This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to configure a pa-500 with 2 inputs

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to configure a pa-500 with 2 inputs

jtribble
Not applicable

‎07-31-2015 11:06 AM

I have a PA-500 running as a web proxy, The connection from the inside is a ASA-5512 (required), except that I have 2 5512's running in active-standby failover mode. How do I connect both 5512's into the PA500 so that if a failover happens the traffic from the back 5512 is scanned?

Labels:
0 Likes Likes
10 REPLIES 10

Remo
L7 Applicator

‎07-31-2015 12:00 PM

Depending on the requirements on the network after your pa500, you could use v-wires for both asa's or connect them to two layer two interfaces and create a corresponting vlan interface.

0 Likes Likes

jtribble
Not applicable

‎07-31-2015 12:03 PM

After the 500 is the external connection. So  both vwires would be in the trust zone?

0 Likes Likes

Remo
L7 Applicator
In response to jtribble

‎07-31-2015 12:15 PM

External Connection to a router or a first a switch and then the next router?

0 Likes Likes

jtribble
Not applicable

‎07-31-2015 12:19 PM

A router

0 Likes Likes

Remo
L7 Applicator
In response to jtribble

‎07-31-2015 12:30 PM

In this case I think connecting the asa's to two layer 2 interfaces would be the best solution.and then between the pa500 and the router a layer3 interface. so then you could configure both layer two links in the same (trust)-zone and the untrust one for the external link to the router

jtribble
Not applicable

‎07-31-2015 12:32 PM

Actually I was wrong the current ASA's go into a L2 switch which then connects to the Core router, so would I just create a second virtual wire and connect the standby asa and another connection to the L2 switch.Capture1.JPG

0 Likes Likes

jtribble
Not applicable

‎07-31-2015 12:39 PM

Capture2.JPG

0 Likes Likes

Remo
L7 Applicator
In response to jtribble

‎07-31-2015 12:52 PM

With a layer 2 switch there both possibilities would work. I would still reccommend to use the pa500 as layer 3 device between the asa's and the external network. But this is only my personal opinion because I like to have the control over the traffic flow by routing rather than traffic passing transparently (for the asa point of view) to the next router.

0 Likes Likes

Remo
L7 Applicator
In response to jtribble

‎07-31-2015 12:56 PM

like this, yes. this way you can now create zone based firewallrules and they would be the same for both asa.

Now depending on if there is traffic needed between the interfaces of the asa (in order to make HA on them work), you also have to allow this traffic i think.

0 Likes Likes

jtribble
Not applicable
In response to Remo

‎07-31-2015 01:00 PM

No because the 2 ASA's have a connection between them for HA, I just didnt show it on the diagram.  Thanks I will update this after I implement and let everyone know if it worked or not.

0 Likes Likes
  • 5994 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks