My configuration for this network diagram

gurwinkle.singh (Level 1)

I want to configure this network diagram in my network. I have been given 5 days. Please help me with this. Each router is connected to its own Internet connection, which means there is one Internet connection on each router, and each router is connected to the ASAs and then to a collapsed layer with multilayer switches and access switches. How do I configure HSRP on the routers, and also how do I configure redundancy of the Internet? One firewall will be used for the DMZ. Please guide me. I have only 5 days. I am adding the diagram of the network.

5 Replies

Hi

If these firewalls are the same model and image, you could create an active-standby cluster; then you could create HSRP on the collapsed switches and a default route pointing to the firewall (since it is a cluster).

 

Example:

Firewall as cluster (failover)

interface g0/0
 nameif INSIDE
 security-level 100
 ip address 10.0.0.4 255.255.255.248
 no shutdown

route INSIDE 192.168.1.0 255.255.255.0 10.0.0.1   (assuming 192.168.1.0/24 is an internal network; 10.0.0.1 is the HSRP virtual IP on the switches)
route OUTSIDE 0.0.0.0 0.0.0.0 <public IP address>   <-- default route pointing to the ISP for Internet access

DMZ Configuration

interface g0/1
 nameif DMZ
 security-level 50
 ip address x.x.x.x y.y.y.y
 no shutdown

** Remember to create the ACLs and access groups **

 

Primary Switch

ip routing   (required for the SVI and static route on a multilayer switch)

vlan 10
 name PRIMARY-SW-TO-FW-CLUSTER

interface g0/1
 description TO-FIREWALL
 switchport access vlan 10
 switchport mode access
 no shutdown

interface vlan 10
 description HSRP-CORE-FW
 ip address 10.0.0.2 255.255.255.248
 standby 10 ip 10.0.0.1
 standby 10 priority 105
 standby 10 preempt
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET

Secondary Switch

ip routing   (required for the SVI and static route on a multilayer switch)

vlan 10
 name PRIMARY-SW-TO-FW-CLUSTER

interface g0/1
 description TO-FIREWALL
 switchport access vlan 10
 switchport mode access
 no shutdown

interface vlan 10
 description HSRP-CORE-FW
 ip address 10.0.0.3 255.255.255.248
 standby 10 ip 10.0.0.1
 standby 10 priority 100   (100 is the default)
 standby 10 preempt
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.4 name INTERNET   (pointing to the firewall)

Now take into consideration that the Primary Switch is:

- the primary root bridge
- the primary routing protocol device (like the DR in OSPF, with the secondary switch as the BDR)

 

How to make a Cisco ASA cluster (just an example, because I don't know your firewall model):

https://www.thegeekstuff.com/2011/09/cisco-asa-high-availability/

 

Also remember to create the NAT on the firewall to allow Internet access for the internal networks; the configuration may vary depending on the IOS version or platform.

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
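As an added example that is not part of Julio's post: the ACLs, access-groups and NAT that the post says to remember, in ASA 8.3+ object syntax. It assumes a DMZ subnet of 10.0.1.0/24 with a web server at 10.0.1.10 and a spare public address written as the same <public IP address> placeholder used above; 192.168.1.0/24 and the INSIDE/OUTSIDE/DMZ nameifs come from the post.

```cisco
! Added example, not from the original post. Assumed: DMZ 10.0.1.0/24, web server 10.0.1.10,
! a spare public address <public IP address>. 192.168.1.0/24 and the nameifs are from the post.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
object network DMZ-NET
 subnet 10.0.1.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic interface
object network DMZ-WEB
 host 10.0.1.10
 nat (DMZ,OUTSIDE) static <public IP address>
!
! Outside -> DMZ: only the published service. On 8.3+ the ACL uses the real (pre-NAT) address.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface OUTSIDE
!
! DMZ -> elsewhere: a DMZ host must never initiate traffic to the inside network;
! applying an ACL on DMZ replaces the implicit lower-to-higher deny, so deny it explicitly first.
access-list DMZ-OUT extended deny ip object DMZ-NET object INSIDE-NET log
access-list DMZ-OUT extended permit udp object DMZ-NET any eq domain
access-list DMZ-OUT extended permit tcp object DMZ-NET any eq www
access-list DMZ-OUT extended permit tcp object DMZ-NET any eq https
access-list DMZ-OUT extended deny ip any any log
access-group DMZ-OUT in interface DMZ
!
! Inside (security-level 100) -> DMZ/OUTSIDE is permitted by default with no ACL on INSIDE.
```

The logged deny lines give the syslog evidence needed to spot a DMZ host trying to pivot inward.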

Hello

FYI - I think this post should be redirected to the security forum, as you would get a lot better assistance from the gurus on there. Anyhow, whilst you're here and I am in the process of labbing such a scenario up, I thought I'd give some input on the initial setup of a FW cluster in active/standby mode.

 

Just to add to Julio's comments: having a FW cluster in an active/standby state would be applicable to your query, but so would an active/active scenario.

 

What you need to be aware of in either setup is that the failover link between the FWs needs to be as fast as possible and NOT physically connected between each other via a crossover but via a LAN switch port. This is so all stateful FW traffic can be monitored and synchronized between the two units.

 

Below is a lab configuration example I used to create such a setup. Most of the work is performed on the primary FW, and once failover is initiated all changes will be replicated to the secondary FW. It worked as I expected it to, and was enjoyable to create as it's something I don't normally get a chance to do.

 

ASA1
E0/0 Outside - Primary 172.16.2.254/24, standby IP 172.16.2.253/24
E0/1 Inside (security-level 70) - Primary 172.16.1.254/24, standby IP 172.16.1.253/24
E0/2 DMZ (security-level 50) - Primary 172.16.4.254/24, standby IP 172.16.4.253/24
E0/3 FailOver - failover link (via switchport), active IP 172.16.5.254/24, standby IP 172.16.5.253

interface e0/0
 nameif Outside
 ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
 no shut

interface e0/1
 nameif Inside
 security-level 70
 ip address 172.16.1.254 255.255.255.0 standby 172.16.1.253
 no shut

interface e0/2
 nameif DMZ
 security-level 50
 ip address 172.16.4.254 255.255.255.0 standby 172.16.4.253
 no shut
exit

int e0/3
 no shut
exit
failover lan unit primary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN
failover

ASA2
int e0/3
 no shut
exit
failover lan unit secondary
failover lan interface FailOver e0/3
failover interface ip FailOver 172.16.5.254 255.255.255.0 standby 172.16.5.253
failover key STAN
failover

 

Once the cluster is created, you can enable ping to pass through the FWs and then test failover manually by initiating a ping from inside to outside your network and manually performing a failover.

 

policy-map global_policy
 class inspection_default
  inspect icmp
exit

ASA2
failover active

show failover
show failover interface
sh run all monitor-interface

 

 

Excellent reference material - Here

 

res
Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

What about redundancy on routers. 

What about HSRP on routers.

Hi,

I have included the HSRP configuration above. Please let me know if there is any doubt. Now, if you are going to use an Active/Active scheme, I would recommend GLBP instead of HSRP to obtain load balancing.

:-)




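As an added example that is not part of the thread: HSRP on the two Internet routers themselves with IP SLA tracking, so the virtual gateway moves to the other router when the active router's own ISP stops answering rather than only when an interface goes down. The addressing is assumed (LAN-side VIP 10.10.10.1 on GigabitEthernet0/1, ISP next hops 203.0.113.1 and 198.51.100.1 on GigabitEthernet0/0, documentation-range placeholders); the ASA's OUTSIDE default route would then point at 10.10.10.1.

```cisco
! Added example, not from the thread. Assumed: LAN side g0/1 (VIP 10.10.10.1), ISP next hops
! 203.0.113.1 (R1) and 198.51.100.1 (R2) on g0/0; all documentation-range placeholders.
!
! ---- R1 (preferred active, ISP-A) ----
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30              ! dampen a flapping ISP before HSRP reacts
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1   ! default withdrawn when ISP-A is unreachable
!
interface GigabitEthernet0/1
 description LAN-SIDE-HSRP
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-string <shared-secret>   ! stops a rogue host claiming the VIP
 standby 1 track 1 decrement 20   ! 110-20 = 90 < 100, so R2 becomes active
!
! ---- R2 (standby, ISP-B) ----
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
interface GigabitEthernet0/1
 description LAN-SIDE-HSRP
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 1 ip 10.10.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 track 1 decrement 20
```

With two different ISPs, established sessions do not survive a switchover because the public source address changes; verify the behaviour with show standby and show track before relying on it.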