The session about firewall design and deployment didn’t reveal a lot of new things about the Cisco ASA appliance or FWSM module. The only new thing for me was the option to configure a redundant interface on a Cisco ASA appliance. The screen shot below shows the cabling scheme for an implementation with and without interface redundancy.
This interface redundancy makes it possible to connect an ASA to two different physical switches. If the switch carrying the active link fails, the link to the second switch becomes the active one.
Note that this configuration does not load-balance traffic across the two links; it provides link redundancy only.
To configure interface redundancy you can use the configuration snippet shown below.
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface Redundant1.4
 vlan 4
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Redundant1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 172.16.50.10 255.255.255.0
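As an added example (not part of the original post or of any Cisco tooling), the small lint below parses the snippet above and checks the constraints that make a redundant interface work: exactly two member interfaces, no nameif/security-level/IP settings on the members themselves, and every VLAN subinterface fully configured. The parser only understands the `interface` blocks shown here; everything else is an assumption for illustration.

```python
import re
# Sample input: the ASA snippet from the post above, used as constructed test data
SAMPLE_CONFIG = """interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface Redundant1.4
 vlan 4
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
interface Redundant1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 172.16.50.10 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its list of indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit_redundant(blocks):
    """Lint each RedundantN interface; returns a list of human-readable findings."""
    findings = []
    for name, cmds in blocks.items():
        if not re.fullmatch(r"Redundant\d+", name):
            continue
        members = [c.split()[1] for c in cmds if c.startswith("member-interface ")]
        if len(members) != 2:  # link redundancy needs exactly two physical members
            findings.append(f"{name}: expected 2 member interfaces, found {len(members)}")
        for m in members:  # L2/L3 settings belong on the Redundant interface, not on members
            for c in blocks.get(m, []):
                if c.startswith(("nameif ", "security-level ", "ip address ")):
                    findings.append(f"{m}: member of {name} must not carry '{c}'")
        for sub in (n for n in blocks if n.startswith(name + ".")):
            for req in ("vlan ", "nameif ", "security-level ", "ip address "):
                if not any(c.startswith(req) for c in blocks[sub]):
                    findings.append(f"{sub}: missing '{req.strip()}'")
    return findings
```

Running `audit_redundant(parse_interfaces(SAMPLE_CONFIG))` returns an empty list for the snippet above; removing a member line or a `vlan` command produces a finding per violated rule.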
The configuration of interface redundancy has some caveats as listed below:
The session also covered the different firewall modes. Normally we only use Routed Mode, but there are more modes, as described below:
Firewall virtualization using multiple contexts has some caveats, which we at Ictivity have already run into during firewall implementations. Firewall virtualization has the following caveats:
In particular, the lack of support for VPN services (site-to-site VPN, remote access VPN and SSL VPN) is the most common reason for not implementing the firewall in multiple context mode.