Solved: You can also configure it the

craig5258 · ‎02-03-2017

Hi,

We have a primary SIP trunk for internet with a backup EFM circuit. Both lines terminate in a seperate ISP-managed router. The customer-side interfaces of both routers need to be connected on the same physical segment for HSRP failover (i.e. the outside interface of the ASA, the HSRP interface and the inside interface of the 2 ISP routers are all on the same subnet).

I've currently got a 1Gig mini-switch sitting between the ISP routers and the ASA but I don't like having this additional point of failure and potential bottleneck.

Is there a better way to do it? Can an ASA support direct connection to the ISP routers and have 2 interfaces on the same subnet?

Thanks in advance.

Karsten Iwen · ‎02-03-2017

You can also configure it the following way:

two mini-switches connected to each orher
Connect Router1 to switch1
Connect Router2 to switch2
connect two ASA interfaces, one to each switch.
combine both interfaces to a redundant interface

Or if you are really brave, you can upgrade to ASA version 9.7(1) and combine two interfaces into one bridge-group and connect both routers directly to the ASA.

View solution in original post

Karsten Iwen · ‎02-03-2017

You can also configure it the following way:

two mini-switches connected to each orher
Connect Router1 to switch1
Connect Router2 to switch2
connect two ASA interfaces, one to each switch.
combine both interfaces to a redundant interface

Or if you are really brave, you can upgrade to ASA version 9.7(1) and combine two interfaces into one bridge-group and connect both routers directly to the ASA.

Marius Gunnerud · ‎02-03-2017

Instead of using redundant interfaces, you could stack the switches, and then create a portchannel between the ASA and the stack(one link to each switch). Then also cable one router into one switch and the other router into the second switch.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Karsten Iwen · ‎02-03-2017

Mini-switch with stacking? Don't think so ... ;-)

Marius Gunnerud · ‎02-03-2017

overlooked the mini switch :-s

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

craig5258 · ‎02-06-2017

Thanks for the reply.

I wasn't aware of interface redundancy on ASAs but it's on my radar now - thanks. It would only help in this case if you could link the redudnancy/failover to an IP SLA or similar so that if the SIP trunk failed upstream, the ASA interface would flip over. Otherwise, it would only failover if the inside interface of router1 went down - which is less likely.

I did read something about bridging groups - they sit behind a bridged virtual interface don't they? I thought that was my answer until I realised my ASA doesn't support them. So, I'll investigate the upgrade to 9.7(1). I've got a spare firewall so I can do some testing.

Thanks again.

Karsten Iwen · ‎02-06-2017

You don't need the upstream tracking here. That is done automatically by the ISP-routers. The redundant interfaces help with failures of ASA interfaces or the outside switch.

And yes, you bundle physical interfaces in the same bridge-group and configure all parameters (nameif, ip, sec-level) on the bvi. An example is shown in the config guide for the 5506-default config.

craig5258 · ‎02-06-2017

Sorry - I missed the bit about connecting the mini-switches to each other. I was thinking that the ASA interface failover would need to mirror the HSRP failover. So, yes - this would do the job without any software upgrades. Thanks.

I'll check out the BVI config though - I'd be interested to see it working.

Connecting Cisco ASA to 2 internet lines - best practice