01-13-2018 08:50 AM - edited 03-05-2019 09:45 AM
I want to configure this network diagram in my network. I have been given 5 days. Please help me with this. Each router is connected to its internet, which means there is one internet connection on each router, and each router is connected to ASAs and then to the collapsed layer with multilayer switches and access switches. How do I configure HSRP on the routers and also how do I configure redundancy of the internet? One firewall will be used for DMZ. Please guide me. I am having only 5 days. I am adding the diagram of the network.
01-13-2018 03:12 PM - edited 01-13-2018 03:16 PM
Hi
If these firewalls are the same model and image you could create an active-standby cluster, then you could create an HSRP on the collapsed switches and create a default route pointing to the firewall (since it is a cluster).
Example:
Firewall as cluster (failover)
interface g0/0
nameif INSIDE
security-level 100
ip address 10.0.0.4 255.255.255.248
no shutdown
route INSIDE 192.168.1.0 255.255.255.0 10.0.0.1 (assuming 192.168.1.0/24 is an internal network)
route OUTSIDE 0.0.0.0 0.0.0.0 <public IP address> <-- default routing pointing to ISP to get Internet
DMZ Configuration
interface g0/1
nameif DMZ
security-level 50
ip address x.x.x.x y.y.y.y
no shutdown
** Remember to create the ACLs and access groups **
Primary Switch
vlan 10
name PRIMARY-SW-TO-FW-CLUSTER
interface g0/1
description TO-FIREWALL
switchport access vlan 10
switchport mode access
no shutdown
interface vlan 10
description HSRP-CORE-FW
ip address 10.0.0.2 255.255.255.248
standby 10 ip 10.0.0.1
standby 10 priority 105
standby 10 preempt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET
Secondary Switch
vlan 10
name PRIMARY-SW-TO-FW-CLUSTER
interface g0/1
description TO-FIREWALL
switchport access vlan 10
switchport mode access
no shutdown
interface vlan 10
description HSRP-CORE-FW
ip address 10.0.0.3 255.255.255.248
standby 10 ip 10.0.0.1
standby 10 priority 100 (100 is default)
standby 10 preempt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET (pointing to Firewall)
Now take in consideration, the Primary Switch is:
- Primary root
- Primary routing protocol device (like DR in OSPF and BDR the secondary switch)
How to make a Cisco ASA cluster; it is just an example because I don't know your firewall model:
https://www.thegeekstuff.com/2011/09/cisco-asa-high-availability/
Also remember to create the NAT on the firewall to allow Internet access for the internal networks; the configuration may vary depending on the IOS version or platform.
Hope it is useful
:-)
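A consistency check for the HSRP pair in the post above, written as an added example (it is not part of the post and not a Cisco tool): it parses both switches' SVI configurations with Python's ipaddress module and flags a mismatched group or virtual IP, clashing SVI addresses, equal priorities, a missing preempt, and a default route whose next hop is not on the firewall subnet. The sample configs are constructed from the values in the post; parse_svi and check_hsrp_pair are hypothetical names.

```python
import ipaddress
import re

SWITCH_CONFIGS = {  # constructed from the two SVI configs in the post above
    "primary": """interface vlan 10
 ip address 10.0.0.2 255.255.255.248
 standby 10 ip 10.0.0.1
 standby 10 priority 105
 standby 10 preempt
ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET""",
    "secondary": """interface vlan 10
 ip address 10.0.0.3 255.255.255.248
 standby 10 ip 10.0.0.1
 standby 10 priority 100
 standby 10 preempt
ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET""",
}

def parse_svi(text):
    cfg = {"priority": 100, "preempt": False}  # IOS defaults when the lines are absent
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["iface"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"standby (\d+) ip (\S+)$", line):
            cfg["group"], cfg["vip"] = int(m[1]), ipaddress.ip_address(m[2])
        elif m := re.match(r"standby \d+ priority (\d+)$", line):
            cfg["priority"] = int(m[1])
        elif re.match(r"standby \d+ preempt$", line):
            cfg["preempt"] = True
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["gw"] = ipaddress.ip_address(m[1])
    return cfg

def check_hsrp_pair(configs):
    # Returns a list of findings; an empty list means the two peers are consistent
    a, b = (parse_svi(t) for t in configs.values())
    net, findings = a["iface"].network, []
    if (a.get("group"), a.get("vip")) != (b.get("group"), b.get("vip")):
        findings.append("HSRP group or virtual IP differs between the peers")
    if a["iface"].ip == b["iface"].ip or b["iface"].network != net:
        findings.append("peer SVI addresses clash or are not in the same subnet")
    if a["priority"] == b["priority"]:
        findings.append("equal priorities: the active role is decided by IP, not by design")
    for name, c in zip(configs, (a, b)):
        vip = c.get("vip")
        if vip is None or vip == c["iface"].ip or vip not in net:
            findings.append(f"{name}: virtual IP missing, clashing with the SVI, or outside {net}")
        if not c["preempt"]:
            findings.append(f"{name}: no preempt, the primary will not reclaim the VIP after recovery")
        if "gw" not in c or c["gw"] not in net:
            findings.append(f"{name}: default route next hop is not on the firewall subnet")
    return findings
```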
01-13-2018 08:45 PM - edited 01-13-2018 09:00 PM
Hello
FYI - I think this post should be redirected to the security forum, as you would get a lot better assistance from the gurus on there. Anyhow, while you're here and I am in the process of labbing such a scenario up, I thought I'd give some input on the initial setup of a FW cluster in an active/standby mode.
Just like to add to Julio's comments that having a FW cluster in an active/standby state would be applicable to your query, but so would an active/active scenario.
What you need to be aware of in either setup is that the failover link between the FWs needs to be as fast as possible and NOT physically connected between each other via a crossover but via a LAN switch port. This is so all stateful FW traffic can be monitored and synchronized between the two units.
Below is a lab configuration example I used to create such a setup. Most of the work is performed on the primary FW, and once failover is initiated all changes will be replicated to the secondary FW. It worked as I expected it to and was enjoyable to create as it's something I don't normally get a chance to do.
ASA1
E0/0 Outside Primary 172.16.2.254/24
Standby ip 172.16.2.253/24
E0/1 Inside 70 Primary 172.16.1.254/24
Standby ip 172.16.1.253/24
E0/2 DMZ 50 Primary 172.16.4.254/24
Standby ip 172.16.4.253/24
E0/3 FailOver -- fail-over link (via switchport)
active IP address of 172.16.5.254/24
Standby ip 172.16.5.253
interface e0/0
nameif Outside
ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
no shut
interface e0/1
nameif Inside
security-level 70
ip address 172.16.1.254 255.255.255.0 standby 172.16.1.253
no shut
interface e0/2
nameif DMZ
security-level 50
ip address 172.16.4.254 255.255.255.0 standby 172.16.4.253
no shut
exit
int e0/3
no shut
exit
failover lan unit primary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN
failover
ASA2
int e0/3
no shut
exit
failover lan unit secondary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN
failover
Once the cluster is created, you can enable ping to pass through the FWs and so test failover manually by initiating a ping from inside to outside your network and manually performing a failover.
policy-map global_policy
class inspection_default
inspect icmp
exit
ASA2
failover active
show failover
show failover interfaces
sh run all mon
Excellent reference material - Here
res
Paul
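An added peer-consistency check for the ASA active/standby lab above (not part of the post): it parses both units' configurations and flags a missing primary/secondary split, failover lines that differ between the units (link, failover IPs or key), and a standby address that equals the active address or sits outside the interface subnet. The sample configs are constructed from the lab values; parse_unit and check_failover_pair are hypothetical names.

```python
import ipaddress
import re

ASA1 = """interface e0/2
 nameif DMZ
 security-level 50
 ip address 172.16.4.254 255.255.255.0 standby 172.16.4.253
failover lan unit primary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN"""  # constructed from the lab config in the post above
ASA2 = """failover lan unit secondary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN"""

def parse_unit(text):
    # ifaces: nameif -> (active address/mask, standby address)
    # shared: failover lines that must be identical on both units
    unit = {"ifaces": {}, "shared": set()}
    cur = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            cur = m[1]
        elif m := re.match(r"ip address (\S+) (\S+) standby (\S+)$", line):
            unit["ifaces"][cur] = (ipaddress.ip_interface(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3]))
        elif m := re.match(r"failover lan unit (\S+)", line):
            unit["role"] = m[1]
        elif line.startswith("failover "):
            unit["shared"].add(line)
    return unit

def check_failover_pair(primary_text, secondary_text):
    # Returns a list of findings; an empty list means the pair is consistent
    p, s = parse_unit(primary_text), parse_unit(secondary_text)
    findings = []
    if {p.get("role"), s.get("role")} != {"primary", "secondary"}:
        findings.append("units must be configured as one primary and one secondary")
    if p["shared"] != s["shared"]:
        findings.append("failover link, failover IPs or key differ between the units; the pair will not form")
    for name, (active, standby) in p["ifaces"].items():
        if standby == active.ip:
            findings.append(f"{name}: standby address equals the active address")
        elif standby not in active.network:
            findings.append(f"{name}: standby address is outside the interface subnet")
    return findings
```

The ASA masks the failover key in show running-config, so feed the check the intended configuration rather than device output when comparing keys.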
01-14-2018 03:26 AM
What about redundancy on the routers?
01-14-2018 07:16 AM
01-14-2018 07:17 AM - edited 01-14-2018 07:17 AM
Hi,
I have included the HSRP configuration above. Please let me know if there is any doubt. Now, if you are going to use an active/active scheme, I could recommend GLBP instead of HSRP to obtain load balancing.
:-)