791 Views, 0 Helpful, 3 Replies

ASA5510 FAILOVER

mustafa.s.raza
Level 1

Guys,

The client is only interested in having one WAN (MPLS) and one internet circuit with a dual ASA5510 primary/failover configuration. In the event the primary firewall fails, there is no direct WAN/internet connection to the failover firewall. I believed that to mitigate the issue, I needed to add a layer 3 switch and have each circuit (MPLS/Internet) or (modems/routers) connect to an L3 switch. The L3 switch will do the VLAN-based routing based on the state of the firewall. Am I correct? The client wants automatic failover to the secondary firewall in the event the actual firewall fails, without impacting the day-to-day business. Any help will be greatly appreciated.

Thanks

3 Replies

Jon Marshall
Hall of Fame

If I understand correctly then no, you don't need an L3 switch; an L2 switch would do fine as long as the MPLS and internet routers could be in the same subnet on their inside interfaces, i.e.

R1 (MPLS)              R2 (internet)
192.168.5.3            192.168.5.4
          \            /
            L2 switch
         VIP 192.168.5.1
          /            \
192.168.5.5            192.168.5.6
ASA1                   ASA2

Apologies for the poor diagram, but hopefully you get the picture.

On the ASA you would then have a default route pointing to 192.168.5.4 for the internet and then more specific routes for the remote sites via MPLS.

However, you may not be able to assign both routers' internal interfaces to the same subnet, in which case yes, you would need an L3 switch.

Advantages/disadvantages - well, with an L3 device in theory it would be possible to bypass the firewall, i.e. route directly between the internet and a remote MPLS site, although this could be mitigated with ACLs on the L3 VLAN interfaces.

With an L2 switch you could bypass the firewall. The MPLS and internet traffic would end up on the same common VLAN, but this is not that unusual and they still only have the firewall to go to if they want to route anywhere else.

Obviously, whichever setup you choose, you need to lock down the switch, i.e. restrict access to internal use only, use SSH, don't use VLAN 1, etc.

Jon
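As an added example (not from the thread, and not Cisco's own documentation), here is what the ASA side of Jon's single-subnet design looks like: active/standby failover between the two 5510s, one outside interface on the common VLAN using the 192.168.5.x addresses from his diagram, a default route to the internet router and a more specific route to the MPLS router. The failover-link addressing (172.16.255.0/30), the inside subnet (10.1.1.0/24), the remote-site range (10.10.0.0/16) and the shared-secret placeholder are all assumed values.

```cisco
! Added example, not from the thread. 192.168.5.x addresses are from Jon's diagram;
! 172.16.255.0/30, 10.1.1.0/24 and 10.10.0.0/16 are constructed placeholders.
hostname ASA1
!
! --- Active/standby failover. Same lines on the secondary unit except
! --- "failover lan unit secondary"; everything else replicates from the primary.
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover key <shared-secret-placeholder>
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
!
interface Ethernet0/3
 description Failover and stateful link to ASA2
 no shutdown
!
! --- One outside interface on the VLAN shared by the MPLS and internet routers.
! --- The active unit holds .5, the standby unit holds .6; they swap on failover.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
!
! --- Fail over when a monitored interface loses its link, not only when the unit dies
monitor-interface outside
monitor-interface inside
!
! --- Default route to the internet router; more specific routes to remote sites via MPLS
route outside 0.0.0.0 0.0.0.0 192.168.5.4 1
route outside 10.10.0.0 255.255.0.0 192.168.5.3 1
!
! --- Management lockdown: SSHv2 only, only from the inside LAN, no ASDM/HTTP listener
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
no http server enable
```

Because both units plug into the same L2 switch, the standby unit already has a path to both routers, so the only thing that changes on failover is which unit answers for 192.168.5.5. The `monitor-interface` lines matter for the original question: without them the pair fails over on unit failure but not when the active unit's outside link drops.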

Excellent explanation. That's what I was looking for, because the client will terminate both WAN/internet circuits into one firewall.

One question though... why do I want to assign the internal interface to the same subnet? And why would it not be possible?

Thanks a lot for your help

Actually, you wouldn't necessarily need the same subnet, to be honest. If you wanted, you could have two outside interfaces, either physical interfaces (preferable) or subinterfaces on the same physical interface.

Jon
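As an added example (not from the thread), here is the subinterface variant Jon mentions, together with the matching Catalyst switch configuration that applies his earlier lockdown advice (restrict management to internal use, SSH, stay off VLAN 1). The failover configuration is the same as for the single-subnet design and is not repeated. VLAN IDs 10, 20 and 999, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the 10.1.1.0/24 management range, the 10.10.0.0/16 remote-site range and the switch port numbers are all constructed.

```cisco
! Added example, not from the thread. All VLAN ids, subnets and port numbers are constructed.
!
! ===== ASA: two outside subinterfaces on one physical port =====
interface Ethernet0/0
 description 802.1Q trunk to the switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.10
 vlan 10
 nameif outside-inet
 security-level 0
 ip address 192.168.10.5 255.255.255.0 standby 192.168.10.6
!
interface Ethernet0/0.20
 vlan 20
 nameif outside-mpls
 security-level 0
 ip address 192.168.20.5 255.255.255.0 standby 192.168.20.6
!
monitor-interface outside-inet
monitor-interface outside-mpls
!
route outside-inet 0.0.0.0 0.0.0.0 192.168.10.4 1
route outside-mpls 10.10.0.0 255.255.0.0 192.168.20.3 1
!
! Both outside interfaces sit at security-level 0. The ASA denies traffic between
! same-level interfaces by default, so leave "same-security-traffic permit
! inter-interface" unset and the internet cannot be routed straight into MPLS.
!
! ===== Catalyst (IOS) switch: separate VLANs per circuit, hardened management =====
vlan 10
 name INTERNET-EDGE
vlan 20
 name MPLS-EDGE
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Trunk to ASA Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/2
 description Internet router inside interface
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description MPLS router inside interface
 switchport mode access
 switchport access vlan 20
!
! VLAN 1 stays unused; management only over SSHv2 from the inside LAN
interface Vlan1
 shutdown
ip ssh version 2
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT in
```

The unused native VLAN on the trunk keeps untagged frames from landing in either edge VLAN, and restricting the trunk to VLANs 10 and 20 means the only path between the internet router and the MPLS router is through the ASA. On IOS, `ip ssh version 2` needs an RSA key pair generated first (`crypto key generate rsa`) and a hostname and domain name set.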
