Redundant connection with a single Cisco ASA firewall

When setting up Cisco ASA firewalls, I prefer to install them in pairs. A High Availability (HA) pair works very well to keep the environment available when one unit fails.

It’s not very often, but sometimes it makes sense to have a single firewall without a standby unit. When deploying this firewall, a choice had to be made: dual-home it to a pair of switches, or connect it to a single switch. The decision was made to connect it to the HA pair of switches, because those switches can terminate an LACP bundle that spans both units (vPC or MCT).

To do this, two ports on the ASA need to be joined in an EtherChannel. The configuration is the same as configuring an EtherChannel on a Cisco switch:

1. Create the Port-channel interface; it must have a unique number.
2. Apply the channel-group to each member interface; all member interfaces must have identical configuration.

Below is an example of the configuration:

interface Port-channel1
 description Access Switch Link
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
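As an added check that is not part of the original post, the Python script below parses ASA-style configuration text and verifies the two rules above (each port-channel number is defined once; every member interface carries the same configuration) together with the member-interface rules the ASA itself enforces (no nameif, security-level or ip address on a member; a Port-channel interface must exist for the channel-group number). It also flags that "channel-group N mode on" builds a static EtherChannel: if the upstream switch pair is expected to negotiate LACP, the members need "mode active" (or "passive") instead. Both configurations in the script are constructed samples modelled on the post; the 192.0.2.1 address is a documentation-range placeholder, since the post leaves the address blank.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the post's configuration, indented the way
# 'show running-config' prints it. The IP address is a placeholder.
SAMPLE_CONFIG = """\
interface Port-channel1
 description Access Switch Link
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
"""

# Constructed broken variant: the members disagree on the channel mode and
# one member still carries a nameif, which the ASA will not accept.
BROKEN_CONFIG = """\
interface Port-channel1
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 channel-group 1 mode on
 no security-level
 no ip address
"""

CHANNEL_RE = re.compile(r"^channel-group (\d+) mode (on|active|passive)$")
PC_DEF_RE = re.compile(r"^[ \t]*interface (Port-channel\d+)[ \t]*$", re.M)

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands.

    Accepts both indented ('show run') and flat (pasted) ASA text: every
    non-empty line after 'interface X' belongs to X until the next
    'interface' line. Lines starting with '!' are separators and skipped.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def check_etherchannels(config):
    """Check the post's two rules plus what the ASA enforces on members.

    Returns {'errors': [...], 'notes': [...]}; an empty 'errors' list means
    the EtherChannel definition is consistent.
    """
    errors, notes = [], []
    interfaces = parse_interfaces(config)

    # Rule 1: a port-channel number may only be defined once.
    for pc, count in Counter(PC_DEF_RE.findall(config)).items():
        if count > 1:
            errors.append(f"{pc} is defined {count} times; port-channel numbers must be unique")

    # Collect members per channel-group number: (name, mode, other sub-commands).
    members = defaultdict(list)
    for name, cmds in interfaces.items():
        for cmd in cmds:
            match = CHANNEL_RE.match(cmd)
            if match:
                rest = [c for c in cmds if c != cmd]
                members[int(match.group(1))].append((name, match.group(2), rest))

    for number, group in sorted(members.items()):
        pc = f"Port-channel{number}"
        if pc not in interfaces:
            errors.append(f"channel-group {number} is used but no '{pc}' interface exists")
        if len(group) < 2:
            errors.append(f"{pc} has only one member; the link is not redundant")
        modes = {mode for _, mode, _ in group}
        if len(modes) > 1:
            errors.append(f"{pc} members disagree on channel mode: {sorted(modes)}")
        elif modes == {"on"}:
            notes.append(f"{pc} uses 'mode on' (static); use 'mode active' if the switches run LACP")
        # Rule 2: every member must carry exactly the same configuration.
        if len({tuple(sorted(rest)) for _, _, rest in group}) > 1:
            errors.append(f"{pc} member interfaces are not configured identically")
        # Layer-3 settings live on the Port-channel interface, never on a member.
        for name, _, rest in group:
            for cmd in rest:
                if cmd.startswith(("nameif ", "ip address ", "security-level ")):
                    errors.append(f"{name}: '{cmd}' belongs on {pc}, not on a member interface")
    return {"errors": errors, "notes": notes}

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_etherchannels(cfg))
```

Run it against a saved "show running-config" before pushing a change; the sample from the post passes with only the static-mode note, while the broken variant reports the mode mismatch, the differing member configuration and the stray nameif.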

So, why do this?

1. The new environment needed to be secured with a firewall
2. Access to this environment was not business critical and only needed during business hours, so a single unit was chosen.
3. Why dual home it? Because it was available and easy to setup. As a Network Engineer, redundancy is always preferred even when the business says it’s not needed.

How has your experience been with Etherchannels running on Cisco ASA firewalls?
If you have an example of why to only have a single firewall, please share it!!

No account needed to comment!!! Find the “reply” button below and leave your comment!!
