From: Sheahan, John (John.Sheahan@priceline.com)
Date: Tue Mar 28 2006 - 16:06:54 GMT-3
In my opinion, and from what I have been told by our Cisco reps, it is not insecure to configure it this way. In fact, it would not be considered insecure to run one VLAN on a switch as the external VLAN and one VLAN on the same switch as the INTERNAL VLAN.
My only other observation is that you are only using one switch on the external side and only have one connection to your ISP.... not really sure why you would want to burn two ASAs (one in active and one in standby mode) when the rest of your design is full of single points of failure?
john
-----Original Message-----
From: Stefan Grey [mailto:examplebrain@hotmail.com]
Sent: Tuesday, March 28, 2006 2:00 PM
To: Sheahan, John; ccielab@groupstudy.com
Subject: RE: ASA failover
Ok, another question. Is it very insecure to have a switch on the client's perimeter??
What would you say if I put the switch on the perimeter. From the provider I have one Ethernet (ADSL modem) connected to the switch. Two ASAs are connected to this switch and between them Active/Standby failover is configured.
Is it insecure?? What do you think.... I have heard critique about such a design and never heard that the switch could be on the client's perimeter but.... don't know, understand why it could be bad indeed :( what do you think??
>From: "Sheahan, John" <John.Sheahan@priceline.com>
>Reply-To: "Sheahan, John" <John.Sheahan@priceline.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: ASA failover
>Date: Tue, 28 Mar 2006 12:21:17 -0500
>
>Yes. Here is the quote from Cisco's site:
>
>http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1051178
>
>
>Interface Monitoring
>You can monitor up to 250 interfaces divided between all contexts. You
>should monitor important interfaces, for example, you might configure
>one context to monitor a shared interface (because the interface is
>shared, all contexts benefit from the monitoring).
>
>When a unit does not receive hello messages on a monitored interface, it
>runs the following tests:
>
>1. Link Up/Down test - A test of the interface status. If the Link Up/Down
>test indicates that the interface is operational, then the security
>appliance performs network tests. The purpose of these tests is to
>generate network traffic to determine which (if either) unit has failed.
>At the start of each test, each unit clears its received packet count
>for its interfaces. At the conclusion of each test, each unit looks to
>see if it has received any traffic. If it has, the interface is
>considered operational. If one unit receives traffic for a test and the
>other unit does not, the unit that received no traffic is considered
>failed. If neither unit has received traffic, then the next test is
>used.
>
>2. Network Activity test - A received network activity test. The unit
>counts all received packets for up to 5 seconds. If any packets are
>received at any time during this interval, the interface is considered
>operational and testing stops. If no traffic is received, the ARP test
>begins.
>
>3. ARP test - A reading of the unit ARP cache for the 2 most recently
>acquired entries. One at a time, the unit sends ARP requests to these
>machines, attempting to stimulate network traffic. After each request,
>the unit counts all received traffic for up to 5 seconds. If traffic is
>received, the interface is considered operational. If no traffic is
>received, an ARP request is sent to the next machine. If at the end of
>the list no traffic has been received, the ping test begins.
>
>4. Broadcast Ping test - A ping test that consists of sending out a
>broadcast ping request. The unit then counts all received packets for up
>to 5 seconds. If any packets are received at any time during this
>interval, the interface is considered operational and testing stops.
>
>If all network tests fail for an interface, but this interface on the
>other unit continues to successfully pass traffic, then the interface is
>considered to be failed. If the threshold for failed interfaces is met,
>then a failover occurs. If the other unit interface also fails all the
>network tests, then both interfaces go into the "Unknown" state and do
>not count towards the failover limit.
>
>An interface becomes operational again if it receives any traffic. A
>failed security appliance returns to standby mode if the interface
>failure threshold is no longer met.
>
>
>
>--------------------------------------------------------------------------------
>
>Note If a failed unit does not recover and you believe it should not be
>failed, you can reset the state by entering the failover reset command.
>If the failover condition persists, however, the unit will fail again.
>
>
>--------------------------------------------------------------------------------
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Stefan Grey
>Sent: Tuesday, March 28, 2006 12:00 PM
>To: ccielab@groupstudy.com
>Subject: ASA failover
>
>Hi,
>Does ASA support failover of multiple interfaces??
>Say ASA1 and ASA2 are connected by multiple interfaces to the 3 routers.
>
>ASA1 is active and is connected to the 3 routers. If it fails then ASA2
>will be active and its 3 connections to these 3 routers will become
>active???
>
>I just couldn't find it anywhere :(
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
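The interface-monitoring sequence quoted from the Cisco documentation above (Link Up/Down, then Network Activity, ARP and Broadcast Ping, each judged per unit pair) is easy to misread, in particular the difference between a "failed" interface, which counts toward failover, and an "Unknown" interface, which does not. The following Python model is an added illustration written for this archive page; it is not Cisco code and not part of the thread. The data model, the `threshold` parameter and the sample scenarios are constructed assumptions; the decision rules follow the quoted text.

```python
"""Constructed model of the ASA failover interface-monitoring sequence
quoted above (not Cisco code). The MonitoredInterface model, the
``threshold`` argument and SAMPLE_PAIRS are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Network tests in the order the quoted documentation runs them after the
# link check. Each test gives the unit up to 5 seconds to count packets.
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")


@dataclass
class MonitoredInterface:
    """One monitored interface on one unit (constructed model)."""
    link_up: bool
    # Constructed: did this unit count any received packets during the
    # window of each test? Missing keys mean "no traffic seen".
    traffic_seen: Dict[str, bool] = field(default_factory=dict)

    def received(self, test: str) -> bool:
        return self.traffic_seen.get(test, False)


def evaluate_pair(active: MonitoredInterface,
                  standby: MonitoredInterface) -> Tuple[str, str]:
    """Return (active_state, standby_state): 'operational', 'failed' or 'unknown'.

    Rules from the quoted text: if either unit sees traffic in a test, that
    unit is operational; if only one sees traffic the other is failed; if
    neither sees traffic the next test runs; if every test fails on both
    units, both interfaces become 'unknown' and do not count toward failover.
    A link that is down is treated as failed on that unit without running the
    network tests (assumption: the text only says network tests run when the
    Link Up/Down test reports the interface operational).
    """
    if not active.link_up or not standby.link_up:
        return ("operational" if active.link_up else "failed",
                "operational" if standby.link_up else "failed")
    for test in NETWORK_TESTS:
        a_rx, s_rx = active.received(test), standby.received(test)
        if a_rx and s_rx:
            return ("operational", "operational")
        if a_rx and not s_rx:
            return ("operational", "failed")
        if s_rx and not a_rx:
            return ("failed", "operational")
        # Neither unit saw traffic: fall through to the next test.
    return ("unknown", "unknown")


def failover_needed(pairs: Dict[str, Tuple[MonitoredInterface, MonitoredInterface]],
                    threshold: int = 1):
    """Evaluate every monitored interface and decide whether the active unit
    must fail over. ``threshold`` is the assumed number of failed interfaces
    on the active unit that triggers failover ('if the threshold for failed
    interfaces is met, then a failover occurs'). Returns
    (failover, failed_interface_names, per_interface_states)."""
    states = {name: evaluate_pair(a, s) for name, (a, s) in pairs.items()}
    failed: List[str] = [name for name, (a_state, _) in states.items()
                         if a_state == "failed"]
    return len(failed) >= threshold, failed, states


# Constructed scenario: three monitored interfaces on an active/standby pair.
SAMPLE_PAIRS = {
    # Busy segment: both units see traffic in the first network test.
    "outside": (MonitoredInterface(True, {"network_activity": True}),
                MonitoredInterface(True, {"network_activity": True})),
    # Active unit's DMZ port sees nothing; standby gets an ARP reply, so the
    # active interface is judged failed (the hardest case to reason about).
    "dmz": (MonitoredInterface(True, {}),
            MonitoredInterface(True, {"arp": True})),
    # Quiet segment: neither unit sees traffic in any test -> Unknown on both,
    # which is deliberately NOT counted as a failure.
    "inside": (MonitoredInterface(True, {}), MonitoredInterface(True, {})),
}

if __name__ == "__main__":
    needed, failed, states = failover_needed(SAMPLE_PAIRS)
    for name, (a_state, s_state) in states.items():
        print(f"{name:8s} active={a_state:12s} standby={s_state}")
    print("failover needed:", needed, "failed interfaces:", failed)
```

The "inside" case is the one worth remembering when reading `show failover` output on a lightly used segment: an interface that nobody talks on shows as Unknown on both units rather than triggering a failover, so a genuinely dead link on a quiet segment can go unnoticed until real traffic (or a monitored neighbour) exists on it.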
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3