12-19-2013 02:05 AM - edited 03-11-2019 08:20 PM
Hi,
As per the attached diagram, the ASA outside interfaces don’t have L2 connectivity between the ASAs, and the cable between the ASA outside routers has a completely different network. That’s the reason we cannot successfully PING the standby device’s outside interface but are able to PING the standby device’s inside interface.
To resolve this issue, instead of introducing new hardware (a ROUTER with a SWITCH MODULE, or an L2 switch between the outside interfaces), please advise whether the solution below will be helpful:
IRB bridging, used on the router interfaces connecting to each other as well as on the router interfaces connecting to the firewall, together with a BVI, to create both a logical Layer 2 path between firewalls and routers (Bridge Group) and an escape path from 192.168.1.0/28 towards other Layer 3 domains (BVI interface).
However, I have a few queries from a break-fix perspective, as below:
1) Does the IRB/BVI combo forward whatever Layer 2 packets the ASAs use to speak to each other?
a. i.e. just because the IRB forwards HSRP doesn’t mean it forwards <ASA Failover Protocol>
2) If it works, do we need/bother with the 10.10.20.1/30 routed link, or leave it configured without an IP address and just a member of the IRB (i.e. it just becomes a “Layer 2 forwarding” interface)?
3) Is there a better way of doing this/is using a “Bridged HSRP Address”
12-19-2013 04:20 AM