Cisc ASA 5550

mamir01mamir01 Registered Users Posts: 3 ■□□□□□□□□□
Hello All,

I need some help please and I hope you guys/gals can help.

We're about to deploy and IPSEC solution using two Cisco ASA 5550 and RSA appliance for one time password using secure key fob.

We want to be able to deploy the two firewalls in different locations for resilience communicating with the RSA appliance on the RADIUS ports.

Questions are:

1) I need to add these ASA's as a VPN cluster does this configuration require any form of failover to be setup

2) Do I need to configure a active/passive or active/active failover

3) Can the VPN clustered firewalls reside at different locations

Has anyone configured the ASA's to be clustered and if so have you also setup them up for failover at the same time having the firewalls at two sites. ASA 1 sits at Site A and ASA 2 sits at Site B.

I appreciate all the help I can get from the members. Many thanks.

Regards,

Amir

Comments

  • Panzer919Panzer919 Member Posts: 462
    This would need to be posted in the CCSP section.
    Cisco Brat Blog

    I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.

    Luck is where opportunity and proper planning meet

    I have not failed. I've just found 10,000 ways that won't work.
    Thomas A. Edison
  • mikearamamikearama Member Posts: 749
    mamir01 wrote: »
    1) I need to add these ASA's as a VPN cluster does this configuration require any form of failover to be setup

    2) Do I need to configure a active/passive or active/active failover

    3) Can the VPN clustered firewalls reside at different locations

    1) Yes, "clustering" ASA's requires failover. ASA's use lan-based (via a switch is recommended) connections to pass stateful failover traffic. We dedicate interface g0/0 on all our ASA pairs for failover.

    2) Active/Active is only available if you're using contexts. Our external ASA's are not contexted, so they're Active/Passive. Our internal use contexts, so Active/Active is possible. BTW, if you use contexts, you lose the ability to use VPN's, so I have to assume you're not going with contexts, which means Active/Passive is all you get. Stateful failover, mind you, but that's as good as it gets.

    3) Never heard of this... can't find any documentation to say one way or the other. The only concern is the polltime of the ASA's. The default is every second... so once per second, each ASA sends a "hello" across the failover link. The holdtime defaults to 15 seconds, so if 15 seconds go by without a received "hello", swithovers happen. If the lapse is because of a network issue between the ASA's and not a true outage, dual-active situations arise. I promise you that what you describe will never be considered "best practice", but as long as you have a high-speed WAN (ie, mpls) between your sites, you might be okay.

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • chrisonechrisone Senior Member Member Posts: 2,206 ■■■■■■■■■□
    As mentioned above

    1. Yes you will need to setup failover

    2. Same as above poster

    3. I dont believe this is possible as you can either set this up with a cable for the fail over management between both ASA connected directly or via the LAN on a VLAN between switches.

    Unless you have some point-to-point direct connection or Dark fiber running between the two building were you can attach that VLAN it may be possible, as the ASA's are only looking to connect to each other in a point to point manner via a direct cable or from being on the same "ISOLATED" VLAN. I say isolated because you do not want to hook this up with any other hosts on the VLAN.

    I would call cisco if you have a smartnet with any ASA and just ask them if your design is possible.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User
  • mamir01mamir01 Registered Users Posts: 3 ■□□□□□□□□□
    Thanks a lot guys for your help?

    I was told by another forum that you can't have VPN cluster on an active/passive failover design. Now the situation is this we do run MPLA on our WAN and the two buildings where the firewalls will be situated run a 1gb fibre link and the failover design will be LAN based with possibly stageful failover so hopefully no downtime for the VPN user as these asa's will only be used for IPSec with rya secured authentication manager.

    Cluster will keep at least one VPN firewall active in the event of a failure. Does this make sense. Thanks again guys for your valuable contribution.

    Regards,

    Amir
  • ilcram19-2ilcram19-2 Banned Posts: 436
    throw them away ASA are CRAP get some ISR routers
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    ilcram19-2 wrote: »
    throw them away ASA are CRAP get some ISR routers

    Which ISR would you suggest competes with an ASA 5550 performance-wise?

    edit: I love the ISRs. The ASAs are great too but, IMHO, if you really want a firewall - get a Juniper/Netscreen/Fortigate
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
Sign In or Register to comment.