Firewall Redundancy

sajid231088 · ‎02-18-2019

Hi All,

Hope you all are doing well.

Please help me in below.

I have below devices :

ASA 5525 (2 nos)

Cisco 2801 Router

Cisco 3560 SW (4 nos)

I have a very simple setup for my lab, Have one ISP connection terminated on my 2801 Router and from there i have connected one switch (3560) on which all user devices are connected.

I wanted to build a network with redundant ASA please help me with network diagram and configuration.

Regards

Sajid

socratesp1980 · ‎02-18-2019

Hello Sajid I place your ASAs behind your 2801 router and make them as gateways for your internal LANs. In brief the diagram would be

|ASA1|

|ISP|----|3560|-----|-----| ------ |3560|

|ASA2|

This is not the only solution. This can change depending on your ISP's configuration or how you want to treat your internal network

Configuration on your primary unit assuming you are using a single interface for failover failover lan unit primary failover lan interface folink gi0/2 (assuming your failover interface is gig0/2)

failover interface ip folink 192.168.0.1 255.255.255.252 standby 192.168.0.2

failover link statelink gi0/2

failover interface ip folink 192.168.0.5 255.255.255.255 standby 192.168.0.6

failover

On secondary:

failover lan interface gi0/2

failover interface ip folink 192.168.0.2 255.255.255.252 standby 192.168.0.1

failover lan unit secondary

failover

sajid231088 · ‎02-18-2019

Hi Socratesp,

Thanks for your prompt response.

I have attached a diagram as per your suggestion, Please check and reply if its correct.

Regards

Sajid

sajid231088 · ‎02-18-2019

PFA

socratesp1980 · ‎02-18-2019

looks good. You can also use a single switch where the two ports facing your 2801 router being in a different vlan