Single firewall with 2 core switches

Hi All

Following is my requirement. Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches sit in an Active/Standby scenario. If the Active core goes down, the Standby core will have to take over the traffic. Please advise whether my design is correct; if not, suggest what I need to change. The ASA is a 5520. Please help me to find a suitable sample configuration for this scenario.

Thanks

8 Replies

rizwanr74
Level 7

Is ASA5520 on Failover mode as well?

Or do you have two separate interfaces connected to the Active switch and the Standby switch on different security levels?

Hi rizwanr74,

Thanks for the urgent reply. The ASA is not in failover mode. Yes, the ASA should have two separate interfaces connected to both core switches. (Sorry, it's not shown on the diagram.)

Kawi

Hi guys,

Please help...

Hello Kantha,

On the WAN side I do not see any issues, as you will send all internet traffic over one router and then the connections to the other sites via another router. PBR is not supported on the ASA, but you will be able to accomplish this particular scenario.

Now on the LAN side, the ASA 5520 needs to have each interface attached to a different subnet; in this case you would have two interfaces going to 2 different switches on the same subnet, which you cannot do. I think what you could do is to have redundant interfaces.

Here is one example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1009432

Please rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio.

Kindly explain the LAN side, which is not clear to me. How do I segment the LAN for different subnets?

KAWI

Hello Kantha,

You cannot use 2 interfaces at the same time connecting to the same subnet (unless the firewall is in transparent mode), so what you can do in this case is to use redundant interfaces (one will be up, the other one will be on standby), so you will provide more redundancy to your network, which I think is what you are looking for.

Regards,

Julio.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Guys,

01. There are 4 WAN links with different subnets (ADSL, Internet leased line, Customer-1, Customer-2)

02. All routers are connected via an L2 switch to the firewall

03. The FW has 5 context licences (ASA5520)

04. The FW is connected to the 2 core switches (Active and Standby)

My requirement is,

01. Is it possible to remove the L2 switch between the ASA and the WAN routers (to avoid a single point of failure)?

02. If it can be removed, please advise how to configure the ASA

03. How to configure the ASA with contexts to route traffic to the switches (Act/Stnby)

kawi

Hello Kantha,

1- So basically the two routers are on the same broadcast domain as the ASA. The thing is that as soon as you remove the layer two switch you will need to use a separate interface to connect to each router, so each interface will need to be on a different subnet (let me know if that is possible).

2- So if you can set up that scenario (2 subnets), as you know the ASA does not support PBR, but since you know the destinations for the customer's branches we can configure this:

route outside1 branch1_network subnet_mask Router1_ipaddress

route outside1 branch2_network subnet_mask Router1_ipaddress

route outside2 0.0.0.0 0.0.0.0 Router2_address

3-Regarding the context configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

http://www.tech21century.com/cisco-asa-multiple-context-mode-%E2%80%93-configuring-virtual-firewalls-on-same-chassis/

Rate if this post helps you.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
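Putting Julio's two suggestions together (a redundant inside interface toward the two core switches, and specific static routes instead of PBR on the WAN side) as an added example that is not part of the original thread or of any Cisco document. The interface names, the 10.1.1.0/24 inside subnet, the 10.10.0.0/16 branch summary and the documentation-range WAN addresses are assumptions, and the example assumes single context mode, since in multiple context mode the redundant interface is defined in the system execution space and then allocated to a context.

```text
! Assumed ASA 8.2 single-context configuration (added example, not from the thread)
! LAN side: one logical interface, two physical members, one per core switch.
! Only the active member passes traffic; the other takes over on link loss.
! Member interfaces must carry no nameif/ip address of their own.
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/3
 no shutdown
!
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! WAN side: one interface per router, each on its own subnet (assumed addresses).
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! No PBR on the ASA: steer known branch prefixes to Router1 with specific routes,
! and everything else (Internet) to Router2 with the default route.
route outside1 10.10.0.0 255.255.0.0 192.0.2.1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1
```

After applying it, `show interface Redundant1` shows which member is currently active, which is the check to run when testing a core switch failover; note that the redundant pair only reacts to the link going down, so a core that stays up but stops forwarding is not detected by the ASA itself.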