Firewall Redundancy

Hi All,

Hope you all are doing well.

 

Please help me with the below.

I have the below devices:

ASA 5525 (2 nos)

Cisco 2801 Router

Cisco 3560 SW (4 nos)

I have a very simple setup for my lab. I have one ISP connection terminated on my 2801 router, and from there I have connected one switch (3560) on which all user devices are connected.

I wanted to build a network with redundant ASAs. Please help me with a network diagram and configuration.

 

Regards

Sajid 


Re: Firewall Redundancy

Hello Sajid, I would place your ASAs behind your 2801 router and make them the gateways for your internal LANs. In brief, the diagram would be:

                         |ASA1|

|ISP|----|3560|-----|-----| ------ |3560|

                         |ASA2|

This is not the only solution. It can change depending on your ISP's configuration or how you want to treat your internal network.

Configuration on your primary unit, assuming you are using a single interface for failover (and that your failover interface is gi0/2):

failover lan unit primary

failover lan interface folink gi0/2

failover interface ip folink 192.168.0.1 255.255.255.252 standby 192.168.0.2

! the state link shares the failover link, so it reuses the folink name and needs no address of its own
failover link folink gi0/2

failover

On secondary:

failover lan interface folink gi0/2

! same address line as on the primary; the unit role decides which address each unit uses
failover interface ip folink 192.168.0.1 255.255.255.252 standby 192.168.0.2

failover lan unit secondary

failover
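
Added example, not part of the replies in this thread and not Cisco tooling: a small Python check that compares the failover stanzas of two units before they are paired. The sample configurations are constructed, and the rules it enforces (same link name and port on both units, the same `failover interface ip` line on both, standby address inside the link subnet, failover enabled) are this example's assumptions about a working pair.

```python
import ipaddress
import re
# Constructed sample configurations (not taken from a real device).
PRIMARY = """\
failover lan unit primary
failover lan interface folink gi0/2
failover link folink gi0/2
failover interface ip folink 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover
"""
SECONDARY_BAD = """\
failover lan unit secondary
failover lan interface folink gi0/3
failover interface ip folink 192.168.0.2 255.255.255.255 standby 192.168.0.1
"""
IP_RE = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)")

def parse(cfg):
    """Extract the failover settings from one unit's configuration text."""
    out = {"role": None, "lan": None, "ips": {}, "enabled": False}
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "failover":
            out["enabled"] = True
        elif line.startswith("failover lan unit "):
            out["role"] = line.split()[3]
        elif line.startswith("failover lan interface "):
            out["lan"] = tuple(line.split()[3:5])   # (link name, physical port)
        elif (m := IP_RE.fullmatch(line)):
            out["ips"][m[1]] = (m[2], m[3], m[4])   # active, mask, standby
    return out

def check_pair(cfg_a, cfg_b):
    """Return a list of problems that would stop the pair from forming."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        problems.append("units must be one primary and one secondary")
    if a["lan"] != b["lan"] or a["lan"] is None or len(a["lan"]) != 2:
        problems.append("failover lan interface differs or is incomplete")
    if a["ips"] != b["ips"]:
        problems.append("failover interface ip lines differ between units")
    for unit in (a, b):
        for name, (active, mask, standby) in unit["ips"].items():
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net or active == standby:
                problems.append(f"{name}: {standby} is not a peer of {active}/{mask}")
    if not (a["enabled"] and b["enabled"]):
        problems.append("failover is not enabled on both units")
    return problems
```

Calling `check_pair(PRIMARY, SECONDARY_BAD)` reports the mismatched port, the differing address line, the /32 mask that excludes the standby address, and the missing `failover` command.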


Re: Firewall Redundancy

Hi Socratesp,

Thanks for your prompt response.

I have attached a diagram as per your suggestion. Please check and reply if it's correct.

Regards

Sajid


Re: Firewall Redundancy

PFA


Re: Firewall Redundancy

Looks good. You can also use a single switch, with the two ports facing your 2801 router in a different VLAN.