Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3283
Views
55
Helpful
19
Replies

Two Firewall to One router

Go to solution
hithere
Level 1
Level 1

‎12-15-2022 09:11 AM

Hello everyone! 

I think that i'm really newbie and in  view of that I have a problem im not able to resolve.

I have two firewall working in active/passive mode, and only one router with only L3 interfaces. 

How to configure two interfaces with the same ip addrese? 

I found out that there is somethink like "interface backup" and it's works but with restriction, i mean only when phisical interface go down, then the backup interface go up. 

 

is there any way to do it?  

Labels:
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎12-16-2022 03:35 PM

Backup interface is a create alternative, but I believe it is not a good solution for the requirements of the original post. Depending on the platform (and perhaps depending on version of code) you might want to look at Concurrent Routing and Bridging. In CRB you enable bridging on the router, each of the physical interfaces does not have an ip address and is configured with a bridge group. A Bridged Virtual Interface is configured to logically connect the physical interfaces and the BVI is configured with the single IP address that is shared by both physical interfaces.

HTH

Rick

View solution in original post

Go to solution
MHM Cisco World
VIP
VIP
In response to hithere

‎12-17-2022 06:59 AM

Screenshot (107).pngScreenshot (108).png

I run lab and config BDI and BVI in R1 and config ASA HA and you can see that both interface is normal.

note:- this is only lab for real network you can see same or different behaviour.

if you have Q please ask before apply config 

View solution in original post

0 Helpful
19 Replies 19

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-15-2022 12:12 PM

How to configure two interfaces with the same ip address?   - why do you need duplicated address to be configured ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
hithere
Level 1
Level 1
In response to balaji.bandi

‎12-15-2022 08:19 PM

I,ve got only /30 range. On firewalls eg. 10.10.10.1 one the both same address and on router 10.10.10.2. Backup interface on router is okay but only when phisical link is down, but for eg. When I update and reload active firewall, the passive is going to active state but link on the 1st one  is still UP in view of the fact that they are a VM’s on esxi.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to hithere

‎12-16-2022 05:46 AM

before i can suggest any better, do you have any rough network diagram with the devices shows model and Firewall in the picture with IP information you looking to do please.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎12-15-2022 01:17 PM

You need L2SW connect both FW and connect router. this give you the choose of assign IP to FW and router.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎12-16-2022 05:53 AM

friend for FW HA you need L2SW connect both FW and connect router. 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎12-16-2022 03:35 PM

Backup interface is a create alternative, but I believe it is not a good solution for the requirements of the original post. Depending on the platform (and perhaps depending on version of code) you might want to look at Concurrent Routing and Bridging. In CRB you enable bridging on the router, each of the physical interfaces does not have an ip address and is configured with a bridge group. A Bridged Virtual Interface is configured to logically connect the physical interfaces and the BVI is configured with the single IP address that is shared by both physical interfaces.

HTH

Rick

Go to solution
hithere
Level 1
Level 1
In response to Richard Burts

‎12-17-2022 01:17 AM

exactly, i think this is a solution that I’m looking for. As a router I’m using ISR 4451 with the newest OS. 
so I think that I have to read smth about bvi. Is the configuration compliacated? 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to hithere

‎12-17-2022 03:48 AM

@Richard Burts suggest is accept even if give use one point of failure, I will test this config today and see if FW work with BVI. 
@hithere I will inform you later update about lab.

Go to solution
hithere
Level 1
Level 1
In response to MHM Cisco World

‎12-17-2022 04:52 AM

Really appreciate that, thanks. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to hithere

‎12-17-2022 06:59 AM

Screenshot (107).pngScreenshot (108).png

I run lab and config BDI and BVI in R1 and config ASA HA and you can see that both interface is normal.

note:- this is only lab for real network you can see same or different behaviour.

if you have Q please ask before apply config 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎12-17-2022 07:39 AM

In looking at my response I realize that I should have suggested IRB (Integrated Routing and Bridging) rather than CRB (Concurrent Routing and Bridging). They are similar and IRB is newer and better than CRB.

The original poster asks " Is the configuration compliacated? ". I would say that the configuration is not particularly complicated. But I would perhaps not say that the config is entirely simple. The example posted by @MHM Cisco World  is pretty good and shows enabling bridging and configuring the BVI interface. It does not show enabling bridging on the physical interface, or the command to enable IRB (or CRB). So perhaps we might say it is somewhere in between simple and complicated

HTH

Rick

Go to solution
MHM Cisco World
VIP
VIP
In response to Richard Burts

‎12-17-2022 07:45 AM

I get your point, I know you mean IRB not CRB.
for my lab I enable bridge under the interface toward both FW, but I dont take screenshot I will take one and attach to my previous post. 

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎12-17-2022 08:39 AM

Yes reading your post I recognized that you were configuring IRB not CRB and that I should correct my initial suggestion.

Adding screen shots of the bridge group on the interfaces and the bridge irb command will make it a better example.

HTH

Rick

Go to solution
MHM Cisco World
VIP
VIP
In response to Richard Burts

‎12-17-2022 08:41 AM

I will add later today 
and you are so so welcome 

0 Helpful
Customers Also Viewed These Support Documents