Suppose the physical cable from your PIX/ASA to a switchport in a VLAN fails, and you cannot afford downtime due to a link failure.
You can consider using interface redundancy. Firewall interface redundancy can include up to 8 physical interfaces. Physical interfaces that become members of a redundant link have all their security parameters wiped out. A redundant interface is a logical interface: at any one time only one physical member interface is active, and the rest are standby. Security parameters can be defined on the redundant interface but not on the physical member interfaces.
Here’s how it’s done:
Step1:
pix-1(config)# int redundant 1
Create a logical redundant interface. The number is arbitrary, from 1 to 8.
Step2:
pix-1(config-if)# member-interface e1
INFO: security-level and IP address are cleared on Ethernet1.
pix-1(config-if)# member-interface e2
INFO: security-level and IP address are cleared on Ethernet2.
Take note of the INFO messages: the PIX/ASA warns you that everything is cleared on those physical interfaces once they join a redundant interface. The order in which interfaces join the redundant link is important. In this example Ethernet1, being the first configured member, will be the active interface.
Step3:
pix-1(config-if)# no shut
Turn on the redundant interface.
Note: Turning on the redundant interface does not turn on the member interfaces. Check this output:
pix-1(config-if)# sh int ip brief
Interface    IP-Address   OK?  Method  Status                 Protocol
Ethernet0    unassigned   YES  unset   administratively down  up
Ethernet1    unassigned   YES  unset   administratively down  up
Ethernet2    unassigned   YES  unset   administratively down  down
Ethernet3    unassigned   YES  unset   administratively down  down
Ethernet4    unassigned   YES  unset   administratively down  down
Ethernet5    unassigned   YES  unset   administratively down  down
Redundant1   unassigned   YES  unset   down                   down
Virtual254   unassigned   YES  unset   up                     up
You need to turn on the individual member interfaces manually, like this:
pix-1(config-if)# int e1
pix-1(config-if)# no shut
pix-1(config-if)# int e2
pix-1(config-if)# no shut
Step4:
pix-1(config)# int redundant 1
pix-1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
pix-1(config-if)# ip address 192.168.100.1 255.255.255.0
Put all your IP and security parameters on the redundant interface.
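The pitfall from Step 3 (a member left administratively down cannot take over when the active link fails) can be checked offline from saved CLI text. The following Python script is an added example, not part of the original post; the running-config layout, the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the configuration and output in this post.
RUNNING_CONFIG = """\
interface Redundant1
 member-interface Ethernet1
 member-interface Ethernet2
 nameif inside
 ip address 192.168.100.1 255.255.255.0
"""
IP_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet1 unassigned YES unset up up
Ethernet2 unassigned YES unset administratively down down
Redundant1 192.168.100.1 YES manual up up
"""

def redundant_members(config):
    """Map each redundant interface to its members, in configured order."""
    members, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level stanza begins
            m = re.match(r"interface (Redundant\d+)$", line.strip())
            current = m.group(1) if m else None
            if current:
                members[current] = []
        elif current and line.strip().startswith("member-interface "):
            members[current].append(line.split()[1])
    return members

def interface_status(brief):
    """Parse 'show interface ip brief'; the Status column may be two words."""
    status = {}
    for line in brief.splitlines()[1:]:       # skip the header row
        tok = line.split()
        if len(tok) >= 6:
            status[tok[0]] = (" ".join(tok[4:-1]), tok[-1])
    return status

def audit(config, brief):
    """Return one finding per member that is not up/up."""
    status, findings = interface_status(brief), []
    for red, mems in redundant_members(config).items():
        for pos, name in enumerate(mems):
            state, proto = status.get(name, ("missing", "missing"))
            if state != "up" or proto != "up":
                role = "first (active)" if pos == 0 else "standby"
                findings.append(f"{red}: {role} member {name} is {state}/{proto}")
    return findings
```

In the constructed sample, Redundant1 itself shows up/up, so only the per-member check reveals that the standby link was never enabled.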