Solved: Re: ASA & IPS - Page 2

estelamathew · ‎02-03-2011

Hello Dear's,

Please see the attached design and confirm, what i m thinking is correct and it is fully redundant.

Web Server NIC's are in active/standby mode

Full DMZ is in 1 subnet

IPS-1 and IPS-2 will be having inline interface pairing as per the diagram attached

If primary ASA fails,,the packets will be routed by DMZ-Switch-2 to Secondary ASA.

Packet flow will ------> web server----NIC-1-----switch-1----switch-2----secondary ASA

Thanks

Jennifer Halim · ‎02-07-2011

You are absolutely correct.

If you are using different switches, then there is no issue at all as long as the only way from the web server towards the ASA and vice versa is via the IPS.

estelamathew · ‎02-09-2011

Hello Dear's,

Inline pair IPS-1

gig0/0<------>gig0/1

gig0/2<------>gig0/3

Inline pair IPS-2

gig0/0<------>gig0/1

gig0/2<------>gig0/3

Please find the attched the previous topology and the current attached topology is not fully redundant, We missed the below conditions,

For previous topology,

IF ASA-SW1,IPS-2 and DMZ-SW-1 fails there is no connectivity (buisness down)

IF ASA-SW2,IPS-1 and DMZ-SW-2 fails there is no connectivity (buisness down)

In Current attached topology:

IF suppose ASA-SW1 and IPS-1 and DMZ-SW2 fails then there is no connectivity,(buisness down)

IF suppose ASA-SW2 and IPS-2 and DMZ-SW1 fails then there is no connectivity,(buisness down)

What can be the soluttion dears i dont think so we can do it by interface pairing,IF you'll have any ideas pls suggest,I have to try with inline vlan pairing i tried but i have some doubts,

For example IPS 4240,

I have configured gig0/0 as inline vlan pair for vlan 1 and vlan 2 and on the DMZ-SW1 i had configured trunk

what i shld configure on gig0/2,???? when i configure the same pair on gig0/2 it gives me error and i saw in user guide it is written that we should'nt configure same pair on more than 1 interface

Please please suggest .

estelamathew · ‎02-09-2011

Hello Jennifer/Paul

I need ur help on above questions,

PAUL GILBERT ARIAS · ‎02-10-2011

Estela one of the major concerns is that there is only one link between each switch and the ASA. If the link fails on the primary unit the traffic will fail. Let me analyze this in detail.

estelamathew · ‎02-10-2011

Hello paul,

Attached is the new design and answer me.the problem below

DMZ-SW1 all ports will be vlan 2 and 2 trunk port connecting to ASA-SW1 & ASA-SW2
DMZ-SW2 all ports will be in vlan 4 and 2 trunk port connecting to ASA-SW2 & ASA-SW1

Can we configure the redundant interface on ASA, 1 active interface will go to the ASA-SW1 on vlan 3 and another standby interface of active ASA to ASA-SW2 in vlan 5

PUT A SCENARIO WHEN ASA-SW2 ,IPS1 and DMZ-SW1 fails

Packet will come from DMZ-SW2 from vlan 4 and it will pass to IPS it will change to vlan 5 and do a arp request for ASA-interface ,the arp request will go to the ASA-SW1 also but it will not respond becz on ASA-SW1 the ASA interface is in vlan 3 the packet will be drop and standby interface of active ASA on ASA-SW2 is in vlan 5 which is already (ASA-SW2) down according to this scenario.

How the packet will reach ASA with full redundancy without any issues. I need a solution dears,,