02-10-2009 05:04 AM - edited 03-11-2019 07:48 AM
I have a network where I use two separate ISP connections at different locations within the same building. I would like to install an ASA 5520 on each connection, as we don't have any firewall at the moment. Some of my traffic from one segment to the other is going out externally. I would like to connect the two ASAs so that internal traffic is routed between them and not externally. Is that possible, or is there another way? Thank you.
02-10-2009 08:51 AM
You could set up a Layer 3 link using a /30 private address between both core switches so that you route your internal traffic between both switches. Each side would use its own ASA to route to the internet.
Let's say we have the following subnets:
Location A: 10.1.10.0/24
Location B: 10.1.20.0/24
=================================
Location A:
interface GigabitEthernet0/0
 no switchport
 description connecting to Location B G0/0
 ip address 10.2.2.1 255.255.255.252
!
ip route 10.1.20.0 255.255.255.0 10.2.2.2
ip route 0.0.0.0 0.0.0.0 10.1.10.254
! 10.1.10.254 is the ASA inside (internal) address
====================================
Location B:
interface GigabitEthernet0/0
 no switchport
 description connecting to Location A G0/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 10.1.10.0 255.255.255.0 10.2.2.1
ip route 0.0.0.0 0.0.0.0 10.1.20.254
! 10.1.20.254 is the ASA inside (internal) address
You could get fancy and set up EIGRP and IP SLA or PBR for Internet redundancy on each side, but that is another story.
Regards,
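To check that the two static-route tables above really keep Location A to Location B traffic on the core link and send only internet-bound traffic to each ASA, here is an added example (not from the original post) that models both tables and follows a packet's next-hops; the device labels, the 203.0.113.9 test destination and the `without_link` "before" state are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Static routes from the post, plus the connected LAN and /30 link on each core.
# Device labels (coreA, coreB, asaA, asaB) are chosen for this example only.
ROUTES = {
    "coreA": [
        (ip_network("10.1.10.0/24"), "connected"),
        (ip_network("10.2.2.0/30"), "connected"),
        (ip_network("10.1.20.0/24"), "10.2.2.2"),    # ip route to Location B
        (ip_network("0.0.0.0/0"), "10.1.10.254"),    # default to ASA inside
    ],
    "coreB": [
        (ip_network("10.1.20.0/24"), "connected"),
        (ip_network("10.2.2.0/30"), "connected"),
        (ip_network("10.1.10.0/24"), "10.2.2.1"),    # ip route to Location A
        (ip_network("0.0.0.0/0"), "10.1.20.254"),    # default to ASA inside
    ],
}
# Which device answers at each next-hop address (constructed for the example).
OWNER = {"10.2.2.1": "coreA", "10.2.2.2": "coreB",
         "10.1.10.254": "asaA", "10.1.20.254": "asaB"}

def lookup(table, dst):
    """Longest-prefix match, as the switch's forwarding table would do it."""
    hits = [(net, nh) for net, nh in table if dst in net]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(start, dst, tables=ROUTES, max_hops=8):
    """Follow next-hops from `start` until delivered, handed to an ASA, or looped."""
    dst, path, dev = ip_address(dst), [start], start
    for _ in range(max_hops):
        if dev.startswith("asa"):
            return path, "exits-via-asa"
        match = lookup(tables[dev], dst)
        if match is None:
            return path, "no-route"
        if match[1] == "connected":
            return path, "delivered"
        dev = OWNER[match[1]]
        if dev in path:
            return path + [dev], "loop"
        path.append(dev)
    return path, "loop"

def without_link(tables):
    """The 'before' state: no /30 link, so the inter-location routes disappear."""
    return {d: [r for r in t if not r[1].startswith("10.2.2.")
                and r[0] != ip_network("10.2.2.0/30")] for d, t in tables.items()}

def stays_internal(tables=ROUTES):
    """Both directions must be delivered over the core link, never via an ASA."""
    a_to_b = trace("coreA", "10.1.20.5", tables)
    b_to_a = trace("coreB", "10.1.10.5", tables)
    return a_to_b[1] == "delivered" and b_to_a[1] == "delivered"
```

Running `stays_internal()` on the tables as posted returns True, while the same check on `without_link(ROUTES)` returns False because the inter-location traffic falls through to the default route and leaves via the ASA.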
02-10-2009 06:29 AM
Since you are talking about two different locations, I will suggest setting up a site-to-site VPN.
Regards,
02-10-2009 07:36 AM
I understand, but the two different locations are within the same building. We are using different VLANs internally but some traffic goes the long way around externally. Our ISP, or gateway, provides us with two connections and some traffic travels through their network and back to us. Regards,
02-10-2009 07:40 AM
Could you please post your existing topology? If the locations are within the same building and are somewhat interconnected, you should be able to route all internal traffic without the use of the ASA. Though you still need your ASA for security purposes.
Regards,
02-10-2009 08:10 AM
Emmanuel,
Are those stacks interconnected via fiber? If not, you might need to interconnect the backbone (Layer 3) to keep your traffic internal. It looks like you will have to run fiber to interconnect the stack switches. If the fiber run is expensive, then a site-to-site VPN will do it.
02-10-2009 08:36 AM
Not at the moment, but I could connect them by fiber. What will be the best way of doing this? I am just worried about creating a loop.
02-10-2009 09:09 AM
Thank you very much for this; I will give it a go.
Regards,
02-10-2009 09:12 AM
Sure thing. Please rate if helpful :-)
Thank you!