Apr 01

Redundant connection with a single Cisco ASA firewall

When setting up Cisco ASA firewalls, I prefer to install them in pairs. A High Availability (HA) pair works very well to keep the environment available when one unit fails.

It’s not very often, but sometimes it makes sense to have a single firewall without a standby unit. When deploying this firewall, the choice had to be made between dual-homing it to a pair of switches or connecting it to a single switch. The decision was made to connect it to the HA pair of switches, since those switches can form one LACP bundle across both units (vPC or MCT).

To do this, two ports on the ASA need to be joined in an EtherChannel. The configuration is the same as configuring an EtherChannel on a Cisco switch:

1. Create the Port-channel interface; it must have a unique number.
2. Apply the channel-group to each member interface; all member interfaces must have identical configuration.

Below is an example of the configuration:

interface Port-channel1
description Access Switch Link
nameif outside
security-level 0
ip address

interface GigabitEthernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address

interface GigabitEthernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address

So, why do this?

1. The new environment needed to be secured with a firewall.
2. Access to this environment was not business critical and was only needed during business hours, so a single unit was chosen.
3. Why dual-home it? Because it was available and easy to set up. As a network engineer, redundancy is always preferred, even when the business says it’s not needed.

How has your experience been with Etherchannels running on Cisco ASA firewalls?
If you have an example of a case where a single firewall is the right choice, please share it!!


Jan 14

Configure NAT on a Cisco ASA with more than one inside interface

Normally when I set up a public-to-private NAT on a Cisco ASA firewall (version 8.3+) I have one outside interface and one inside interface. Recently, I was asked to set up a public-to-private mapping on two internal interfaces. The NAT had been in place for a while; then the systems team wanted to add another function that communicates with the same outside IP address, but from another DMZ on the firewall.

At first, I went to the existing network object and issued the nat statement with the new DMZ interface name. As soon as I did this, it replaced the existing NAT statement. After some digging, I figured out that I need a separate object for each NAT statement. Below is an example of the configuration needed to have NAT on two different internal interfaces.

Outside Public IP =
Inside Private IP =

object network snat-
nat (outside,DMZ-1) static

object network snat-
nat (outside,DMZ-2) static

As you can see, both objects use the same public and private IPs; the key is that the objects have different names. Once you do this you will see two similar entries in the xlate table, one for each internal interface.
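To catch this mistake in a config review, here is an added Python check (not from the post): it parses the object network blocks of an ASA configuration, lists each static mapping by inside interface, and flags any object carrying more than one nat line, since, as the post observed, the ASA keeps only one nat statement per object. The sample configs and their addresses are constructed placeholders.

```python
import re

# Constructed sample (RFC 5737 / RFC 1918 placeholder addresses) in the
# layout the post recommends: one object network per inside interface.
GOOD_CONFIG = """\
object network snat-dmz1
 host 10.1.1.10
 nat (outside,DMZ-1) static 203.0.113.10
object network snat-dmz2
 host 10.1.1.10
 nat (outside,DMZ-2) static 203.0.113.10
"""

# The mistake from the post: a second nat line added to the existing object.
BAD_CONFIG = """\
object network snat-dmz1
 host 10.1.1.10
 nat (outside,DMZ-1) static 203.0.113.10
 nat (outside,DMZ-2) static 203.0.113.10
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)")


def parse_objects(config):
    """Return {object name: [indented lines]} for every 'object network' block."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = []
        elif line.startswith(" ") and current:
            objects[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return objects


def static_nat_mappings(config):
    """Map (public_ip, private_ip, inside_if) -> object name, plus warnings.

    An object network holds a single nat statement, so an object with several
    nat lines is flagged: on the ASA only one of them would survive.
    """
    mappings, warnings = {}, []
    for name, lines in parse_objects(config).items():
        host = next((l.split()[1] for l in lines if l.startswith("host ")), None)
        nats = [m for m in map(NAT_RE.match, lines) if m]
        if len(nats) > 1:
            warnings.append(f"{name}: {len(nats)} nat statements; only one is kept per object")
        for m in nats:
            mappings[(m.group(3), host, m.group(2))] = name
    return mappings, warnings
```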