ASA Failover Pair Question
I am looking to implement a ASA 5510 failover pair with a Cisco 2960 switch behind the firewalls. From looking at a Cisco tutorial, it appears the LAN based failover, is actually a ethernet cable directly connected from an interface on the primary to a physical interface on the secondary? Is this correct? I am assuming I can set up a trunk port between the switch and the active inside interface of the firewall to support multiple subnets?
ASKER
I do have the security plus license, I understand I will need a link to each firewall, its just that I have (5) subnets on the LAN and I wanted to verify I could route those subnets across a single trunk link to each firewall.
ASKER
I also have another question. When I do a show ver on both the boxes I have the This device has a "Security Plus license" Am I able to configure either unit as the primary then?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes, this is correct - it's called a heartbeat cable.
>> I am assuming I can set up a trunk port between the switch and the active inside interface of the
>> firewall to support multiple subnets?
Not exactly. Assuming from your statement that you have only one switch, you can set up two uplink ports, one from each firewall to the switch, so that there are two paths from the firewalls into your inside network - one on each firewall. Otherwise, if the 'active' firewall fails your switch link is down.
Also, the ASA base license does NOT support VLAN trunking, so if you want to enable this feature you'll need to purchase the Security Plus license.