How to configure a pa-500 with 2 inputs


Not applicable

I have a PA-500 running as a web proxy. The connection from the inside is an ASA-5512 (required), except that I have 2 5512s running in active-standby failover mode. How do I connect both 5512s into the PA-500 so that if a failover happens the traffic from the back 5512 is scanned?

10 REPLIES 10

L7 Applicator

Depending on the requirements on the network after your PA-500, you could use v-wires for both ASAs or connect them to two layer 2 interfaces and create a corresponding VLAN interface.

Not applicable

After the 500 is the external connection. So both vwires would be in the trust zone?

External connection to a router, or first a switch and then the next router?

Not applicable

A router

In this case I think connecting the ASAs to two layer 2 interfaces would be the best solution, and then between the PA-500 and the router a layer 3 interface. Then you could configure both layer 2 links in the same (trust) zone and the untrust one for the external link to the router.

Not applicable

Actually I was wrong: the current ASAs go into an L2 switch which then connects to the core router, so would I just create a second virtual wire and connect the standby ASA and another connection to the L2 switch?

Capture1.JPG

Not applicable

Capture2.JPG

With a layer 2 switch there, both possibilities would work. I would still recommend using the PA-500 as a layer 3 device between the ASAs and the external network. But this is only my personal opinion, because I like to have control over the traffic flow by routing rather than traffic passing transparently (from the ASA point of view) to the next router.

Like this, yes. This way you can now create zone-based firewall rules and they would be the same for both ASAs.

Now depending on if there is traffic needed between the interfaces of the ASAs (in order to make HA on them work), you also have to allow this traffic, I think.

No, because the 2 ASAs have a connection between them for HA; I just didn't show it on the diagram. Thanks, I will update this after I implement and let everyone know if it worked or not.
