How to configure Active/Active Cisco ASAs

Posted on 2011-09-28
Medium Priority
Last Modified: 2012-06-27
We are looking to add a level of redundancy to our front end internet connection / VPN concentrator.

Our current front end firewall is an ASA 5510. Trouble is, of course, when we take it down for maintenance or any outage occurs we go hard down for an extended period. We have a second ASA 5510 here in the lab basically sitting idle.

What I would like to do is stack the pair and run them as active/active firewalls. (I've never been fond of active/passive and having equipment sitting there doing nothing.)

My thought was to install both and load balance VPN tunnels across them.

i.e. tunnel A goes to ASA A, tunnel B goes to ASA B, and then program them to fail over to each other.
Likewise use ASA A to host our website and use ASA B to manage the in house internet traffic and again fail over to each other.

We already have OSPF in place to handle the routing updates.

Has anyone done anything similar in house?

Any best practices? warnings? better ideas?
Question by: PerimeterIT

Expert Comment

ID: 36719674
Active / active requires multi-context mode, which cannot terminate VPNs.  You would have to pass encrypted traffic through and terminate the VPNs on another device on the inside.

I know this isn't really an opinion forum but regarding your comment about active / standby, I've always been fine with that. I understand the argument that, as you put it, you have equipment sitting there doing nothing, but active / standby is a much easier configuration, and every customer I've ever talked to has always said that in a failure scenario, they still wanted the same level of service as before the failure.  Which, to me, means you have to size the firewalls so if only a single one is available it can still handle the full throughput load.  The only benefit I see with active / active is increased throughput, but only if you're also willing to accept somewhat reduced service in a failure situation.  My personal opinion is active / active was a checkbox Cisco needed to be able to figure out a way to do because Juniper was already able to and without that capability they were losing deals.  My $.02....

Author Comment

ID: 36719932
I've always been of the opinion that the two words network admins don't want to hear in the same sentence are "Load Balance", because it never works quite right...

In our company's case our C levels are pushing us to build DR into our infrastructure. But of course $ is always a problem. By building active/active it's easier to push it across the line, as you can show that you get improved performance out of the equipment rather than it just sitting there.

My take on it is instead of using both ASAs for each service, why not spoof active/active by splitting active/passive roles across both devices?

So ASA A becomes the default gateway for users and ASA B becomes the termination point for our websites. Both devices have different external IPs. Then use OSPF to fail over the routes between the devices.

As for the VPNs, has anyone gotten multi-homing to work on the ASA platform?

What I mean is, if I set half our VPNs to terminate on ASA A and the other half on ASA B:

Is there a way I could program the routing so that it would fail over some or all of the tunnels to the other ASA in case of failure?

Accepted Solution

jmeggers earned 2000 total points
ID: 36938244
Basically, what you're describing is how active/active works on the ASA.  You run two contexts on each ASA and one ASA is active for one context, but passive for the other.  I don't know of any way to spoof that architecture.

As for your VPN question, the ASA won't let you terminate VPNs in multi-context mode, so you could try two separate VPN tunnels, one to each ASA.  But I suspect that would only help you if you can figure out a way to use both ASAs on the same set of LANs and not run into state problems.

Bottom line, I don't see a way of accomplishing what you're suggesting.
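To make the two-context layout the accepted answer describes concrete, here is an added, constructed system-space configuration for the primary unit (it is not from the answer and not taken from Cisco's documentation): one context per role, each in its own failover group, so that ASA A is normally active for the users context and ASA B for the web context. Interface names, VLAN IDs, context names, file names and the 192.0.2.0/30 failover-link addresses are assumptions; as the answer notes, VPNs cannot be terminated on contexts in this mode.

```cisco
! Constructed example: system execution space of the PRIMARY ASA 5510.
! Names, VLANs and addresses are assumed; both units are already in
! multiple-context mode ("mode multiple") and cabled identically.
! Physical ports and the sub-interfaces handed to the two contexts
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 110
interface Ethernet0/1.20
 vlan 120
! Failover and stateful link on a dedicated port, with an authentication key
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key FAILOVER-KEY-PLACEHOLDER
! Two failover groups: group 1 is normally active on this (primary) unit,
! group 2 on the secondary. "preempt" hands a group back once its unit is repaired.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! Required admin context (unassigned contexts default to failover group 1)
admin-context admin
context admin
 config-url disk0:/admin.cfg
! Context USERS (default gateway for staff) rides group 1 -> active on ASA A
context USERS
 allocate-interface Ethernet0/0.10 users_outside
 allocate-interface Ethernet0/1.10 users_inside
 config-url disk0:/USERS.cfg
 join-failover-group 1
! Context WEB (fronts the public web servers) rides group 2 -> active on ASA B
context WEB
 allocate-interface Ethernet0/0.20 web_outside
 allocate-interface Ethernet0/1.20 web_inside
 config-url disk0:/WEB.cfg
 join-failover-group 2
! Enable failover last, after the secondary has the mirrored base configuration
failover
```

Each context then carries its own interface addresses, routing and policy in its config-url file; "show failover" on either unit shows which group, and therefore which role, is active where.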
