How to do NAT on an Active/Active ASA

Hi, I want to learn how to do NAT (PAT) on an active/active ASA. Must I write the NAT commands in each context, or is there another way that I do not know?
thanks

Hi Teymur,
Configuring NAT on an Active/Active pair is the same as on any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to log in to the appropriate context to configure the commands.
In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
Hope that helps.
-Mike
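
A pre-change check for the advice above, as an added example that is not part of the original thread: it parses `show failover` text (sample trimmed from the output quoted further down this page) and reports whether the unit you are logged in to is Active for a given failover group. The function names are hypothetical, the ` - Active` host-line form for Active/Standby pairs is an assumption, and you need to know which failover group the context belongs to.

```python
import re

# Trimmed from the "show failover" output quoted further down this page.
SAMPLE = """\
Failover On
Failover unit Primary
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
  This host:    Primary
  Group 1       State:          Active
                Active time:    359610 (sec)
  Group 2       State:          Standby Ready
                Active time:    3165 (sec)
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    3900 (sec)
"""

# "This host: Primary" (Active/Active) or, as an assumption about the
# Active/Standby layout, "This host: Primary - Active".
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)(?:\s+-\s+(.+?))?\s*$")
# Matches the per-group state lines but not "Group 1 last failover at: ...".
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")


def parse_show_failover(text):
    """Parse unit roles and per-group states out of `show failover` text."""
    units, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(2)
            units[current] = {"local": host.group(1) == "This",
                              "state": host.group(3), "groups": {}}
            continue
        group = GROUP_RE.match(line)
        if group and current:
            units[current]["groups"][int(group.group(1))] = group.group(2)
    mode = "active/active" if any(u["groups"] for u in units.values()) else "active/standby"
    return {"mode": mode, "units": units}


def active_unit_for_group(parsed, group):
    """Return "Primary"/"Secondary" for the unit where the group is Active."""
    active = [name for name, unit in parsed["units"].items()
              if unit["groups"].get(group) == "Active"]
    if len(active) > 1:
        # Both units claiming Active must never be treated as "safe".
        raise ValueError(f"failover group {group} is Active on both units")
    return active[0] if active else None


def safe_to_configure_here(parsed, group):
    """True only if the unit that produced the output is Active for the group."""
    unit = active_unit_for_group(parsed, group)
    return unit is not None and parsed["units"][unit]["local"]


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE)
    print(parsed["mode"])
    for grp in (1, 2):
        print(grp, active_unit_for_group(parsed, grp), safe_to_configure_here(parsed, grp))
```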

Similar Messages

  • ASA in active/active VPN solution licensing question

    Hello All
    I have a customer with the following requirements:
    1) A Cisco VPN Solution that will support SSL VPN and Cisco Client VPN - The solution will be a failover configuration running in an active-active set up. The solution offered will be fully supported (i.e. it will not go into End of Life or any lower level of support etc) by Cisco for the next 5 Years.
    a. We would expect the devices to be similar to the ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES (Including ASA 5500 Advanced Endpoint ASS)
    2) User  licenses for the above - Please quote for both the following
    a. 500 appropriate SSL VPN User Licenses
    b. 250  appropriate SSL VPN User Licenses
    I am quoting them for the 500 ssl vpn bundle
    ASA5520-SSL500-K9 and for the
    ASA5520-BUN-K9.
    Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
    Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
    http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
    The URL above has this: “The backup server mechanism is separate from, but compatible with, failover.
    Shared licenses are supported only in single context mode, so Active/Active failover is not supported.”
    Also: “Failover Guidelines
    • Shared licenses are not supported in Active/Active mode. See the "Failover and Shared Licenses" section for more information.”
    I also need to purchase the
    ASA-ADV-END-SEC and
    ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
    Do I need to buy this for both asa's or can they share them in active/active mode.
    Thanks in advance.
    Feisal

    Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
    So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
    Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
    My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
    Is that incorrect?
    Many thanks
    Rays

  • How to tell if Active/active or Active/Standby mode is configured?

    Folks:
    I am still learning the output of my running config, but how do I tell if my firewall is set to Active/Active or Active/Standby mode?
    In addition, how do I tell if it uses regular or stateful failover mode?
    Thank you

    I wanted to provide this as well, since I found it and it also helped me answering my question.
    This output shows Active/Active failover output.
    **Note** it says PIX; however, I believe it will be the same output for ASA.
    PIX1(config-subif)#show failover
    Failover On
    Cable status: N/A - LAN-based failover enabled
    Failover unit Primary
    Failover LAN Interface: LANFailover Ethernet3 (up)
    Unit Poll frequency 15 seconds, holdtime 45 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 7.2(2), Mate 7.2(2)
    Group 1 last failover at: 06:12:45 UTC Apr 16 2007
    Group 2 last failover at: 06:12:43 UTC Apr 16 2007
      This host:    Primary
      Group 1       State:          Active
                    Active time:    359610 (sec)
      Group 2       State:          Standby Ready
                    Active time:    3165 (sec)
                      context1 Interface inside (192.168.1.1): Normal
                      context1 Interface outside (172.16.1.1): Normal
                      context2 Interface inside (192.168.2.2): Normal
                      context2 Interface outside (172.16.2.2): Normal
      Other host:   Secondary
      Group 1       State:          Standby Ready
                    Active time:    0 (sec)
      Group 2       State:          Active
                    Active time:    3900 (sec)
                      context1 Interface inside (192.168.1.2): Normal
                      context1 Interface outside (172.16.1.2): Normal
                      context2 Interface inside (192.168.2.1): Normal
                      context2 Interface outside (172.16.2.1): Normal

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • How to configure active active Configuration

    Hi,
    I am looking for an active/active solution design with the design below.
    2 Cisco ASAs in Site 1 in Active/Standby mode
    1 Cisco ASA in Site 2
    Both sites are connected over a private line.
    All services run from site 1 and only a specific service runs from site 2. From site 2, how to make only some applications hosted on that site,

    Hello,
    Well, based on your other question, this cannot be possible as again you will need to have a way to determine whether Site A is up or Site B is up.
    Routing protocols look like the way to go

  • Active/Active ASA in GNS3?????

    Hi,
    How can I run ACTIVE/ACTIVE firewall in GNS3??
    I tried in Google and FB groups but didn't get an answer that works.
    So, I finally did the multimode option in ASA but then I couldn't configure IP addresses on interfaces!!!!
    Thanks in advance.
    Bye,

    Hello Anand,
    It should work, I have done it
    Make sure you have the licenses to run it,
    Regards
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • ASA Active/Active Configuration

    Dear All,
    In configuring Active/Active mode on the ASA, most examples use
    2 customers for Active/Active. If I only have 1 customer with 4 interfaces as
    follows:
    1) Outside
    2) Inside
    3) DMZ
    4) VPN
    Can I still use the Active/Active mode?
    If so, then how do I allocate the interfaces to the 2 failover groups? Let's
    assume:
    Failover group 1: Outside and DMZ
    Failover group 2: VPN and Inside
    That means ASA_A is primary of Group1, while ASA_B is primary of Group2. If
    so, does the traffic between Outside and Inside have a problem, since it is
    crossing the 2 failover groups on the 2 ASAs?
    Please correct me and my assumption. A sample configuration would be much appreciated.
    Thanks in advance.
    Br,
    Sam

    Thank you for the reply Jennifer.
    I was referring to the following document:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
    | Failure Event | Policy | Active Action | Standby Action | Notes |
    |---|---|---|---|---|
    | Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. |
    | Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs. |
    I think I should rephrase question 2) If I have two separate links for Failover and Stateful failover, will that fix my problem?
    How can I configure separate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
    Sorry I didn't accurately phrase my original post.
    Thank you

  • ASA CX / PRSM Active/Active Failover?

    Hi everyone.
    I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
    I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
    On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
    On the other hand, this forum discussion says that they are using Active/Active with CX.
    So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one.  I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
    Any advice on this? Guides maybe?
    Thanks in advance.

    Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
    Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
    The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

  • How can I print ONLY the active document?

    Whenever I go to File/Print the darn PSE 9 program sends all of the working files in the bin to the printer. I've searched online for 2 hours now looking for an answer.
    I like to work with having several to many files in the 'bin' and prefer to only print the active file I'm currently working on without having to close the 'working files' before I can print. How can I print ONLY the active document or file in the project bin? Please help, I've upgraded from PSE 3 to PSE 9 and really like the updated features, but this one pain in the neck default is getting the best of me.

    Thanks for your help, that works nicely. It is good to have control of the printer again.

  • For some reason, I cannot change my desktop background no matter how many times I delete the "active" folder.  It's as if it's locked.  Any ideas how I can fix it?

    Yes it sounds like you have a corrupted preference file.
    The setting you make in individual programs get saved to a Preference file in your Users/Library/Preferences folder.
    All you have to do is drag out the old file to the desktop, reboot and load the program and the preference file gets rebuilt without your preferences which you reset.
    For your case I believe the preference file is
    com.apple.desktop.plist

  • How can we achieve active/active cluster setup with Oracle

    Hi Experts,
    How can we achieve active/active database setup with oracle WITHOUT USING RAC.. As far as I know it's impossible (unless I'm wrong)..
    We are using Oracle 11.2.0.1 64bit on Windows 2008 server. We deployed Oracle FailSafe but that's more of an active/passive solution based on a windows cluster.
    The other solution we were thinking about is to use DataGuard and replication.. two servers.. the oracle instance running on one server generating logs, and the other server receive the logs and apply them to the physical standby db.. Still, this is not a real active/active setup.
    So, is it possible to run 2 servers in an active/active cluster and have the oracle database in an active/active setup or have the instance running on multiple nodes (at the same time)?
    Thanks

    Let me give you a brief explanation of what the situation is and you can be the judge..
    My client has four databases with the smallest one being 20GB and the biggest around 35GB (SGA 750MB to 1.4GB (tiny by DB standards) and probably on a normal day, you can run all four of them on a decent desktop). The DBs are used to keep track of people information. Throughout the year, the databases are almost sitting idle, and by idle I mean the odd update here and there, the odd report, etc. No hard real processing of any sort. Two days of the year (end of year) we have all the operators consolidating records and whatnot and they will be pounding away entering data and updating the tables, with hourly reports that go to 3rd parties. The client expects a 99.99 up time and availability during those 2 days.
    Now, tell me, How can I justify using RAC and spending hundreds of thousands of dollars in licensing and what ever extra costs introduced by the complexity of the environment for the above scenario knowing that I don't have any real use for RAC for 363 days of the year; and we MIGHT need it for 2 days of the year? This is the dilemma we're facing.
    Thanks
    Edited by: rsar001 on Sep 3, 2010 9:42 AM

  • I had the developer preview for IOS 6 on my phone, and just got a message telling me that my operating system is no longer active. How do I get my phone activated again?

    I had the developer preview installed. Never had to update to the release version of the OS. Now, the preview has expired, and I cannot use my phone because my iTunes reads my OS as being current, but my iPhone cannot active. Any ideas on how to fix this issue?

    If I Google for Michael Superczynski, first match tells "Michael Superczynski's Profile : Apple Support Communities". It in fact does a lot of work there even if not paid.
    And yes, we do not have a disagreement about "official apple developers". The problem is that Apple screwed our devices because we are "official apple developers" and made an effort to stop us getting proper help. I unbricked my iPad and iPhone thanks to unofficial help. Thank you to whoever wrote this unofficial help and "no thanks" to Apple for ruining my access to my devices. My mistake was assuming that the "update" button on my devices works. It did not because it always said "Your device has latest IOS6 installed" until it bricked yesterday.
    If Apple does not want to listen to us, continue to delete posts, blame us for installing your software, and yes, we will stop buying your devices and developing for them.
      Tonu

  • How to get the list of active devices in current wifi network?

    Hi All,
    I am going to a start a new Network based app. So please any one give me an idea on the below question.
    How to get the list of active devices in current wifi network?

    Nope, I want to retrieve the groups that the logged-in user belongs to. I have the following code:
    // Needs java.util.Hashtable, javax.naming.* and javax.naming.directory.*
    strUsername = Request.getParameter("username").toLowerCase().trim()+"@dev.test.com.ph";
    // Passwords are case-sensitive, so the password is not lower-cased.
    // Reject an empty password before binding: many directory servers treat a
    // simple bind with an empty password as an unauthenticated bind that succeeds.
    strPassword = Request.getParameter("password").trim();
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
    env.put(Context.PROVIDER_URL, MY_HOST);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL,strUsername);
    env.put(Context.SECURITY_CREDENTIALS, strPassword);
    // enable tracing (debug only: the trace dumps the raw LDAP messages,
    // including the simple-bind password, to System.err)
    env.put("com.sun.naming.ldap.trace.ber", System.err);
    // Create the initial context
    DirContext initCtx = new InitialDirContext(env);
    // Get the target context
    DirContext targetCtx = (DirContext)initCtx.lookup("");
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Perform the search on the target context.
    // "enum" is a reserved word since Java 5, so the variable is named "results".
    // The {0} argument form lets JNDI escape the user-supplied name instead of
    // concatenating it into the filter string.
    NamingEnumeration results = targetCtx.search("", "(userPrincipalName={0})", new Object[]{strUsername}, constraints);
    javax.naming.directory.Attributes attrs;
    NameClassPair item;
    String[] attrIds = new String[]{"MemberOf"};
    // For each answer found, get its "Groups" attribute
    // If relative, resolve it relative to the target context
    // If not relative, resolve it relative to the initial context
    while (results.hasMore()) {
        item = (NameClassPair)results.next();
        Out.println(item);
        attrs = targetCtx.getAttributes(item.getName(), attrIds);
        Out.println(attrs + "<br>");
    }
    // Close the context once, after the loop
    initCtx.close();
    It returns all this string :
    {memberof=memberOf: CN=CMCanadaRD,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=iMngrCanadaRW,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=Domain Users,CN=Users,DC=dev,DC=test,DC=com,DC=ph, CN=Backup Operators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph, CN=Administrators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph}
    How can I retrieve the groups named CMCanadaRW and CMCanadaRD from the attribute?
    Thanks

  • How to save HR data in Active Directory using ABAP i.e thru LDAP Connector

    Hi All,
    Can any one please help me out how to save HR data in Active Directory using LDAP Connector?
    Please help ASAP as it is very urgent.
    Thanks
    Jitendra

    There are 100s of such scripts online.
    Here are a few tips and code samples. You will find more.
    https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
    http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
    Please mark this as answer if it helps

  • How to save hr data in Active directory  using abap

    Hi all
    can any one please help me out how to save hr data in Active directory using LDAP connector
    please help as this is very urgent requirement
    thanks in advance
    Thanks
    Chanti

    What form do you have the user's name in ?
    ANTIPODES\alberte
    String searchFilter = "(&(objectClass=user)(samAccountName=alberte))";
    [email protected]
    String searchFilter = "(&(objectClass=user)(userPrincipalName=[email protected]))";
    Albert Einstein
    String searchFilter = "(&(objectClass=user)(givenName=Albert)(sn=Einstein))";
    or using Ambiguous Name Resolution (anr)
    String searchFilter = "(&(objectClass=user)(anr=Albert Einstein))";
    or it's even clever enough to use
    String searchFilter = "(&(objectClass=user)(anr=Einstein Albert))";
