https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853520#M489380 <HTML><HEAD></HEAD><BODY><P>Is ASA5520 on Failover mode as well?</P><P>Or you have two separate interfaces are connected to Active-Switch and Standby-Switch on different security level ?</P></BODY></HTML> Thu, 05 Jan 2012 20:43:37 GMT rizwanr74 2012-01-05T20:43:37Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853519#M489379 <P><STRONG style="font-size: 12pt; "><TT><SPAN style="color: #3a3935;">Hi All</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">Following is my requirement. Two different WAN links get connected to</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">the firewall via two routers.(Different ip subnets).I need to get this</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">two wan streams seperatly to the core switches.Core switches sits</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">Active/Stanby senario.If the Active&nbsp; core goes down Stndby Core will</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">have take over the traffic. Pls advice my design is correct ,if not</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">sugest what do i need to change. ASA is 5520.Pls help me to find</SPAN></TT></STRONG></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">suitable sample configuration for this senario</SPAN></TT></STRONG></P><P></P><P></P><P></P><P><STRONG style="font-size: 12pt; "> <TT><SPAN style="color: #3a3935;">Thanks</SPAN></TT></STRONG></P> Mon, 11 Mar 2019 22:10:20 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853519#M489379 Kantha Wijesekara 2019-03-11T22:10:20Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853520#M489380 <HTML><HEAD></HEAD><BODY><P>Is ASA5520 on Failover mode as well?</P><P>Or you have two separate interfaces are connected to Active-Switch and Standby-Switch on different security level ?</P></BODY></HTML> Thu, 05 Jan 2012 20:43:37 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853520#M489380 rizwanr74 2012-01-05T20:43:37Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853521#M489381 <HTML><HEAD></HEAD><BODY><P>Hi&nbsp; <A _jive_internal="true" class="active_link" href="https://community.cisco.com/people/rizwanr74" id="jive-3544109774310404165244">rizwanr74,</A></P><P>Thanks for the urgent reply, The ASA&nbsp; not in failover mode. Yes ,ASA should have two seperate interfaces are connected to both core switches.(Sorry its not seen on the diagram) </P><P>Kawi</P><P></P><P></P><DIV> </DIV></BODY></HTML> Fri, 06 Jan 2012 03:29:51 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853521#M489381 Kantha Wijesekara 2012-01-06T03:29:51Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853522#M489382 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P> Pls help................</P></BODY></HTML> Mon, 09 Jan 2012 05:10:40 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853522#M489382 Kantha Wijesekara 2012-01-09T05:10:40Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853523#M489383 <HTML><HEAD></HEAD><BODY><P>Hello Kantha,</P><P></P><P>On the WAN side I do not see any issues as you will send all internet traffic over one router and then the connections to the other Sites via another router. PBR is not supported on the ASA but you will be able to accomplish this particular scenario</P><P></P><P>Now on the LAN side , the ASA 5520 needs to have each interface attached to a differnet subnet, in this case you will have two interface going to 2 different switches on the same subnet witch you cannot do it. I think what you could do is to have redundant interfaces.</P><P>Here is one example:</P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1009432" style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style-type: none; outline-style: none; color: #2f6681; font-family: Arial, verdana, sans-serif;">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1009432</A></P><P></P><P></P><P>Please rate if this helps.</P><P></P><P>Julio</P></BODY></HTML> Mon, 09 Jan 2012 05:51:58 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853523#M489383 Julio Carvajal 2012-01-09T05:51:58Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853524#M489384 <HTML><HEAD></HEAD><BODY><P>Hi Julio.</P><P>Kindly explain the LAN side which not clear to me.How I segment the Lan for different subnets.</P><P></P><P></P><P>KAWI</P></BODY></HTML> Mon, 09 Jan 2012 07:54:06 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853524#M489384 Kantha Wijesekara 2012-01-09T07:54:06Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853525#M489385 <HTML><HEAD></HEAD><BODY><P>Hello Kantha,</P><P></P><P>You cannot use 2 interfaces at the same time connecting to the same subnet ( unless firewall is on transparent mode), so what you can do on this case will be to use redundant interfaces ( one will be up, the other one will be on stand-by) so you will provide more redundancy to your network witch I think is what you are looking for.</P><P></P><P>Regards,</P><P></P><P>Julio.</P></BODY></HTML> Mon, 09 Jan 2012 18:47:40 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853525#M489385 Julio Carvajal 2012-01-09T18:47:40Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853526#M489386 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/5/2/72251-Senario2.JPG" class="jive-image" />Hi Guys,</P><P>01.There are 4 wan links with different subnets ( ADSL,Internet Leased line, Customer 1,Custpmer-2)</P><P>02. All routers are connected via L2 switch to the firewall </P><P>03. The FW has 5 context licences (ASA5520)</P><P>04. FW is connected to the 2 coreswitches (Active and Stnby)</P><P></P><P> My requirement is,</P><P>01. Is it possible to remove the L2 switch in&nbsp; between the ASA and wan routers ( To avoid single point of failure)</P><P>02. If it can remove please advice how to config the ASA</P><P>03. How to config the ASA with contexts to route trafiic to the switches (Act/Stnby)</P><P></P><P>kawi</P><P></P><P>Message was edited by: KaWi</P></BODY></HTML> Wed, 11 Jan 2012 06:26:36 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853526#M489386 Kantha Wijesekara 2012-01-11T06:26:36Z https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853527#M489387 <HTML><HEAD></HEAD><BODY><P>Hello Kantha,</P><P></P><P>1-So basically the two&nbsp; routers are on the same broadcast domain than the ASA, the thing is that as soon as you remove the layer two switch you will need to use a separate interface to connect to each router, so then each interface will need to be on a different subnet ( let me know if that is possible).</P><P></P><P>2- So if you can set up that scenario ( 2 subnets) as you know the ASA does not support PBR but as you know the destination for the customer´s branchs we can do configure this:</P><P>Route outside1 branch1_network&nbsp; subnet_mask&nbsp; Router1_ipaddress</P><P>Route outside1 branch2_network&nbsp; subnet_mask&nbsp; Router1_ipaddress</P><P>Route outside2 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Router2_address</P><P></P><P>3-Regarding the context configuration:</P><P><A class="active_link" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml</A></P><P></P><P><A href="http://www.tech21century.com/cisco-asa-multiple-context-mode-%E2%80%93-configuring-virtual-firewalls-on-same-chassis/">http://www.tech21century.com/cisco-asa-multiple-context-mode-%E2%80%93-configuring-virtual-firewalls-on-same-chassis/</A></P><P></P><P>Rate if this post helps you.</P><P></P><P>Julio</P></BODY></HTML> Wed, 11 Jan 2012 06:38:30 GMT https://community.cisco.com/t5/network-security/single-firewall-with-2-core-switches/m-p/1853527#M489387 Julio Carvajal 2012-01-11T06:38:30Z