2909 Views, 20 Helpful

Connect 2 redundant routers to 1 firewall or 2 switches to 1 router?

CiscoPurpleBelt (Level 6)

So if I have two redundant routers (running HSRP) would I be able to connect them to 1 ASA5585X?

Would I give the FW interface connecting to Router 1 let's say nameif inside

give the other FW interface connecting to Router 2 nameif inside 2

then be able to apply the same ACL to both interfaces? 

But then how would I point both routers to 1 ip address on the FW if this actually can work?

 

I have same question in regards to 2 switches connecting to 1 router, and the switches point to same let's say .1 address on the router?

14 Replies

Hi

A solution for having 2 routers connected to the firewall is:

- Use HSRP between the 2 routers, creating a virtual IP.

- Connect the routers and the firewall through a switch, using one VLAN and the same network for all the devices, for example a /29: R1 10.0.0.2, R2 10.0.0.3, HSRP virtual IP on the routers 10.0.0.1, and the firewall 10.0.0.4, everything /29.

- The routers will use different priorities, and their next hop will be the IP configured on the firewall.

- The firewall will have 1 next hop to the internal network, and the IP used as next hop will be the virtual IP of HSRP.

 

With this, you will have just one 'inside' nameif and you will not duplicate ACLs.

 

Take into consideration that the firewall is a point of failure; if the budget allows, create a cluster of firewalls, and for the switch, create a stack of 2 switches or use 2 standalone switches.

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
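The firewall side of the design described in the reply above, as an added example that is not from the original post or from Cisco documentation: one inside interface with a single nameif, a single static route whose next hop is the HSRP virtual IP, and the outbound ACL bound once. The addresses on the /29 are the reply's (ASA 10.0.0.4, virtual IP 10.0.0.1); the interface names, the outside addressing (203.0.113.0/29, a documentation range), the internal summary 10.10.0.0/16, the ACL entries and the NAT object are assumptions made for illustration.

```cisco
! ASA5585-X, ASA 9.x syntax. Added example (not from the original post).
! Assumptions: inside is GigabitEthernet0/1, outside is GigabitEthernet0/0 with
! the ISP at 203.0.113.1; the LANs behind the routers summarise to 10.10.0.0/16.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.4 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! One next hop for every internal prefix: the HSRP virtual IP 10.0.0.1.
! The ASA does not speak HSRP; when the routers fail over, the virtual IP
! and its virtual MAC simply start answering from the other router.
route inside 10.10.0.0 255.255.0.0 10.0.0.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound policy is written once and bound to the one inside interface.
! With two "inside" nameifs it would have to be bound, and kept in sync, on both.
object-group network INTERNAL-LANS
 network-object 10.10.0.0 255.255.0.0
!
access-list INSIDE_IN extended permit udp object-group INTERNAL-LANS any eq 53
access-list INSIDE_IN extended permit tcp object-group INTERNAL-LANS any eq 80
access-list INSIDE_IN extended permit tcp object-group INTERNAL-LANS any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Source NAT for the internal summary behind the outside address (ASA 8.3+ object NAT).
object network INTERNAL-LANS-NAT
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
```

A `nameif` has to be unique per interface, so the "inside 2" in the question would be a second interface with its own subnet and its own `access-group`, not a copy of the first. After both routers are up, `show route` on the ASA should list 10.10.0.0/16 via 10.0.0.1, and `show arp` should resolve 10.0.0.1 to the HSRP virtual MAC rather than to either router's burned-in address.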

Ok can you take a look at the diagram I made real quick?

Let's say I have 2 routers I can use to connect to the FW. Would it work the way I am showing? I guess since I have 2 connections to the FW I would have 2 identical inside nameifs.

 

Hi,

Usually this scheme uses 2 firewalls, one connected to each switch. You could enable a port channel on the ASA, but my suggestion is to install a switch stack instead of standalone switches.

 

:-)





Dennis Mink (VIP Alumni)

I would stick a layer 2 device between the firewall and the two routers, so that your ASA's outside interface connects to both routers with a switch in the middle.


What if I had 2 additional switches for redundancy connecting to one FW; would this work? Would the FW allow me to create two identical inside nameifs?

 

Please see diagram.

Ok, please take a look at this diagram. Do my connections seem right?

Hi

That scheme will work, but you will have 2 points of failure: the switch and the firewall.




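To take the firewall off the list of single points of failure that the reply above names, here is an ASA active/standby failover pair on the /29 from the first reply, as an added example that is not from the original post. The reply says "cluster"; active/standby failover is the simpler of the ASA's two redundancy modes and is what is shown here. GigabitEthernet0/3 as the failover link, its 192.168.255.0/30 addressing, the standby address 10.0.0.5 and the key string are assumptions.

```cisco
! Primary ASA, added example (not from the original post). Assumptions:
! GigabitEthernet0/3 is a back-to-back failover link carrying 192.168.255.0/30;
! inside is GigabitEthernet0/1 on the first reply's /29; the key is a placeholder.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Reuse the same link for state replication (connection table, xlates).
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! The failover link carries the running config and connection state; without
! a key that traffic is unauthenticated and in clear text. Set it before enabling.
failover key ChangeMe-FailoverKey
! Faster detection than the defaults (1 s hello / 15 s hold): 200 ms / 800 ms.
failover polltime unit msec 200 holdtime msec 800
!
interface GigabitEthernet0/3
 description FAILOVER-LINK
 no shutdown
!
! Each data interface has an active and a standby address. The active address
! and MAC move to whichever unit is active, so both routers keep 10.0.0.4 as
! their next hop and nothing changes on the HSRP side.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.4 255.255.255.248 standby 10.0.0.5
 no shutdown
!
! Fail over when the inside interface itself is judged failed, not only on unit loss.
monitor-interface inside
!
! Enable last, after the secondary unit has been configured with
! "failover lan unit secondary"; the rest of the configuration is replicated.
failover
```

`show failover` on the primary should report "This host: Primary - Active" and "Other host: Secondary - Standby Ready". Each unit still needs its own physical path to the switch side, so with two standalone switches you would connect one ASA to each; with the single interconnect switch the switch remains the remaining single point of failure, as the reply says.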

Ok yes ideally I would have 2 of everything up to the edge router.

 

If I have switches connecting to each router for redundancy, I can't use the same subnets on each router port connection for each Sw, meaning how would I configure the connecting ports on the routers?

The routers would be configured for HSRP, and the interface that connects to each switch would have the sub-interfaces for routing all the subnets. If AccSw1 is connected to InternalRt1 g1 (G1 has 10.0.0.1, g1.2 10.0.2.1, g1.3 10.0.3.1, etc.) how would I configure the port on InternalRt1 that connects to AccSw2? Vice versa for AccSw to InternalRt2

 

Please see diagram I updated showing the redundant connections.

Hi

To connect the routers and the firewall to the switches, use the same VLAN, for example:

 

Router 1 ------ Switch1
                   |
                 trunk
                   |
Router 2 ------ Switch2

 

 

ROUTER1

! Priority 105 with preempt: ROUTER1 is active for group 10 whenever it is up
interface g0/0
 description TO-ISP
 ip address 10.123.0.2 255.255.255.248
 standby 10 ip 10.123.0.1
 standby 10 preempt
 standby 10 priority 105
 no shutdown
!
! Default route to the firewall's inside address
ip route 0.0.0.0 0.0.0.0 10.123.0.4 name INTERNET


ROUTER2

! Lower priority and no preempt: becomes active only when ROUTER1's hellos stop
interface g0/0
 description TO-ISP
 ip address 10.123.0.3 255.255.255.248
 standby 10 ip 10.123.0.1
 standby 10 priority 100
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.123.0.4 name INTERNET

 

 

SWITCH 1

vlan 123
 name INTERCONNECT-DEVICES
!
interface g1/0/1
 description TO-ROUTER1
 switchport access vlan 123
 switchport mode access
 no shutdown
!
interface g1/0/2
 description TO-FIREWALL
 switchport access vlan 123
 switchport mode access
 no shutdown
!
interface g1/0/24
 description TRUNK-BETWEEN-SWs
 switchport mode trunk
 no shutdown


SWITCH 2

vlan 123
 name INTERCONNECT-DEVICES
!
! ROUTER2 hangs off SWITCH2 per the diagram above
interface g1/0/1
 description TO-ROUTER2
 switchport access vlan 123
 switchport mode access
 no shutdown
!
interface g1/0/2
 description TO-FIREWALL
 switchport access vlan 123
 switchport mode access
 no shutdown
!
interface g1/0/24
 description TRUNK-BETWEEN-SWs
 switchport mode trunk
 no shutdown

 

Hope it is useful

:-)




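Three additions a practitioner would make to the ROUTER1/ROUTER2 and SWITCH configurations in the reply above, as an added example that is not from the original post: MD5 authentication on the HSRP group, tracking of each router's LAN-facing interface so the active router gives up 10.123.0.1 when it can no longer reach the inside networks, and pruning of the inter-switch trunk. The LAN-side interface name GigabitEthernet0/1, the key string and the decrement value are assumptions.

```cisco
! Added example (not from the original post). Assumptions: each router's
! LAN-facing interface is GigabitEthernet0/1; key strings are placeholders.
!
! ---- ROUTER1 ----
key chain HSRP-KEYS
 key 1
  key-string ChangeMe-HsrpKey
!
! HSRP only watches the interface the group lives on (g0/0). Track the LAN
! side too, or a dead LAN link leaves ROUTER1 active while the firewall
! forwards inbound traffic into a black hole.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 ! Any host on VLAN 123 could otherwise send hellos with priority 255 and
 ! become the default gateway for the firewall's inside traffic.
 standby 10 authentication md5 key-chain HSRP-KEYS
 ! 105 - 10 = 95 < 100, so ROUTER2 wins the election when g0/1 goes down.
 standby 10 track 1 decrement 10
!
! ---- ROUTER2 ----
key chain HSRP-KEYS
 key 1
  key-string ChangeMe-HsrpKey
!
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 standby 10 authentication md5 key-chain HSRP-KEYS
 ! ROUTER2 must preempt as well, or it never takes over from a still-alive
 ! ROUTER1 whose priority has merely dropped below 100.
 standby 10 preempt
 standby 10 track 1 decrement 10
!
! ---- SWITCH1 and SWITCH2 ----
! Carry only VLAN 123 between the switches and disable DTP, so the router-
! and firewall-facing access ports cannot be negotiated into trunks.
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 123
 switchport nonegotiate
!
interface range GigabitEthernet1/0/1 - 2
 switchport nonegotiate
```

The key chain must match on both routers: with mismatched MD5 keys each router ignores the other's hellos and both go active on 10.123.0.1. `show standby brief` should show ROUTER1 Active and ROUTER2 Standby for group 10; shutting ROUTER1's g0/1 should swap the roles within the hold time, and `show track` shows the decrement taking effect. On the ASA, `show arp` for 10.123.0.1 should resolve to the HSRP version 1 virtual MAC 0000.0c07.ac0a (group 10 in hex) whichever router is active.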

Yes this is very helpful thanks!

 

Just trying to understand or clarify a couple things still.

So on the g0/0 interfaces on the routers, are you referring to the connection that goes to the Edge Sw (interconnecting Sw), and are you giving an example as if I had 2 Edge/Interconnect switches?

In regards to the access switches, I can't connect each switch to each router as well, given I can't put the same IPs on each port on the routers that is used to connect to each switch, correct?

Also, it is probably best to use a management VLAN for the ports on the interconnecting switch in order to give all devices IPs in the management VLAN, correct?

Also, the ports on the routers (g2) that connect to the interconnecting switch: how would I configure them if the interconnecting switch is just for access VLAN 123?

I know I would configure HSRP interfaces on g1 of the router, but what about the g2 interfaces that connect to the other switches (each access switch connects to each router)?

Please take a look at the diagram as I updated it to help clarify.


Ok so there is no way to connect both redundant routers to 1 FW, right? Meaning the FW would need two of the same "inside" interfaces, I guess, right?

So I stuck a switch in between (interconnect switch). I can get the interconnect switch to ping the router via the trunk connection, but can only get the switch to ping the FW if I put the connecting interface in switchport access vlan 10 (which is the same subnet as the inside interface on the FW).

My concern is whether all internal subnets on the LAN will be able to pass through the interconnect switch and on out to the internet.

See attached diagram.

Any help is appreciated.
