Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
893
Views
5
Helpful
6
Replies

Connection on Two ASA firewall with one cisco 4331 router without switch in between

Satinderpal Singh Dhaliwal
Level 1
Level 1

‎06-18-2018 12:07 PM - edited ‎02-21-2020 07:53 AM

Hi am working on a design where i have two ASA firewalls in Active and Passive  state and for Gre over IPsec connection i need one router in front of these firewalls .Can any one provide me config or tell what is best way to design this connectivity.

 

ASA 5525 (Active) ------

                                         Cisco 4331

ASA 5525(Standby)------

 

So i have two connection from both firewalls on Cisco 4331.

 

Thanks

Labels:
0 Helpful
6 Replies 6

Dennis Mink
VIP Alumni
VIP Alumni

‎06-18-2018 05:43 PM

take two ports on your ISR and connect and outside interface of the ASAs to each of the ports.

 

Run a link between the two ASA's directly as a HA

Please remember to rate useful posts, by clicking on the stars below.

Satinderpal Singh Dhaliwal
Level 1
Level 1
In response to Dennis Mink

‎06-18-2018 08:15 PM

Thank you Dennis, but what will be configuration on ISR side and ASA on those ports ,as i am using firewall as active and standby.

 

should i use /30 pool on both links i don’t think that will work as firewalls are active/Standby.

 

any suggestions?

 

 

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to Satinderpal Singh Dhaliwal

‎06-18-2018 08:45 PM

the subnet between ASA's and ISR is not really that relevant, but it needs to contain at least 3 host addresses. from the ISR you can do a default route pointing to the outside of each of your ASA, with an sla track statement. you could decidedc to used dynamic routing to allow failover for when the active ASA fails over to the standby.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Florin Barhala
Level 6
Level 6
In response to Dennis Mink

‎06-19-2018 01:01 AM

Nice insights - I would favor EIGRP over any static route with IP SLAs.
0 Helpful

andrewstigen
Level 1
Level 1

‎06-19-2018 08:57 AM

I am doing all of my configurations through the GUI ASDM. (I know, some people really love the CLI even for configurations, but I don’t. I am using it only for troubleshooting issues.) For this lab I am using a Cisco ASA 5506-X with ASA version 9.5(1), while ASDM is version 7.5(1). In my lab, I have a default route to ISP 1 (gi1/1) and a different connection to ISP 2 (gi1/2). There is no route to ISP 2 in the routing table. I want that each user generated http/https traffic is routed to ISP 2, while anything else is still traversing through ISP 1 to the Internet.

My recommendation: https://www.routerinstructions.com/

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to andrewstigen

‎06-19-2018 09:05 PM

andrew, are you spamming us or is there something useful in that link?

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card