05-24-2011 05:55 AM - edited 03-04-2019 12:30 PM
Hello,
I have 1 Internet router 2960 and 2 ASA firewalls. The issue is: suppose ASA-1 fails, the failover will happen to ASA-2, but I don't have a Layer 2 switch in between the ASAs and the Internet router, so I have to manually shift the cable from ASA-1 to ASA-2.
What sort of configuration can I do on the 2960 router interfaces to support failover from ASA-1 to ASA-2? I have enough interfaces on the 2960 router to accommodate ASA-2. All 3 of these devices should be in 1 subnet.
Thanks
05-24-2011 06:52 AM
Just do a new VLAN and put all the relevant ports and cables in there.
05-24-2011 07:29 AM
Dear,
It is a typing mistake; it is not a 2960 router, it is a 2920 router. I don't have a switch in between the 2920 router and the ASA firewalls; this is the issue.
Thanks
05-24-2011 12:24 PM
Hello,
Can anybody help with the above query, please?
Thanks
05-24-2011 12:56 PM
What is the hardware configuration of your router? I'm guessing it's really a 2921.
Take a look at this product sheet. It would facilitate what you want to do.
Here is another link, check the second diagram.
05-24-2011 02:05 PM
Hello,
I think my question is not clear; I will elaborate to make it clearer.
Please find the attached screenshot.
As you can see in the attached screenshot, the switch between the firewall and the Internet router, where all 3 devices connect, is missing in my network.
As a temporary solution, if I connect ASA-1 to the Internet router, traffic will flow as a stream, BUT in case ASA-1 fails I have to manually shift cables from ASA-1 to ASA-2.
To avoid shifting cables, is there any solution that I can apply on the Internet router interfaces to avoid the manual step of changing cables?
Thanks
05-24-2011 02:13 PM
There is a second diagram in the attachment for failover that shows:
2 fw-to-fw direct links, and a link from each fw to the router. It does require 2 interfaces on the router and 3 interfaces on the firewalls.
Without that, you essentially need either a switch module in the router (link #1) or an external switch.
05-24-2011 09:50 PM
Hello,
Still, I think it is not clear.
There is nothing to do on the ASA; everything has to be done on the Internet router. Suppose I get a public pool of IP addresses, 202.202.202.202/29. From this subnet I will use 1 IP on the ASA outside interface and 1 IP on the Internet router interface (gig0/1) connecting to ASA-1, but what IP should I use on gig0/2 of the Internet router? (An IP from the gig0/1 subnet is not accepted by the router on gig0/2.) So when failover happens to ASA-2, it is connected to the gig0/2 interface of the Internet router, which has no IP address. In this case, what configuration should I do on the 2920 Internet router so that if gig0/1 goes down, gig0/2 takes over the IP of gig0/1?
Thanks
05-25-2011 09:36 AM
You need either a bigger public pool for HSRP on the router. You still need to cross-connect the appliances so they can share state information.
05-25-2011 12:32 PM
Hello,
Is it so that we can do bridging on 2 interfaces of a router? Is it possible?
Can you elaborate more on the previous message, please?
Thanks
05-25-2011 01:16 PM
If you could HSRP 2 Ethernet ports on the router, that consumes 3 host addresses out of your public IP address space;
then you need something for NAT and firewall interfaces.
05-25-2011 10:31 PM
Hello,
HSRP is done between 2 routers; I have only 1 Internet router (2920). How will the HSRP solution work? I think it is not possible.
Can bridging work? I have not read about bridging, but I want a general idea on this thread.
Thanks