type of NAT, and leave these routers from the private to the public NAT?

    -Jouni

  • Evaluate the NSX with VLAN

    Second question about the VLAN:

    Is there a reason that would prevent it from doing an assessment of NSX deployment on VLAN?

    We have a set C7000 enclosure with 16 blades G6 and 4 Flex-10 switches, which we removed from production. Before deploy us NSX "the right way", we would evaluate NSX on the old blades. I have no problem to create clusters of edge, calculation and Mgmt, but I couldn't do a deployment of best practices of NSX without leaf spine VLAN (unless the boss wants to invest in 4 HP more Flex-10 switches for evaluating!).

    My idea: create a VLAN "backbone" and 3 "leaf VLAN," all with MTU 1600 or better and start creating our documentation run-book for the NSX.

    THX in advance

    Yes, you can do a deployment with VLANS and it will work. You will be able to use Distributed firewall, Distributed routing (some design considerations apply here) and many other features. Of course you need to master them VLAN for the virtual machine to each host if you do not use an overlay.

    Nikhil

    / cc: NimishDesai. maxard66 rbudavari

  • Between Cisco ASA VPN tunnels with VLAN + hairpin.

    I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:

    1. The 5505 has a dynamically assigned internet address.
    2. The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
    3. The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).

    Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.

    Thank you!

    1. The 5505 has a dynamically assigned internet address.

    You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning

    2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).

    Make sure that the interface is connected to a switch so that it remains all the TIME.

    3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.

    You can use dynamic VPN with normal static rather EZVPN tunnel.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • VPN between 2 offices with VLAN

    Hello

    We have a remote desktop that is connected to our network with a bridge, this bridge transport several laser VLAN as a trunk.

    One of the laser is now out of service and considerede that there really expensive we want to replace this with a virtual private network connection.

    In our headquarters we have a cluster of asa cisco in failover and now we have bought a new asa cisco for the branch.

    On remote desktop, we have several VLANs which must be connected with the VLANs to Headquarters, and we don't want to change the ip addressing.

    To continue, I need to connect 2 offices who, for now, was connected to Layer2 with bridge trunk wireless with a new vpn on cisco ASA, without having to change the address ip addresses to the remote desktop so that a pc in the remote office on vlan10 with address 10.0.0.10 should be able to contact a server at Headquarters to vlan10 with the IP 10.0.0.1.

    Is this possible scenario?

    Thank you

    Who is Ricardo?  ;-)

    Remote Desktop:
    vlan10 172.10.0.0/24
    vlan20 172.20.0.0/24
    vlan30 172.30.0.0/24

    Branches:
    vlan10 172.10.0.0/24
    vlan20 172.20.0.0/24
    vlan30 172.30.0.0/24

    How to solve the problem that overlap, is to configure the NAT through the tunnel.
    The idea is to NAT on both sides, so that the other think that the remote VIRTUAL LAN is a different subnet.

    That is to say
    Remote Desktop:
    vlan10 10.10.0.0/24
    vlan20 10.20.0.0/24
    vlan30 10.30.0.0/24

    Branches:
    vlan10 10.40.0.0/24
    vlan20 10.50.0.0/24
    vlan30 10.60.0.0/24

    In this way, you can have communication through the tunnel without problems that overlap.

    Federico.

Maybe you are looking for