How to configure Active/Active Cisco ASAs
Posted on 2011-09-28
We are looking to add a level of redundancy to our front end internet connection / VPN concentrator.
Our current front-end firewall is an ASA 5510. Trouble is, of course, when we take it down for maintenance or any outage occurs, we go hard down for an extended period. We have a second ASA 5510 here in the lab basically sitting idle.
What I would like to do is stack the pair and run them as active/active firewalls. (I've never been fond of active/passive and having equipment sitting there doing nothing.)
My thought was to install both and load balance VPN tunnels across them.
i.e., tunnel A goes to ASA A, tunnel B goes to ASA B, and then program them to fail over to each other.
Likewise, use ASA A to host our website and use ASA B to manage the in-house internet traffic, and again fail over to each other.
We already have OSPF in place to handle the routing updates.
Has anyone done anything similar in-house?
Any best practices? Warnings? Better ideas?