How to configure L2 logical connections between Cisco 3750x and ASA 5525x

blue phoenix
Level 1

Hi all,
My client has a Sonic Wall Firewall and I need to replace it with an ASA with Failover design.

Kicker:
The 3750x is doing the inter-VLAN routing currently and has a default route (ip route 0.0.0.0 0.0.0.0) going to the Sonic Wall
They have a proxy-server so, my assumption is that there is a return route to the proxy-server and the next hop is the 3750x.  The only IP that is NAT'd is the proxy-server IP...

WHAT I AM GOING TO DO:

I will use 8 interfaces on the 3750x and JUST USE 1 port-channel5; Connecting 4 interfaces to ACTIVE ASA, and 4 interfaces to SECONDARY ASA.

! PORT-CHANNEL CONFIGURATION ON THE 3750 WILL BE:
int range g1/0/2-5
 description TO ACTIVE ASA
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan x,y,z
 channel-group 5 mode active

interface range g2/0/2-5
 description to SECONDARY ASA
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan x,y,z
 channel-group 5 mode active

interface Vlan600
 description TO ACTIVE AND SECONDARY ASA CONNECTION
 ip address 10.136.255.233 255.255.255.248
 standby 1 ip 10.136.255.235
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string 7 aaa
 standby 1 track 1 decrement 30

track 1 interface port-channel 5 line-protocol

! IS THIS THE CORRECT NEXT HOP???
ip route 0.0.0.0 0.0.0.0 10.136.255.236

================================================

! PORT CHANNEL CONFIGURATION ON ASA WILL BE:
interface range Gi0/1-4
 speed 1000
 duplex full
 channel-group 5 mode active
 lacp port-priority 32768
 no  flowcontrol send on
 no nameif
 no security-level
 no ip address

port-channel 5.600
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 600
 ip address 10.136.255.236 255.255.255.248 standby 10.136.255.237
 description Runcorn Comms
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

Question 1:
Is this the right design implementation, or is there a better way? If there is, kindly point me to a document, since all the Cisco documents seem to be isolated to hardware, with no integration design for several platforms....
Do I need to use port-channel5 to connect to the ACTIVE ASA and port-channel6 to the SECONDARY ASA? In the Cisco document, it says to use 2 different port channels connecting to a switch that is in VSS mode. My 3750 is just stacked... it is just 1 switch with one IP address for management, no virtual switch. So does that mean I can use only 1 port-channel5? No need to create a port-channel 6?

Question 2:
In HSRP, you have 2 physical interfaces on the 2 devices and 1 virtual IP and a virtual mac-address, that way when the primary router dies, users will not feel it since it is pointing to a virtual IP and mac-address.  In the 3750, when I create a default route going to the ASA, do I just use the IP of the ACTIVE ASA?  Do I need to configure a virtual mac-address and can someone point me to a simple doc that will do that?

Please let me know if you need more details and I will try to provide.


Thanks,

18 Replies

Question 1:
You have to configure two port-channels, one for each ASA. With only one channel, traffic would flow also to the standby ASA which couldn't handle that traffic.

Question 2:
ASA failover works completely differently than HSRP. The IP and MAC that are used on the active ASA are used for the communication with the rest of the network. In the event of a failover, the addresses are swapped between the active and standby ASA. Your connected devices still use the same IP as the default gateway and nothing changes in the ARP caches. Only the MAC address has to be learned on a different port. For that, the ASA sends a gratuitous ARP to the neighbors.

@Karsten Iwen

If I configure 2 port-channels, I need another subnet which means I need to ask the client to give me one.

Does that mean I will have 2 static routes?

1 pointing to port-channel5

1 pointing to port-channel6

 

Please clarify... and thanks for the quick response.

 

No, you don't need an additional subnet. Both channels *have to* share the same subnet for failover to work.

The network-design is completely independent of the fact that you want to use a channel. Normally you have one link from the primary ASA to your switch and one link from the secondary ASA. Now you just replace the single link with a channel.

@Karsten Iwen

I am a little bit confused on the setup you are recommending...
2 port-channels but only 1 IP subnet on the 3750x?  I configured an IP subnet since it needs to communicate with the ASA on the same subnet.  The port-channels are trunk links on the 3750x side as you can see in the configs.

Could you please help to clarify by sending sample configs?

You need one IP subnet per logical firewall interface. If all your internal VLANs are terminated at the core, then you only have a single transfer network as in your config, but with two channels. You would only allow your vlan 600. Just be aware that your port-channel is a layer 2 interface and doesn't have an IP-subnet by itself.

Now let's assume you want to terminate your guest-vlan (999) at the firewall.

You just add the vlan 999 to the allowed vlan-list and configure an additional subinterface on your ASA.

ok, so all my internal vlans are in the 3750x
! SWITCH CONFIG
I will create L2 port-channels 5 and 6 connecting to ASA-STANDBY and ASA-ACTIVE respectively and they are trunk dot1q.
! I will only allow vlans that are in the 3750x?
I will have SVI for vlan600 which is the FW interconnect from the 3750x to the ASAs, I will allow also vlan600 in the trunk
! FIREWALL CONFIG
I will configure interface portchannel 5.600
I will configure an ip address the same subnet as the SVI for vlan600 in the 3750x switch
! WHAT WILL HAPPEN TO portchannel6? WHAT IS IT'S IP ADDRESS?

 

> ! I will only allow vlans that are in the 3750x?

The trunk only needs the transfer-vlan 600 because all other vlans are routed on the 3750.

> ! WHAT WILL HAPPEN TO portchannel6? WHAT IS IT'S IP ADDRESS?

On the 3750 you have two port-channels. On the ASA, there is only one channel configured that is used on both the active and the standby ASA.

So just to confirm if I got you right.
!SWITCH CONFIG
interface range Gi1/0/2-5
 description to ASA-STANDBY
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 2,3,52,200,600
 channel-group 5 mode active

interface range Gi2/0/2-5
 description to ASA-PRIMARY
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 2,3,52,200,600
 channel-group 6 mode active

interface Vlan600
 description FW_interconnect
 ip address 10.136.255.233 255.255.255.248
 standby 1 ip 10.136.255.235
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string 7 ASA
 standby 1 track 1 decrement 30

track 1 interface port-channel 5 line-protocol

ip route 0.0.0.0 0.0.0.0 10.136.255.236

!FIREWALL CONFIG
Port-channel 5.2
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 2
 ip address 10.0.5.1 255.255.255.0 standby 10.0.50.2
 description LAN1
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

Port-channel 5.3
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 3
 ip address 3.0.0.157 255.0.0.0 standby 3.0.0.158
 description Legacy LAN2
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

Port-channel 5.52
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 52
 ip address 10.0.52.1 255.255.255.0 standby 10.0.52.2
 description LAN3
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

port-channel 5.200
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 200
 ip address 10.136.1.254 255.255.255.0 standby 10.136.1.253
 description LAN4
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

port-channel 5.600
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 600
 ip address 10.136.255.236 255.255.255.248 standby 10.136.255.237
 description FIREWALL INTERCONNECT
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

interface range Gi0/1-4
 speed 1000
 duplex full
 channel-group 5 mode active
 lacp port-priority 32768
 no  flowcontrol send on
 no nameif
 no security-level
 no ip address

ip route LAN1 255.255.255.0 10.136.255.235
ip route LAN2 255.255.255.0 10.136.255.235
ip route LAN3 255.255.255.0 10.136.255.235
ip route LAN4 255.255.255.0 10.136.255.235
ip route 0.0.0.0 0.0.0.0 [PUBLIC IP TO INTERNET ROUTER]

On your original post you mention that the 3750 is doing the vlan-routing. Now you have your VLANs on the ASA (and additionally routes to the 3750) ... What do you really want?

And there are no "nameif" commands on your subinterfaces which are needed.
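As an added example (not from the thread or either poster), a small Python lint over an ASA subinterface excerpt for the points raised here: every subinterface needs a nameif, the standby address must sit in the primary address's subnet, and the switch's default route must point at an address the active ASA actually holds. The excerpt is constructed to match the shape of the posted config, not copied from it; the function names are mine.

```python
import ipaddress
import re
# Constructed excerpt shaped like the ASA subinterfaces in this thread (not the
# posted config): one block lacks nameif, one standby address is off-subnet.
ASA_CONFIG = """
interface Port-channel5.2
 ip address 10.0.5.1 255.255.255.0 standby 10.0.50.2
interface Port-channel5.52
 nameif LAN3
 ip address 10.0.52.1 255.255.255.0 standby 10.0.52.2
interface Port-channel5.600
 nameif FW-INTERCONNECT
 ip address 10.136.255.236 255.255.255.248 standby 10.136.255.237
"""

def parse_subinterfaces(text):
    """Map interface name -> dict with nameif / ip / mask / standby when present."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            current["nameif"] = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)(?: standby (\S+))?", line)
        if m:
            current["ip"], current["mask"], current["standby"] = m.groups()
    return blocks

def lint_failover_config(text, switch_default_gw):
    """Return findings that would break an active/standby pair or the switch's route to it."""
    findings, active_ips = [], set()
    for name, cfg in parse_subinterfaces(text).items():
        if "nameif" not in cfg:
            findings.append(f"{name}: missing nameif, the ASA will not pass traffic on it")
        if "ip" not in cfg:
            continue
        net = ipaddress.ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
        active_ips.add(cfg["ip"])  # the switch's next hop must be one of these
        if (sb := cfg.get("standby")) is None:
            findings.append(f"{name}: no standby address, failover has nothing to take over")
        elif ipaddress.ip_address(sb) not in net:
            findings.append(f"{name}: standby {sb} is outside {net}")
    if switch_default_gw not in active_ips:
        findings.append(f"switch default route {switch_default_gw} is not an ASA active IP")
    return findings
```

Feed it the real running config of the subinterfaces and the 3750's default-route next hop; an empty list means the three checks pass.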

Sorry for that confusion. Initially the interVLAN routing is on the 3750x for the internal vlans. The Sonic Wall Firewall is the default route going to the internet, and on the Sonic Wall I believe that there is a route going to the proxy-server with the 3750x as the next hop. (Sorry, but I am just assuming the routing since I am not really an expert on the Sonic Wall firewall. But I believe that there is a default route to the Sonic Wall if ever there are no routes.)

In replacing the Sonic Wall firewall, the client required for the 2 ASA's to do the interVLAN routing and pose as gateways for the internal LANS, and also for the DMZ's for the future.

Now the 2 ASA's will have connections to the 3750x.

Please let me know what else is not clear so I can clarify.


* I have added the nameifs on the subifs


So just to confirm if I got you right.
!SWITCH CONFIG
interface range Gi1/0/2-5
 description to ASA-STANDBY
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 2,3,52,200,600
 channel-group 5 mode active

interface range Gi2/0/2-5
 description to ASA-PRIMARY
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 2,3,52,200,600
 channel-group 6 mode active

interface Vlan600
 description FW_interconnect
 ip address 10.136.255.233 255.255.255.248
 standby 1 ip 10.136.255.235
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string 7 ASA
 standby 1 track 1 decrement 30

track 1 interface port-channel 5 line-protocol

ip route 0.0.0.0 0.0.0.0 10.136.255.236

!FIREWALL CONFIG
Port-channel 5.2
 nameif LAN1
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 2
 ip address 10.0.5.1 255.255.255.0 standby 10.0.50.2
 description LAN1
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

Port-channel 5.3
 nameif LAN2
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 3
 ip address 3.0.0.157 255.0.0.0 standby 3.0.0.158
 description Legacy LAN2
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

Port-channel 5.52
 nameif LAN3
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 52
 ip address 10.0.52.1 255.255.255.0 standby 10.0.52.2
 description LAN3
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

port-channel 5.200
 nameif LAN4
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 200
 ip address 10.136.1.254 255.255.255.0 standby 10.136.1.253
 description LAN4
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

port-channel 5.600
 nameif FW-INTERCONNECT
 lacp max-bundle 8
 port-channel min-bundle 1
 no port-channel span-cluster
 vlan 600
 ip address 10.136.255.236 255.255.255.248 standby 10.136.255.237
 description FIREWALL INTERCONNECT
 security-level 100
 speed 1000
 duplex full
 port load-balance src-dst-ip

interface range Gi0/1-4
 speed 1000
 duplex full
 channel-group 5 mode active
 lacp port-priority 32768
 no  flowcontrol send on
 no nameif
 no security-level
 no ip address

ip route LAN1 255.255.255.0 10.136.255.235
ip route LAN2 255.255.255.0 10.136.255.235
ip route LAN3 255.255.255.0 10.136.255.235
ip route LAN4 255.255.255.0 10.136.255.235
ip route 0.0.0.0 0.0.0.0 [PUBLIC IP TO INTERNET ROUTER]

Ok, if the ASA does the internal routing, then you don't need any static routes for the LANs that are terminated on the ASA.

And if all VLANs are terminated on the ASA, then you probably don't need the FW-Interconnect subinterface on the ASA and the VLAN on the 3750. You only need it if you want to separate the management of the 3750.

So other than the description on port-channel5.600 (I can make this MANAGEMENT), the configs I posted are spot on and no changes should be made?

!SUMMARY
!SWITCH CONFIGURATION
have 2 port-channels, port-channel5 to the standby, port-channel6 to the active
ip route 0.0.0.0 0.0.0.0 10.136.255.236 -> active ip of firewall
no need to use SVI 600 3750x?

!FIREWALL CONFIGS
have port-channel5 only
port-channel5.x on all internal vlans including vlan 600 if will be used for another service

Please let me know so I can shake your hand and probably buy you a beer if you are in UK...

> ip route 0.0.0.0 0.0.0.0 10.136.255.236 -> active ip of firewall
> no need to use SVI 600 3750x?

Without vlan 600, the switch needs a management-ip from one of the other vlans. The default-route will point to the ASA in the vlan where the management-IP will be.

> Please let me know so I can shake your hand and probably buy you a beer if you are in UK...

No trip to UK planned for the moment, but I'll remind you about the beer if I travel there ... ;-)

Ok, so my default route is not one of the subnets I have defined... it's the management IP subnet for all the network devices, is that it? (It exists already and it's vlan1000.)
interface Management0/0
 speed auto
 duplex auto
 no  flowcontrol send on
 management-only
 nameif management
 security-level 100
 ip address 10.136.253.11 255.255.255.0 standby 10.136.253.12
 delay 1

so:
ip route 0.0.0.0 0.0.0.0 10.136.253.11
is this correct?
