
Routing with firewalls

Senbonzakura
Level 1

Hey everyone, I need your input.


So, I have an ASA5510 firewall that has two Cisco ISR 1921s hooked into it with HSRP for redundancy. The firewall is the edge router, and the other two routers are hooked into two different switches, which are in a hybrid mesh setup.


If I use another router, like a 1921, let's say running OSPF, as the edge router instead of the firewall, everything works great.


How would I go about configuring the firewall as the edge router, with routing tables and all? You can use your own IP address scheme. I got as far as configuring the interfaces with IP addresses and security levels. Also, in this situation, since I only have two routers attached to two different switches running HSRP, one router isn't even being used to route traffic. The main router: should it only run NAT, or just statically configure the routes and leave it at that?


Thank you again.

2 Replies

Hello,


If you use the firewall as a routing device, make sure you have:


same-security-traffic permit inter-interface


configured. That's without knowing what the rest of your configuration looks like. Can you post the running config of the ASA?

Hello

Can you post a diagram of your proposed setup?

Also, having the ASA perform the L3 routing and inter-VLAN routing between any VLANs on the FW, if I remember, won't work by default.


To allow each VLAN to communicate with the others, you need to allow intra/inter-interface traffic and NAT between the VLANs.

Example:
! physical interface carrying the 802.1Q trunk to the switch
int x/x
security-level 100
no shut

! subinterface for VLAN 100
int x/x.100
nameif vlan100
security-level 100
vlan 100
ip address 192.168.100.1 255.255.255.0

! subinterface for VLAN 200
int x/x.200
nameif vlan200
security-level 100
vlan 200
ip address 192.168.200.1 255.255.255.0

! permit traffic between (and within) interfaces at the same security level
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

! identity NAT (pre-8.3 syntax) so the two VLANs reach each other untranslated
static (vlan100,vlan200) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan200,vlan100) 192.168.200.0 192.168.200.0 netmask 255.255.255.0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
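Pulling the thread together for the original question (ASA as edge with routing and NAT toward the HSRP router pair), here is an added, complete ASA configuration for that topology. It is not from either reply or from the poster; interface names, the HSRP VIP, the internal summary prefix and the 203.0.113.0/29 outside block are all assumed example values, and the NAT lines use the same pre-8.3 syntax as Paul's example.

```cisco
! --- ASA 5510 as edge router; all addresses are constructed examples ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Default route to the ISP next hop
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Internal networks live behind the two ISR 1921s. Point the route at the
! HSRP virtual IP (assumed 10.0.0.254) so failover between the routers
! needs no change on the ASA.
route inside 10.10.0.0 255.255.0.0 10.0.0.254 1
!
! Alternative to the static route above, if the 1921s already run OSPF:
! router ospf 1
!  network 10.0.0.0 255.255.255.0 area 0
!
! Dynamic PAT of everything inside to the outside interface address
! (pre-8.3 syntax, matching the static entries earlier in the thread)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! inside (100) -> outside (0) is allowed by default; inbound from outside
! is denied until an access-list is applied to the outside interface.
```

Only one 1921 forwards traffic at a time by design of HSRP, which is what the poster observed; the ASA only needs routes toward the VIP, not toward each physical router.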