Redundant ASA with two Switches

ahmad82pkn · ‎11-13-2012

Hi, i am working on some high availibility design for my campus network. i need little help.

Currently my 6509 is connected with 2xASA(Active/Standby) that connect with a single outside switches(poitn of failure) and then internet router(point of failure).

we got another interner router with another ISP and did BGP multihomed and connected it with second outside switch and configured HSRP on it.

Now my question is can i connect Primary ASA outside interface with first outside switch and connect secondary ASA outside interface with second outside switch? ( is it that simple? ) all i want is in case primary outside switch go down, traffic move to second outside switch and then out to internet via second router.

Attached is diagram for more explanation

Reza Sharifi · ‎11-13-2012

Hi,

It should work fine. You need to run HSRP or VRRP with a /28 or 29 between the 2 outside switches and the firewalls. You also need a connection between the firewalls to be used as the active/stand-by heard beat.

HTH

ahmad82pkn · ‎11-14-2012

Hello Reza,

Yes both Firewall already configured and connected via LAN base failover cable.

Outside switches are Layer 2, but i am planning to run HSRP on routers.

so with above clarification and my original question and my proposed diagram, i should be fine right?

more cautions since change is in main data center so want to avoid any downtime, though its been lucky for running since longs without hardware failure.