Cisco ASA 5525X - Two interfaces same subnet problem

Nicholas Beard
Level 1

Hi Folks,

I have a setup as follows -

2 x Cisco ASA 5525X Series firewalls in an Active/Standby pair

2 x Cisco 4948E Switches connected via 2 x TwinAx 10GbE cables (Layer 3)

There are approximately 100 VLANs (which must remain separate) being used in the access layer, therefore I am load balancing VLANs within the spanning tree between both the Cisco 4948E Distro switches (Odds and Evens).  I am trunking the access layer VLANs up to the Cisco 4948E switches using DOT1Q and utilising SVIs on the 4948s with HSRP for the gateways of each VLAN.  Both 4948E switches are connected via 2 x channeled 10GbE interfaces running at Layer 3.  The 4948E switches will then use Policy Based Routing for each VLAN to route traffic up to the Cisco ASA devices.

This is where my problem comes into play as I would like to connect the ASA devices as follows -

Cisco ASA#1 (Active Device) -

Two Redundant Interfaces for Inside#1 utilising Gi0/0 and Gi0/1 plugged into Cisco 4948E switch 1 (Called Redundant1)

Two Redundant Interfaces for Inside#2 utilising Gi0/2 and Gi0/3 plugged into Cisco 4948E switch 2 (Called Redundant2)

Each of these redundant interfaces will be setup to not pass traffic by removing the "nameif" command.  I will then subdivide these redundant interfaces into sub-interfaces using Dot1Q.  The reason I would like it physically setup in this manner is to route traffic up to the active ASA directly from both the 4948E switches rather than having the traffic traverse the 10GbE etherchannel layer 3 link.

However, I am aware that you cannot create two interfaces in the same subnet and the same VLAN.  See example below -

Int Redundant1.101
 ip address 10.101.1.254 255.255.255.0
 vlan 101

Int Redundant2.101
 ip address 10.101.1.253 255.255.255.0
 vlan 101

The above is NOT possible.

So what I really need to be able to achieve is the above physical connectivity, with the ability to route directly up to the Cisco ASA from both switches.  Is anybody aware of a method to achieve this utilising my current hardware?

Many Thanks

Nick

2 Replies

Hi Bro

For your requirement, make the link between the SW and FW Layer 3, not Layer 2. With this, you can enable PBR in your SW. This means source VLAN-A's next hop will be Redundant 1.1, while source VLAN-B's next hop will be Redundant 2.1.

Please note, Redundant 1.1 and Redundant 2.1 must have different network addresses and can never be the same, for routing purposes during the return path. Hence, many /30 subnets will fit in well in this scenario.

P.S.: if you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7

Hi Nicholas,

You have HSRP running between your core devices. You can have your Core A - ASA1 and Core B - ASA2.

In your core switch you need to have a separate VLAN to connect the uplink to the firewall, and as usual in the ASA you can have the primary and standby address configured, and in the core also you can have the VLAN with the HSRP IP configured.

But make sure that in your firewall you mention the static routes for each subnet pointing to the core device's HSRP address.

The other scenario is to make your ASAs standalone firewalls; in one firewall you need to have a route to Core A as primary and Core B as secondary, and in the other firewall vice versa, so that your traffic will get load balanced.

Please do rate if the given information helps.

By

Karthik
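
The following is an added worked example for the thread above, not configuration posted by Nick or either replier and not Cisco's own material. It generates the per-VLAN Layer 3 transit design that both replies point towards: a distinct transit subnet for every (switch, VLAN) pair, sub-interfaces on Redundant1 and Redundant2 that never share a subnet, PBR on each 4948E that sends a VLAN's traffic straight to the active ASA over that switch's own link, and a primary plus floating backup route on the ASA back to the access subnets. Everything it assumes is marked in the code and is not from the thread: the transit pool 10.255.0.0/16, a transit VLAN tag of 1000 + access VLAN (the transit VLAN on the switch cannot reuse the access VLAN number), four constructed access VLANs standing in for the ~100 real ones, and /29 rather than /30 transits, because an Active/Standby failover pair needs a third address on every link for the standby unit's interface.

```python
"""Per-VLAN Layer 3 transit links between a 4948E pair and an ASA failover pair.

Added example for this thread, not configuration from the poster or from Cisco.
Assumed (not in the thread): transit pool 10.255.0.0/16, transit VLAN tag
1000 + access VLAN, and the four constructed access VLANs below.
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple

Link = Tuple[int, int]  # (switch number, access VLAN)

# Constructed sample of the ~100 access VLANs; the thread only shows VLAN 101.
ACCESS_VLANS: Dict[int, str] = {
    101: "10.101.1.0/24", 102: "10.102.1.0/24",
    103: "10.103.1.0/24", 104: "10.104.1.0/24",
}
TRANSIT_POOL = ipaddress.ip_network("10.255.0.0/16")  # assumed pool, not from the thread
REDUNDANT_IF = {1: "Redundant1", 2: "Redundant2"}    # Redundant1 -> switch 1, as in the question
ASA_MEMBERS = {1: ("GigabitEthernet0/0", "GigabitEthernet0/1"),
               2: ("GigabitEthernet0/2", "GigabitEthernet0/3")}


def home_switch(vlan: int) -> int:
    """Odds/evens plan from the question: odd VLANs live on switch 1, even on switch 2."""
    return 1 if vlan % 2 else 2


def transit_vlan(vlan: int) -> int:
    """Switch-side tag for the transit SVI; it must differ from the access VLAN itself."""
    return 1000 + vlan


def allocate_transits(vlans) -> Dict[Link, ipaddress.IPv4Network]:
    """One /29 per (switch, VLAN): .1 ASA active, .2 ASA standby, .3 switch SVI.
    A /30 has no room for the standby unit of an Active/Standby pair."""
    pool: Iterator[ipaddress.IPv4Network] = TRANSIT_POOL.subnets(new_prefix=29)
    return {(sw, vlan): next(pool) for vlan in sorted(vlans) for sw in (1, 2)}


def overlapping_links(alloc: Dict[Link, ipaddress.IPv4Network]) -> List[Tuple[Link, Link]]:
    """The constraint from the question: no two ASA interfaces may share a subnet."""
    items = list(alloc.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def asa_config(alloc, access: Dict[int, str]) -> str:
    """ASA side: parent redundant interfaces without nameif, one sub-interface per
    transit link, and a primary plus floating backup route for every access subnet."""
    lines: List[str] = []
    for sw, parent in REDUNDANT_IF.items():
        lines += [f"interface {parent}"] + [f" member-interface {m}" for m in ASA_MEMBERS[sw]]
        lines += [" no nameif", "!"]  # the parent carries no traffic; sub-interfaces do
    for (sw, vlan), net in sorted(alloc.items()):
        active, standby, _ = list(net.hosts())[:3]
        tag = transit_vlan(vlan)
        lines += [f"interface {REDUNDANT_IF[sw]}.{tag}", f" vlan {tag}",
                  f" nameif inside-sw{sw}-v{vlan}", " security-level 100",
                  f" ip address {active} {net.netmask} standby {standby}", "!"]
    for vlan, cidr in sorted(access.items()):
        dst = ipaddress.ip_network(cidr)
        for sw in (1, 2):
            gw = list(alloc[(sw, vlan)].hosts())[2]  # the switch SVI on that link
            metric = 1 if sw == home_switch(vlan) else 254  # backup via the other switch
            lines.append(f"route inside-sw{sw}-v{vlan} {dst.network_address} "
                         f"{dst.netmask} {gw} {metric}")
    return "\n".join(lines)


def switch_config(sw: int, alloc, access: Dict[int, str]) -> str:
    """4948E side: a transit SVI per VLAN plus PBR that sends that VLAN's traffic
    straight to the active ASA over this switch's own link (no 10GbE L3 hop)."""
    lines: List[str] = []
    for vlan, cidr in sorted(access.items()):
        net, src, tag = alloc[(sw, vlan)], ipaddress.ip_network(cidr), transit_vlan(vlan)
        asa_active, _, svi = list(net.hosts())[:3]
        lines += [f"vlan {tag}", f"interface Vlan{tag}",
                  f" description transit to ASA for access VLAN {vlan}",
                  f" ip address {svi} {net.netmask}", "!",
                  f"ip access-list extended PBR-V{vlan}",
                  f" permit ip {src.network_address} {src.hostmask} any",
                  f"route-map TO-ASA-V{vlan} permit 10",
                  f" match ip address PBR-V{vlan}",
                  f" set ip next-hop {asa_active}",
                  f"interface Vlan{vlan}", f" ip policy route-map TO-ASA-V{vlan}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    links = allocate_transits(ACCESS_VLANS)
    assert not overlapping_links(links)
    print(asa_config(links, ACCESS_VLANS))
    for n in (1, 2):
        print(f"! ---- switch {n} ----\n{switch_config(n, links, ACCESS_VLANS)}")
```

Two points worth keeping in mind when using output like this. Every sub-interface is created at security-level 100, and the ASA denies traffic between interfaces of the same security level unless `same-security-traffic permit inter-interface` is configured, which is the behaviour wanted here given that the VLANs must remain separate. The switch ports towards both the active and the standby ASA members must trunk the same transit VLANs, since a failover pair needs each unit's interface on the same subnet; and because plain `set ip next-hop` does not check that the next hop is alive, it is worth looking at IOS PBR next-hop verification with object tracking so a failed ASA link does not blackhole a VLAN.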
