Configure the Firewall Cisco ASA 5510

sanjeevmahadani
Level 1

Hi,

Can someone help me to configure the firewall Cisco ASA5510 in HA mode?

Enclosed Network diagram.


14 Replies

Jennifer Halim
Cisco Employee

Here is a sample configuration to assist with failover configuration (Active/Standby):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope that helps.

Thanks Jennifer,

I have done this successfully. I also need to configure the firewall interfaces: I need to put some IPs on outside/inside, and we have to create a DMZ as well. I need help on routing too. I'd appreciate it.

failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2

-------------------------

failover
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2

Reg

Sanjeev

To configure the inside, outside and dmz interfaces you just have to configure 2 ip addresses.

E.g.:

interface e0/0
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.x standby x.x.x.y
  no shut
interface e0/1
  nameif inside
  security-level 100
  ip address a.a.a.a 255.255.255.x standby a.a.a.b
  no shut
interface e0/2
  nameif dmz
  security-level 50
  ip address c.c.c.c 255.255.255.x standby c.c.c.d
  no shut

route outside 0.0.0.0 0.0.0.0 x.x.x.z

Hi Jen,

I have applied the same and it is working. Clients are asking to configure it like below, as per the enclosed diagram.

Routers and firewalls

    Link 1 : 172.16.1.0 255.255.255.252 ----- Outside int for Data on E0/0
    Link 2 : 172.16.2.0 255.255.255.252 ----- Outside int for Voice on E0/3
    DMZ    : 10.28.63.33 255.255.255.240 standby 10.28.63.34 E0/2 with Vlan 100
    Inside : 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with Vlan 102

On ASA Firewall:

  1) Inside ip addresses pointing towards core switch for LAN network
  2) MPLS Data connectivity destinations pointing towards MPLS Link1
  3) DMZ destinations pointing towards DMZ
  4) MPLS Voice connectivity destinations pointing towards MPLS Link2

My confusion is about routes: how do I add routes for all of them?

Regards

Sanjeev

What subnets are behind each of the interfaces, and what is the next hop for each interface?

Once you provide that information, I can assist with the route statements.

Hi Jen,

Below are a few more details. Please refer to the enclosed diagram.

VLAN                   Firewall ip / Ports     VLAN ID  VLAN Name   Gateways     IP range             Subnet mask      Network
Management             -                       2        Management  10.28.63.14  10.28.63.1 - 63.14   255.255.255.240  10.28.63.0/28
Security VLAN          Inside 10.28.63.17/18   102      Security    10.28.63.30  10.28.63.17 - 63.30  255.255.255.240  10.28.63.16/28
DMZ to Firewall        TECHM 10.28.63.33/34    100      DMZ         10.28.63.46  10.28.63.33 - 63.46  255.255.255.240  10.28.63.32/28
DMZ to DMPLS router 1  L3 connectivity         -        -           -            10.28.63.49 - 63.50  255.255.255.252  10.28.63.48/30
DMZ to DMPLS router 2  L3 connectivity         -        -           -            10.28.63.53 - 63.54  255.255.255.252  10.28.63.52/30

Remark               Vlan ID  Vlan IP        Subnet Mask    Subnet          Vlan Name
Agent VLAN1 on Core  104      172.22.15.254  255.255.255.0  172.22.15.0/24  Agent 1 Vlan
Agent Vlan2 on Core  105      172.22.16.254  255.255.255.0  172.22.16.0/24  Agent 2 Vlan

Routers and firewalls

    Link 1 : 172.16.1.0 255.255.255.252 ----- Outside int for Data on E0/0
    Link 2 : 172.16.2.0 255.255.255.252 ----- Outside int for Voice on E0/3
    DMZ    : 10.28.63.33 255.255.255.240 standby 10.28.63.34 E0/2 with Vlan 100
    Inside : 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with Vlan 102

Management IP for Core: 10.28.63.14
Management IP for C-DMZ: 10.28.63.10
Management IP for Access Switch: 10.28.63.11
Firewall Primary LAN IP: 10.28.63.17
Firewall Secondary LAN IP: 10.28.63.18
Firewall Primary DMZ IP: 10.28.63.33
Firewall Secondary DMZ IP: 10.28.63.34

Hmm, I am confused. Your diagram above does not correlate to your previous post.

Can you share your ASA configuration? I assume that you have configured all the interfaces?

Also, you haven't specified which networks/subnets are behind each of the ASA interfaces.

Still not configured; I will try with the below...

interface Ethernet0/0
 description Outside_Data
 nameif outside
 security-level 0
 ip address standby
!
interface Ethernet0/1
 description Inside LAN Interface
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.102
 description Inside LAN Interface
 vlan 102
 nameif INSIDE
 security-level 100
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
 no shut
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shut
!
interface Ethernet0/2.100
 description CDMZ
 vlan 100
 nameif CDMZ
 security-level 50
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
 no shut
 exit
!
interface Ethernet0/3
 description Outside Voice
 nameif Outside_Voice
 security-level 0
 ip address standby
!
interface Management0/0
 description LAN/STATE Failover Interface

OK, looking good so far with the interface configuration.

Hi Jen,

My confusion is how to put routes and how many routes I need to add, and whether I need to add PAT also.

Sanjeev

It depends on how you would like to route those networks behind each interface.

Initially, you would need a default route for the Outside interface.

route outside 0.0.0.0 0.0.0.0

Does your voice network need to reach the internet, or is it internal only?

Actually I have two links towards outside, one for Data and another for Voice, with the IPs given below.

Routers and firewalls

    Link 1 : 172.16.1.0 255.255.255.252 (Don't have standby IP, will arrange shortly)
    Link 2 : (not yet in production) 172.16.2.0 255.255.255.252 (Don't have standby IP, will arrange shortly)

For INSIDE: ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18 255.255.255.240 with vlan 102 and gateway 10.28.63.30

For DMZ: ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34 with vlan 100 and gateway 10.28.63.46 255.255.255.240

So I have a config like below. Please suggest the best approach.

TechMFWPRIM(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname TechMFWPRIM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Outside Airtel_Data
 nameif Outside_Data
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
 description Inside Airtel LAN Interface
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.102
 description Inside Airtel LAN Interface
 vlan 102
 nameif INSIDE
 security-level 100
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 description CDMZ
 vlan 100
 nameif CDMZ
 security-level 50
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
interface Ethernet0/3
 description Outside_Voice
 nameif Outside_Voice
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
interface Management0/0
 description LAN Failover Interface
!
ftp mode passive
pager lines 24
logging asdm informational
mtu Outside_Data 1500
mtu INSIDE 1500
mtu CDMZ 1500
mtu Outside_Voice 1500
failover
failover lan unit primary
failover lan interface HA-SYNC Management0/0
failover replication http
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
route Outside_Voice 0.0.0.0 0.0.0.0 172.16.2.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.28.0.0 255.255.255.240 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username TIMFW password c.6Nu5hdpSeNFjvS encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:39242421493f5e1e7e9039247fa4ac00
: end
TechMFWPRIM(config)#

Please kindly be advised that you can't have 2 default routes on an ASA firewall. Hence you can't have 2 Outside interfaces that will be connected to the Internet.

You would need to share your Outside Data and Outside Voice as one interface.
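The two recurring points in this thread, every failover-monitored interface needing a standby address on the same subnet and each static route's next hop having to sit on the subnet of the interface it is bound to, can be checked mechanically before a config is pushed. The script below is an added example and not Cisco tooling; it parses a constructed excerpt modelled on the running-config posted above (the CDMZ route is given the inside gateway as next hop on purpose) and assumes, as ASA output does, that each nameif line precedes that interface's ip address line.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-config and route lines in this
# thread; the CDMZ route deliberately uses the inside gateway as next hop.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside_Data
 ip address 172.16.1.2 255.255.255.252
interface Ethernet0/1.102
 nameif INSIDE
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
interface Ethernet0/2.100
 nameif CDMZ
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
interface Ethernet0/3
 nameif Outside_Voice
 ip address 172.16.2.2 255.255.255.252
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
route Outside_Voice 0.0.0.0 0.0.0.0 172.16.2.1 2
route INSIDE 172.22.15.0 255.255.255.0 10.28.63.30 1
route CDMZ 10.28.63.48 255.255.255.252 10.28.63.30 1
"""
IP_RE = re.compile(r"ip address (\S+) (\S+)(?: standby (\S+))?")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")

def parse_config(text):
    # Returns ({nameif: (connected network, standby IP or None)}, [routes]).
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            cur = s.split()[1]  # the next "ip address" belongs to this nameif
        elif cur and (m := IP_RE.match(s)):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            ifaces[cur] = (net, m[3])
        elif m := ROUTE_RE.match(s):
            dest = ipaddress.ip_network(f"{m[2]}/{m[3]}")
            routes.append((m[1], dest, ipaddress.ip_address(m[4])))
    return ifaces, routes

def audit(text):
    # Returns the failover and routing problems a reviewer would flag.
    ifaces, routes = parse_config(text)
    issues = []
    for name, (net, standby) in ifaces.items():
        if standby is None:
            issues.append(f"{name}: no standby IP, so failover cannot monitor it")
    for name, dest, nh in routes:  # a static next hop must be directly connected
        if name not in ifaces or nh not in ifaces[name][0]:
            issues.append(f"route {dest}: next hop {nh} not on {name}")
    if sum(d.prefixlen == 0 for _, d, _ in routes) > 1:
        issues.append("more than one default route configured")
    return issues
```

Running audit(SAMPLE_CONFIG) flags both outside interfaces for the missing standby addresses, the misplaced CDMZ next hop and the pair of default routes.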

Hi Jen,

I am unable to understand; could you please suggest an example, or make the amendment to my configuration, so this can be done with your kind help.

Reg

Sanjeev
