What is CISCO ASA
CISCO ASA (Adaptive Security Appliance) is a hardware firewall. It runs on a separate device and does not consume resources of the servers it protects.
Software firewalls — iptables, nftables, ufw — also filter traffic, but run on the same machine as your applications. Under high load, this is noticeable. ASA is separate hardware: the load from traffic processing stays on it, while servers focus on their tasks.
ASA capabilities:
Stateful inspection — tracks the state of TCP connections, passing only legitimate response packets. Simple packet filtering doesn't do this: each packet is evaluated individually. Stateful inspection knows that a connection was opened and will automatically pass return traffic.
Access Control Lists (ACL) — rules based on IP addresses, protocols and ports. Allow only what's needed; everything else is dropped.
VPN — IPsec and SSL/TLS support. An encrypted channel between the office and servers, between multiple data centers, or for remote employee access.
Address translation (NAT/PAT) — internal servers operate behind a single public IP. The external world doesn't see the network topology.
IPS module integration — real-time attack detection and blocking based on signatures and behavioral analysis.
When ASA is justified
Multiple servers that need to be isolated from each other. Database, application, load balancer — each segment with its own access rules, without the possibility of lateral movement when one node is compromised.
Compliance requirements. PCI DSS, SOC 2, ISO 27001 — many require hardware network segmentation. A software firewall often doesn't count as a sufficient measure.
Traffic audit without load on primary servers. ASA logs everything that passes through it. For incident investigation — a complete picture at the network level.
Centralized security point. Instead of configuring rules on each server separately — a single policy on ASA for the entire infrastructure.
For a single server without specific requirements, ASA is overkill. A properly configured nftables or ufw is sufficient in most cases.
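The stateful inspection and ACL behaviour described under "ASA capabilities", applied to the three-segment layout (load balancer, application, database) from "When ASA is justified", as an added example in Python. This is not Cisco code and not the hosting provider's configuration; it is a small model of first-match ACL evaluation plus a connection table, so the difference between a stateless filter and stateful inspection can be seen on concrete packets. The address ranges, ports and packets are constructed for the example.

```python
"""Model of first-match ACLs and stateful inspection across three segments.

Added example (not Cisco ASA code). Segments, ranges, ports and packets are
constructed; the ACL encodes only the flows the architecture needs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segments (RFC 1918 ranges chosen for the example).
SEGMENTS = {
    "lb": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a new TCP connection
    ack: bool = False


# First-match ACL: (source segment, destination segment, destination port, action).
# Only the needed flows are permitted; the last entry is the implicit deny.
ACL = [
    ("lb", "app", 8080, "permit"),   # load balancer -> application tier
    ("app", "db", 5432, "permit"),   # application -> database
    ("any", "any", None, "deny"),    # everything else, including db -> anywhere
]


def segment_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def acl_lookup(pkt: Packet) -> str:
    """Evaluate the ACL top to bottom; the first matching entry decides."""
    src_seg, dst_seg = segment_of(pkt.src), segment_of(pkt.dst)
    for src, dst, port, action in ACL:
        if src not in ("any", src_seg):
            continue
        if dst not in ("any", dst_seg):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"


def stateless_lookup(pkt: Packet) -> str:
    """Plain packet filtering: every packet, replies included, is judged alone."""
    return acl_lookup(pkt)


class StatefulFilter:
    """Connection table keyed by the 5-tuple of the initiating direction."""

    def __init__(self) -> None:
        self.table = set()

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belongs to a connection already admitted (either direction).
        if fwd in self.table or rev in self.table:
            return "permit"
        # Only a SYN can open a connection, and only if the ACL allows the flow.
        if pkt.syn and not pkt.ack and acl_lookup(pkt) == "permit":
            self.table.add(fwd)
            return "permit"
        # Reply or mid-stream packet with no known connection: dropped.
        return "deny"
```

The constructed scenario worth stepping through: the load balancer opens a connection to the application tier (permitted by the ACL and recorded), the application's SYN-ACK back to the load balancer is permitted by the stateful filter because it matches the recorded connection, while the stateless lookup denies it because no ACL entry allows app to lb traffic. A stray ACK from the lb segment with no prior SYN is denied by the stateful filter but would pass a stateless filter that relied on a broad "established" rule.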
What is Failover IP
Failover IP is an IP address that isn't permanently tied to one server. It can be switched to another server — quickly, without changing DNS, without waiting for record updates.
A regular IP address belongs to a specific server. If the server goes down — the address is unavailable. To redirect traffic to a backup server, you need to change DNS. That means minutes or hours for resolver caches to update depending on TTL.
Failover IP switches at the provider's network level. DNS doesn't change. Traffic starts going to the other server within seconds. Already-established TCP connections are dropped — this is normal for an emergency switchover, but new connections immediately go to the backup server.
Use cases
Hot standby. The primary server is running, the backup is on standby with current data (database replication, file synchronization). On failure: switch Failover IP to the backup, users restore connections and continue working.
Zero-downtime migration. Spin up a new server, transfer data, verify everything works. Then switch Failover IP to the new server. Users notice nothing, the address doesn't change.
Testing. Spin up a test server, route some traffic to it via Failover IP, evaluate behavior under real load. Instantly revert if needed.
Planned maintenance. Switch traffic to a backup server, perform maintenance on the primary without downtime for users.
Failover IP vs. other approaches
Static backup IP — simply a second address on the server. Clients need to know it in advance and switch themselves. Without automation, this is manual work every time there's an outage.
DNS failover — switching via DNS record changes. Works, but depends on TTL. Even with a 60-second TTL, some resolvers cache longer. Not sufficient for critical services.
BGP — a different class of problem. BGP is needed for your own IP address blocks and for multihoming across multiple providers. Failover IP works within a single provider's network without needing to set up a BGP session.
Failover IP is a simpler tool than BGP, with no ASN or PI address requirements. For redundancy tasks within a single provider, it's sufficient.
Automatic or manual switching
By default, Failover IP is switched manually through the control panel or by request to support. Automatic switching requires additional setup: monitoring checks the primary server's availability (ping, HTTP check, TCP check) and automatically switches the IP to the backup if unavailable.
Setting up automatic switching requires:
- External monitoring accessible from multiple points simultaneously (to exclude false positives)
- API access for Failover IP management
- Failure detection logic and a switching script
Clarify the details with support when setting this up.
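The automatic switching setup listed above (multi-point monitoring, API access, detection logic and a switching script), as an added example in Python. This is not the provider's code: the provider API call is represented by a hypothetical `switch_ip(failover_ip, target_server)` callable you would supply, and the Failover IP address, server names and probe results are constructed. The point the example adds to the text is the failure-detection logic itself: a quorum of vantage points must agree, several consecutive rounds are required, and a cooldown prevents the address from flapping between servers.

```python
"""Quorum-based automatic Failover IP switching.

Added example, not the provider's code. `switch_ip` stands in for the
provider's Failover IP API (hypothetical); addresses and probes are constructed.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """One vantage point's TCP check: True if a connection can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class FailoverPolicy:
    quorum: int = 2               # vantage points that must report the active server down
    consecutive_rounds: int = 3   # failing rounds in a row before switching
    cooldown_s: float = 300.0     # minimum seconds between switches (anti-flapping)


@dataclass
class FailoverController:
    failover_ip: str
    primary: str
    backup: str
    switch_ip: Callable[[str, str], None]   # hypothetical provider API call
    policy: FailoverPolicy = field(default_factory=FailoverPolicy)
    active: str = ""
    failing_rounds: int = 0
    last_switch: float = float("-inf")
    history: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.active or self.primary

    def evaluate(self, probes: Dict[str, bool], now: float) -> str:
        """Feed one monitoring round (vantage point -> active server reachable?).

        Returns the server the Failover IP points at after this round.
        """
        down_votes = sum(1 for ok in probes.values() if not ok)
        if down_votes >= self.policy.quorum:
            self.failing_rounds += 1
        else:
            self.failing_rounds = 0   # a healthy round resets the streak
        if (self.failing_rounds >= self.policy.consecutive_rounds
                and now - self.last_switch >= self.policy.cooldown_s):
            other = self.backup if self.active == self.primary else self.primary
            self.switch_ip(self.failover_ip, other)   # provider API (hypothetical)
            self.history.append(f"{now:.0f}s: {self.active} -> {other}")
            self.active = other
            self.failing_rounds = 0
            self.last_switch = now
        return self.active


def run_scenario() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed timeline: one vantage point flaps, then a real outage."""
    calls: List[Tuple[str, str]] = []
    ctl = FailoverController(
        failover_ip="203.0.113.10",      # constructed (TEST-NET-3)
        primary="srv-a",
        backup="srv-b",
        switch_ip=lambda ip, target: calls.append((ip, target)),
    )
    # A single vantage point reporting failure is below quorum: no action.
    ctl.evaluate({"fra": False, "ams": True, "nyc": True}, now=0)
    # Two of three agree for three rounds in a row: switch to the backup.
    for t in (10, 20, 30):
        ctl.evaluate({"fra": False, "ams": False, "nyc": True}, now=t)
    # Backup also looks down shortly after, but the cooldown blocks a flap back.
    for t in (40, 50, 60):
        ctl.evaluate({"fra": False, "ams": False, "nyc": False}, now=t)
    return ctl.history, calls


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

In a real deployment each vantage point would run `tcp_probe` (or an HTTP check) against the active server and report into the controller; the quorum setting is what turns "one monitoring point lost connectivity" into a non-event, and the cooldown is what keeps a partially reachable backup from bouncing the address back and forth.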
How to get CISCO ASA or Failover IP
Both tools are available as add-ons to a dedicated server. To connect — write to support: support@the.hosting or Telegram @thehosting_sale. Specify the task: which server, what exactly is needed — ASA or Failover IP, approximate traffic volume or network topology.
Frequently asked questions
Can CISCO ASA be used with a single server? Technically — yes. Economically — only with compliance requirements or specific security tasks. For a single server without special requirements, a software firewall gives a better cost-to-result ratio.
Is Failover IP the same as Floating IP? Essentially — yes, different providers name this feature differently: Failover IP, Floating IP, Moving IP. The concept is the same: an address that can be reassigned between servers without changing DNS.
How many servers can be linked to one Failover IP? Failover IP is assigned to one server at any given time. Switching happens between servers as needed — not simultaneously to multiple machines.
Does Failover IP work with Windows Server? Yes. Failover IP doesn't depend on the server's operating system — switching happens at the provider's network level. From the server's perspective, it's just a regular IP address.
Can Failover IP be used for Anycast? No. Anycast is announcing one IP from multiple geographically distributed servers simultaneously. That's a job for BGP. Failover IP works differently: the address is assigned to only one server at any given time.
To connect CISCO ASA or Failover IP on a THE.Hosting dedicated server — write to support support@the.hosting or Telegram @thehosting_sale.