10-27-2023 07:56 AM
Not sure if this is the right location for this question, but here we go ...
I'm trying to replace 2 transparent ASAs in ACT/STDBY with 2 Palos in the same setup, vwire ACT/PAS. In the current setup, the ASAs are connected to 2 VPN servers in an ACT/PAS config; the ASAs have a 3-interface BVI (2 inside interfaces, one to each VPN server, and 1 outside interface to the upstream switch). The VPN servers build IPsec VPN tunnels THROUGH the ASAs to the other endpoint, and everything works fine. What I did, but which didn't fully work, was build 2 PAs in HA; for the 2 inside interfaces, I put them into an AE group and then put both the outside and AE interfaces into the same vwire instance. This setup did not work as expected. Any assistance would be great. Thanks.
10-27-2023 06:28 PM
Hi @Wayne_Fealy ,
From reading your post, it sounds like you have 3 interfaces in transparent mode. A VWire is for mapping interfaces 1-to-1.
You want to create 3 x L2 interfaces, and put them into the same VLAN. Put the interfaces in L2 zones, inside and outside (or you could do 3 zones to limit intrazone traffic between the 2 VPN servers). Then your security policy rules will follow naturally.
That will work.
Thanks,
Tom