topic You don't need the upstream in Network Security

Connecting Cisco ASA to 2 internet lines - best practice

craig5258 — Tue, 12 Mar 2019 08:53:02 GMT

Hi,

We have a primary SIP trunk for internet with a backup EFM circuit. Both lines terminate in a seperate ISP-managed router. The customer-side interfaces of both routers need to be connected on the same physical segment for HSRP failover (i.e. the outside interface of the ASA, the HSRP interface and the inside interface of the 2 ISP routers are all on the same subnet).

I've currently got a 1Gig mini-switch sitting between the ISP routers and the ASA but I don't like having this additional point of failure and potential bottleneck.

Is there a better way to do it? Can an ASA support direct connection to the ISP routers and have 2 interfaces on the same subnet?

Thanks in advance.

You can also configure it the

Karsten Iwen — Fri, 03 Feb 2017 16:21:14 GMT

You can also configure it the following way:

two mini-switches connected to each orher
Connect Router1 to switch1
Connect Router2 to switch2
connect two ASA interfaces, one to each switch.
combine both interfaces to a redundant interface

Or if you are really brave, you can upgrade to ASA version 9.7(1) and combine two interfaces into one bridge-group and connect both routers directly to the ASA.

Instead of using redundant

Marius Gunnerud — Fri, 03 Feb 2017 19:26:55 GMT

Instead of using redundant interfaces, you could stack the switches, and then create a portchannel between the ASA and the stack(one link to each switch). Then also cable one router into one switch and the other router into the second switch.

Please remember to select a correct answer and rate helpful posts

Mini-switch with stacking?

Karsten Iwen — Fri, 03 Feb 2017 19:38:44 GMT

Mini-switch with stacking? Don't think so ... 😉

overlooked the mini switch :

Marius Gunnerud — Fri, 03 Feb 2017 21:39:56 GMT

overlooked the mini switch :-s

Please remember to select a correct answer and rate helpful posts

Thanks for the reply.

craig5258 — Mon, 06 Feb 2017 08:13:13 GMT

Thanks for the reply.

I wasn't aware of interface redundancy on ASAs but it's on my radar now - thanks. It would only help in this case if you could link the redudnancy/failover to an IP SLA or similar so that if the SIP trunk failed upstream, the ASA interface would flip over. Otherwise, it would only failover if the inside interface of router1 went down - which is less likely.

I did read something about bridging groups - they sit behind a bridged virtual interface don't they? I thought that was my answer until I realised my ASA doesn't support them. So, I'll investigate the upgrade to 9.7(1). I've got a spare firewall so I can do some testing.

Thanks again.

You don't need the upstream

Karsten Iwen — Mon, 06 Feb 2017 08:28:08 GMT

You don't need the upstream tracking here. That is done automatically by the ISP-routers. The redundant interfaces help with failures of ASA interfaces or the outside switch.

And yes, you bundle physical interfaces in the same bridge-group and configure all parameters (nameif, ip, sec-level) on the bvi. An example is shown in the config guide for the 5506-default config.

Sorry - I missed the bit

craig5258 — Mon, 06 Feb 2017 08:41:34 GMT

Sorry - I missed the bit about connecting the mini-switches to each other. I was thinking that the ASA interface failover would need to mirror the HSRP failover. So, yes - this would do the job without any software upgrades. Thanks.

I'll check out the BVI config though - I'd be interested to see it working.