Please Help: ASA firewall Redundant with 3850 switch

uzair.infotech · ‎02-23-2016

Dear Members,

I have the network diagram attached. I have ASA Firewall running in Active/Standby mode with 3850 switch. My question is that how should i configure 3850 so ASA firewall can point it to route traffic coming from outside to inside.

Regards,

Uzair Hussain

Philip D'Ath · ‎02-23-2016

And something like this on the ASA:

interface Redundant5.50
 vlan 50
 nameif inside
 security-level 100
 ip address 10.181.11.4 255.255.255.0 standby 10.181.11.5

uzair.infotech · ‎02-23-2016

Dear Philip D'Ath,

Find the attached diagram for more clear picture. I have 2 interfaces (INSIDE) on both ASA firewall running in redundant mode and have ip address 10.181.11.4 standby 10.181.11.5. Switch 3850 point 10.181.11.4 (Firewall Inside) as its default gateway. My internal network has multiple VLANs and 3850 switch is doing inter-vlan routing.

My question is that how ASA firewall will route the traffic to the 3850 switch and how to configure the interfaces on switch 3850.

ASA firewall outside interface has ip address 10.181.10.6 standby 10.181.10.7.

Regards,

Uzair Hussain

Philip D'Ath · ‎02-23-2016

Your diagram shows there is an inside and outside switch. I am assuming the inside switch is the 3850. Is this correct?

Just add a route on the ASA for the inside networks. Something like (where "x" is the IP address of your 3850 in the 10.181.11 VLAN).

route inside 10.181.20.0 255.255.255.0 10.181.11.x
route inside 10.181.30.0 255.255.255.0 10.181.11.x
route inside 10.181.50.0 255.255.255.0 10.181.11.x

uzair.infotech · ‎02-23-2016

Dear Philip D'Ath,

Find the attached diagram for more clear picture. I have 2 interfaces (INSIDE) on both ASA firewall running in redundant mode and have ip address 10.181.11.4 standby 10.181.11.5. Switch 3850 point 10.181.11.4 (Firewall Inside) as its default gateway. My internal network has multiple VLANs and 3850 switch is doing inter-vlan routing.

My question is that how ASA firewall will route the traffic to the 3850 switch and how to configure the interfaces on switch 3850.

ASA firewall outside interface has ip address 10.181.10.6 standby 10.181.10.7.

Regards,

Uzair Hussain

Philip D'Ath · ‎02-23-2016

In that case, you can just make them ordinary access ports. You can use static routes on the ASA for internal subnets back to the 3850's.

interface GigabitEthernet a/b/c
 description ASA firewall
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast
 spanning-tree link-type point-to-point

uzair.infotech · ‎02-23-2016

Dear Philip D'Ath,

I am new user for ASA firewall, so please eleborate. The link between ASA and 3850 switch will be carrying multiple VLAN traffic and how incoming traffic will communicate with VLAN 20, 30, 50 when there is no route on ASA. Should i configure the ip address on same subnet 10.181.11.4, if yes then how?

Regards,

Uzair Hussain

Philip D'Ath · ‎02-23-2016

I would trunk the VLANs into the ASA, as you obviously need at least two interfaces (inside and outside). Your diagram doesn't show how the second interface works.

On the 3850 I would be trunking the VLANs with something like:

interface GigabitEthernet a/b/c
 description ASA firewall
 switchport trunk allowed vlan 50,...
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point