Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
845
Views
0
Helpful
3
Replies

ASA Between Two Routers

Go to solution
Vishal Kolamkar
Level 1
Level 1

‎02-19-2017 06:08 AM - edited ‎03-12-2019 01:57 AM

Hi Team,

I am currently working on enterprise setup with ASA between two routed interfaces as below.

Since this is a new setup before presenting the setup diagram to management i have below doubts. Will this work or not, am i missing something?

Setup is as below

!

3850 Switch --- Po1------Bridge-----ETH1--ASA--ETH2--Bridge----Po1----ISR 4431

|--------------------------------------------------EIGRP-----------------------------------------------------|

!

3850 PO1 IP-  10.5.4.1 255.255.255.248

ISR 4431 PO1 IP- 10.5.4.2 255.255.255.248

Then i will build EIGRP between 3850 portchannel1 & 4431 portchannel1. Advertise subnets of 3850 to 4431.

So my question is will above setup work with EIGRP as planned?

Regards,

Vishal

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Vishal Kolamkar

‎02-19-2017 01:20 PM

For availability you need two ASAs. And then you have another pair of switches between the ASAs and the redundant (!) routers.

BTW: instead of placing an ASA inline the link, using an FirePOWER module inside the ISR could also be an option.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎02-19-2017 06:50 AM

You can operate the ASA in transparent mode so that you don't have an additional L3 hop on the ASA. I'm not sure what you intend to do with the port-channels and bridges in your setup. Is the router located in a different location than the switch? And why have the ASA in the middle and not located near the router or the switch?

0 Helpful

Go to solution
Vishal Kolamkar
Level 1
Level 1
In response to Karsten Iwen

‎02-19-2017 07:59 AM

This is indeed a design finalized by client. I have joined in the middle of project.

Yes its probably be the Ethernet interfaces between router & asa. I am thinking of using portchannels as there to avoid  as port failures which will result in break of connectivity.

3850 is collapsed Core where user vlan & SVI will be created. And EIGRP will run between 3850 & ISR 4431 which has connectivity to ISP. ASA will be placed between 3850 Collapsed Core & Uplink 4431 Router.

Thanks for helping me here. So will above setup work? If you have any additional thought to share it will be great.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Vishal Kolamkar

‎02-19-2017 01:20 PM

For availability you need two ASAs. And then you have another pair of switches between the ASAs and the redundant (!) routers.

BTW: instead of placing an ASA inline the link, using an FirePOWER module inside the ISR could also be an option.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card