Solved: ASA High Availability

Docklands · ‎05-03-2017

If two ASA5508-X are operating in Active-Standby HA mode and the internal interfaces are connected to two separate layer 3 distribution switches, what mechanism should run on the distrubtion switches to route traffic. Note, the two distribution layer switches are running HSRP for the stacked access layer 2 switches.

Thanks

Mike

Julio E. Moisa · ‎05-03-2017

Hi

I usually use HSRP between the firewalls and distribution switches, if the firewalls are not the gateway for the VLANs you can use static route between the firewall and distribution switches. As Reza mentioned you need a /29 subnet between them.

Let me share an example of the config that you need. It is a basic configuration.

DISTRIBUTION 1

conf t
vlan 777
int vlan 777
ip add 192.168.77.2 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 105

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

DISTRIBUTION 2

conf t
vlan 777
int vlan 777
ip add 192.168.77.3 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 100

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

PRIMARY FIREWALL

interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
no shut
ip address 192.168.77.4 255.255.255.248 standby 192.168.77.5

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.77.1 1

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Reza Sharifi · ‎05-03-2017

You are correct. It should be the internal interface.

HTH

View solution in original post

Reza Sharifi · ‎05-03-2017

Since the distribution switches are running layer-3, you just need a transit vlan (layer-3) between the distribution switches and the firewalls. Usually a /29 subnet would be sufficient.

HTH

Julio E. Moisa · ‎05-03-2017

Hi

I usually use HSRP between the firewalls and distribution switches, if the firewalls are not the gateway for the VLANs you can use static route between the firewall and distribution switches. As Reza mentioned you need a /29 subnet between them.

Let me share an example of the config that you need. It is a basic configuration.

DISTRIBUTION 1

conf t
vlan 777
int vlan 777
ip add 192.168.77.2 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 105

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

DISTRIBUTION 2

conf t
vlan 777
int vlan 777
ip add 192.168.77.3 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 100

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

PRIMARY FIREWALL

interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
no shut
ip address 192.168.77.4 255.255.255.248 standby 192.168.77.5

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.77.1 1

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Docklands · ‎05-03-2017

Hi Julio,

Thank you for the reply.

I'm not quite sure why the 192.168.77.4 and .5 addresses are attached to the OUTSIDE interfaces. I am connecting the distribution switches to the firewall INTERNAL interfaces?

Thanks

Mike

Ps. Sorry for the delay in replying but I just got home

Reza Sharifi · ‎05-03-2017

You are correct. It should be the internal interface.

HTH

Docklands · ‎05-03-2017

Thanks Reza

Julio E. Moisa · ‎05-03-2017

Lol you are right, it is just an example hehe but it can be inside or a name related.

Also you can use access mode port over the vlan 777 to connect to the firewalls

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<