Solved: Re: ASA & IPS

estelamathew · ‎02-03-2011

Hello Dear's,

Please see the attached design and confirm, what i m thinking is correct and it is fully redundant.

Web Server NIC's are in active/standby mode

Full DMZ is in 1 subnet

IPS-1 and IPS-2 will be having inline interface pairing as per the diagram attached

If primary ASA fails,,the packets will be routed by DMZ-Switch-2 to Secondary ASA.

Packet flow will ------> web server----NIC-1-----switch-1----switch-2----secondary ASA

Thanks

PAUL GILBERT ARIAS · ‎02-03-2011

I don't think that is a fully redundant design. If the cables marked as 3 or 4 fail the communication will get interrupted. There's got to be redundant links all over.

View solution in original post

Jennifer Halim · ‎02-03-2011

Unfortunately, ASA failover does not work in that fashion.

ASA can only have 1 active firewall at a given time, and the redundancy is provided when the ASA actually fails over from the active to the standby ASA when the failure actually occurs on the ASA firewall, not when other devices in the network fails

When the web server fails over and traffic is actually being routed towards the secondary standby ASA, the standby ASA will drop the packet because standby ASA does not route nor inspect any traffic. Within the ASA failover pair, there is only 1 active ASA at any given time as well as only 1 active IP Address. The ip address follows the active ASA firewall.

For example:

IP address of 10.1.1.1 is currently active on the primary ASA, and when primary fails over to the secondary ASA, secondary ASA becomes active and it resumes the ip address of 10.1.1.1. The standby ip address normally assigned to the standby ASA is only used for management purposes.

Hope that helps.

View solution in original post

Jennifer Halim · ‎02-04-2011

That looks perfect now. Just to confirm again that only the active ASA will be passing traffic, so traffic will always be routed to only the active ASA.

View solution in original post

PAUL GILBERT ARIAS · ‎02-04-2011

This new design doesn't seem as soo good as the one before. There are two week points. It will be better to have to cables for each ASA going to each switch. If you have an extra interface on each ASA you can configure redundant interfaces which will make two physical interfaces work as one that way you can cable two interfaces of each ASA going to each switch on VLAN 120.

Check the attachment.

View solution in original post

Jennifer Halim · ‎02-04-2011

This design looks fine to me.

As Paul has advised, you can further drill down on redundancy. It's just how far you would like to make the network redundant.

View solution in original post

PAUL GILBERT ARIAS · ‎02-04-2011

Here is the link for redundant interface:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838

I don't think you second design will cause issues.

View solution in original post

PAUL GILBERT ARIAS · ‎02-03-2011

I don't think that is a fully redundant design. If the cables marked as 3 or 4 fail the communication will get interrupted. There's got to be redundant links all over.

Jennifer Halim · ‎02-03-2011

Unfortunately, ASA failover does not work in that fashion.

ASA can only have 1 active firewall at a given time, and the redundancy is provided when the ASA actually fails over from the active to the standby ASA when the failure actually occurs on the ASA firewall, not when other devices in the network fails

When the web server fails over and traffic is actually being routed towards the secondary standby ASA, the standby ASA will drop the packet because standby ASA does not route nor inspect any traffic. Within the ASA failover pair, there is only 1 active ASA at any given time as well as only 1 active IP Address. The ip address follows the active ASA firewall.

For example:

IP address of 10.1.1.1 is currently active on the primary ASA, and when primary fails over to the secondary ASA, secondary ASA becomes active and it resumes the ip address of 10.1.1.1. The standby ip address normally assigned to the standby ASA is only used for management purposes.

Hope that helps.

estelamathew · ‎02-04-2011

Hello Experts,

You''ll are perfect.

Now chk the attached diagram and please confirm the routing & switching and redundancy are perfect,?? If not please suggest me according to ur expierience.

IPS-1 inline interface pair 1 and 3, 2 and 4

IPS-2 inline interface pair 1 and 3, 2 and 4.

Thanks,

Jennifer Halim · ‎02-04-2011

That looks perfect now. Just to confirm again that only the active ASA will be passing traffic, so traffic will always be routed to only the active ASA.

PAUL GILBERT ARIAS · ‎02-04-2011

now you got it.

estelamathew · ‎02-04-2011

Hello Dears,

Yes only 1 ASA will be active either ASA-1 or ASA-2,
I have prepared new design with 1 IPS in DMZ in which i will configure the inline vlan interface pair in IPS.

Please have a look at the attached,

PAUL GILBERT ARIAS · ‎02-04-2011

This new design doesn't seem as soo good as the one before. There are two week points. It will be better to have to cables for each ASA going to each switch. If you have an extra interface on each ASA you can configure redundant interfaces which will make two physical interfaces work as one that way you can cable two interfaces of each ASA going to each switch on VLAN 120.

Check the attachment.

estelamathew · ‎02-04-2011

Hello Experts,

I have prepared the 2nd design becz i may be runnng in shortage with 1 No's switch, According to ur redundant interface configuiration it is not possible becz i m running shortage of interface on ASA too. Can u link me any redundant interface configuration example on ASA.

Can u confirm me with 2nd design whether there will any issue with routing and swithching or redundancy. If u say about the redundant interface then in 1st design also i have only 1 interface going to 1 switch.

Thanks

PAUL GILBERT ARIAS · ‎02-04-2011

Here is the link for redundant interface:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838

I don't think you second design will cause issues.

Jennifer Halim · ‎02-04-2011

This design looks fine to me.

As Paul has advised, you can further drill down on redundancy. It's just how far you would like to make the network redundant.

estelamathew · ‎02-04-2011

Hello Dear's,

I have 1 doubt in my 2nd design,

If i m doing interface pairing insted of vlan pairing on IPS (Right side 100 and 200 from NIC B ) and (Left side 100 and 200 from NIC A), suppose if Active ASA fails still the packets from NIC B will flow to Active ASA (previous standby) without any issues.

The above query is about interface pairing in IPS, what i know abt interface pairing is ,, it is just forwarding packets to out interface of the pair.i.e (Right side vlan 200 on IPS from NIC B ).

Thanks

estelamathew · ‎02-05-2011

Hello, Jennifer/Paul

Waiting for ur last reply dear's,

Thanks

Jennifer Halim · ‎02-05-2011

There are 2 options in configuring IPS with interface pairing:

1) Connect each of the IPS interface to 2 different switches.

2) If you need to connect both IPS interfaces to 1 switch, you are correct, both needs to be in different VLAN, and the default gateway needs to be on the opposite VLAN.

For example:

Inside network: vlan 100 (10.10.10.0/24), eg: host A connects to vlan 100 with ip address of 10.10.10.5 and its default gateway is 10.10.10.1 (ASA inside interface).

ASA inside interface: vlan 200 (10.10.10.1)

IPS interface 1: vlan 100

IPS interface 2: vlan 200

Hope this answers your question.

estelamathew · ‎02-05-2011

Hello Jennifer,

Cool Explanation.......

I have attached new design with added 1 more switch with full redundant design, as client is running in stock of switches.

Jennifer if i m wrong please correct me , My each IPS pair is going on different switch so they can be in same vlan. If i m wrong then which interface will be in which vlan please guide.

IPS-1:

Pair 1 and 3 ( ASA-SW-1 and DMZ-SW-1)

Pair 2 and 4 (ASA-SW-1 and DMZ-SW-2)

IPS-2

Pair 1 and 3 ( ASA-SW-2 and DMZ-SW-1)

Pair 2 and 4 (ASA-SW-2 and DMZ-SW-2)