Active Standby Configuration of Cisco Transparent ASA

Fail over requires 2 dedicated connections between 2 firewalls, one to replicate configurations and the other one to sync real time connection information. This post explains how it can be done in transparent mode firewall. Fail over configurations are almost identical in routed mode too.

If you want to know about the transparent mode operation of a Cisco ASA, please go here.

Assuming all other configuration works fine,

Starting from ASA-1,

Make it a transparent firewall..
ciscoasa(config)# firewall transparent 

Create a BVI..
ciscoasa(config)# interface bVI 1
ciscoasa(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

Assigning bridge group to 2 interfaces..
ciscoasa(config-if)# int e2
ciscoasa(config-if)# nameif INSIDE
ciscoasa(config-if)# bridge-group 1 

ciscoasa(config-if)# int e3
ciscoasa(config-if)# nameif OUTSIDE
ciscoasa(config-if)# bridge-group 1

Configure the configuration replicating link..
ciscoasa(config)# failover lan interface LAN_FAIL eth0
ciscoasa(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2

Configure the real time connections syncing link..
ciscoasa(config)# failover link STATEFUL_FAIL eth1
ciscoasa(config)# failover interface ip STATEFUL_FAIL 10.2.2.1 255.255.255.252 standby 10.2.2.2

Make ASA-1 the primary..
ciscoasa(config)# failover lan unit primary

Display the primary state in hostname..
ciscoasa(config)# prompt hostname priority state

Activate the failing over..
ciscoasa(config)# failover

Configuring the ASA-2 as the secondary link,

ciscoasa(config)# failover lan interface LAN_FAIL eth0
ciscoasa(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover

Following commands can verify the configuration..