How to configure a pa-500 with 2 inputs

Not applicable

How to configure a pa-500 with 2 inputs

I have a PA-500 running as a web proxy. The connection from the inside is an ASA-5512 (required), except that I have 2 5512s running in active-standby failover mode. How do I connect both 5512s into the PA-500 so that if a failover happens the traffic from the back 5512 is scanned?

L7 Applicator

Re: How to configure a pa-500 with 2 inputs

Depending on the requirements on the network after your PA-500, you could use v-wires for both ASAs or connect them to two layer 2 interfaces and create a corresponding VLAN interface.

Not applicable

Re: How to configure a pa-500 with 2 inputs

After the 500 is the external connection. So both vwires would be in the trust zone?

L7 Applicator

Re: How to configure a pa-500 with 2 inputs

External connection to a router, or first a switch and then the next router?

Not applicable

Re: How to configure a pa-500 with 2 inputs

A router

L7 Applicator

Re: How to configure a pa-500 with 2 inputs

In this case I think connecting the ASAs to two layer 2 interfaces would be the best solution, and then between the PA-500 and the router a layer 3 interface. Then you could configure both layer 2 links in the same (trust) zone and the untrust one for the external link to the router.

Not applicable

Re: How to configure a pa-500 with 2 inputs

Actually I was wrong: the current ASAs go into an L2 switch which then connects to the core router, so would I just create a second virtual wire and connect the standby ASA and another connection to the L2 switch?

Capture1.JPG

Not applicable

Re: How to configure a pa-500 with 2 inputs

Capture2.JPG

L7 Applicator

Re: How to configure a pa-500 with 2 inputs

With a layer 2 switch there, both possibilities would work. I would still recommend using the PA-500 as a layer 3 device between the ASAs and the external network. But this is only my personal opinion, because I like to have control over the traffic flow by routing rather than traffic passing transparently (from the ASA's point of view) to the next router.

L7 Applicator

Re: How to configure a pa-500 with 2 inputs

Like this, yes. This way you can now create zone-based firewall rules and they would be the same for both ASAs.

Now depending on whether there is traffic needed between the interfaces of the ASAs (in order to make HA on them work), you also have to allow this traffic, I think.
