Hi  rizwanr74,

Thanks for the urgent reply, The ASA  not in failover mode. Yes ,ASA should have two seperate interfaces are connected to both core switches.(Sorry its not seen on the diagram)

Kawi

Hi guys,

Pls help................

Hello Kantha,

On the WAN side I do not see any issues as you will send all internet traffic over one router and then the connections to the other Sites via another router. PBR is not supported on the ASA but you will be able to accomplish this particular scenario

Now on the LAN side , the ASA 5520 needs to have each interface attached to a differnet subnet, in this case you will have two interface going to 2 different switches on the same subnet witch you cannot do it. I think what you could do is to have redundant interfaces.

Here is one example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1009432

Please rate if this helps.

Julio

Hi Julio.

Kindly explain the LAN side which not clear to me.How I segment the Lan for different subnets.

KAWI

Hello Kantha,

You cannot use 2 interfaces at the same time connecting to the same subnet ( unless firewall is on transparent mode), so what you can do on this case will be to use redundant interfaces ( one will be up, the other one will be on stand-by) so you will provide more redundancy to your network witch I think is what you are looking for.

Regards,

Julio.

Hi Guys,

01.There are 4 wan links with different subnets ( ADSL,Internet Leased line, Customer 1,Custpmer-2)

02. All routers are connected via L2 switch to the firewall

03. The FW has 5 context licences (ASA5520)

04. FW is connected to the 2 coreswitches (Active and Stnby)

My requirement is,

01. Is it possible to remove the L2 switch in  between the ASA and wan routers ( To avoid single point of failure)

02. If it can remove please advice how to config the ASA

03. How to config the ASA with contexts to route trafiic to the switches (Act/Stnby)

kawi

Message was edited by: KaWi

Hello Kantha,

1-So basically the two  routers are on the same broadcast domain than the ASA, the thing is that as soon as you remove the layer two switch you will need to use a separate interface to connect to each router, so then each interface will need to be on a different subnet ( let me know if that is possible).

2- So if you can set up that scenario ( 2 subnets) as you know the ASA does not support PBR but as you know the destination for the customer´s branchs we can do configure this:

Route outside1 branch1_network  subnet_mask  Router1_ipaddress

Route outside1 branch2_network  subnet_mask  Router1_ipaddress

Route outside2 0.0.0.0                    0.0.0.0             Router2_address

3-Regarding the context configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

http://www.tech21century.com/cisco-asa-multiple-context-mode-%E2%80%93-configuring-virtual-firewalls-on-same-chassis/

Rate if this post helps you.

Julio