Hello Reza,,

Mlachake · ‎03-29-2017

Hi all,

I currently have one active ASA and one ISP. Recently, we acquired a second ISP and ASA for failover. One ASA will be active and the other standby. The second circuit (ISP) will also be standby. In addition, we acquired two-3750 stack switches to necessitate the failover configuration (more ports). The 3750 will sit between the ISP routers and ASA.

I have not had a chance to configure this scenario before. I have worked on the ASA and would like any ideas and suggestions on how to configure the 3750 stack to achieve the failover goal. I will also need to set up a WAF that is currently set on the DMZ of the ASA on the stack as well so that the outside traffic will hit the WAF before it is allowed to the DMZ zone.

Any ideas and suggestions will be appreciated.

+----------+ +----------+

| R1 ISP1 | | R2 ISP2 |

+----------X X----------+

X X

X----------------X

| 3750 |

+----------------+

| 3750 |

X----------------X

X X

+---------X X-----------+

| ASA1 | | ASA2 |

+---------+ +-----------+

Sam.

Reza Sharifi · ‎03-29-2017

Hi Sam,

The stack of the 3750s just need a layer-2 vlan to span all 4 connections (2 from the ISPs and 2 from the firewalls). You also need a connection between isp1 and isp2 and run HSRP towards inside the network.

HTH

Mlachake · ‎03-30-2017

Hi Reza,

Thank you for the prompt response to my concern. When you say " a layer-2 Vlan" do you mean just one vlan or two vlans; one for each ISP-switch-ASA? Do I have to set HSRP on the switches if failover will be set on the ASA (one active and the other standby)?. Try to clarifying if the switch needs to be aware of the state of connection or this will be handled by the ASA.

Thank you.

Sam.

Reza Sharifi · ‎03-30-2017

Hi Sam,

When you say " a layer-2 Vlan" do you mean just one vlan or two vlans; one for each ISP-switch-ASA?

No, you just need one vlan on the switch. This vlan will have all 4 ports (2 from the ISPs and 2 from the firewalls) in it.

Do I have to set HSRP on the switches if failover will be set on the ASA (one active and the other standby)?

You need HSRP between r1-ISP1 and r2-ISP2. So, lets say that you want the left side of your diagram which includes r1-ISP1 and ASA1 to be the primary and right side as stand-by.

You configure HSRP on r1-ISP1 with higher priority (110), so it is the active HSRP and you keep the opposite side as default priority (100) so, it stays as stand-by.

The same way with the firewalls, keep the left side as primary in your cluster and the right side as backup. Once you set it all up you would need to do some testing and tuning in a maintenance window to make sure fail-over works correctly.

HTH

Mlachake · ‎03-30-2017

Hello Reza,,

Thank you so much for clarification regarding vlan configuration. I will go a head and configure the switches as such you have recommended and give it a test. I will provide an update how it goes...probably early next week.

Thank you for your time and assistance.

Sam.

Configuring 3750 Stack to support Dual ISP/Dual ASA 5525 Failover