Solved: Router to ASA connection Question

Ed Willson · ‎11-07-2012

Hello - I have a question about connecting our ASA to the external router.

Currently the external router's G0/0 is connected to a switch, and the ASA's (active/standby) outside interfaces are plugged into the same switch. So I have a switch that we're only using 3 ports on, and is a single point of failure.

What I'd like to do is connect the router's G0/0 to the active ASA's outside interface and connect the G0/1 to the standby ASA's outside interface. This would eliminate the switch...

Is this possible?

Thanks,

Ed

Karsten Iwen · ‎11-07-2012

That should be possible by combining both physical interfaces of the router into one bridge-group. But that's not very elegant. What about using a HWIC-Switch-module in the router and connect the ASAs there?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎11-07-2012

That should be possible by combining both physical interfaces of the router into one bridge-group. But that's not very elegant. What about using a HWIC-Switch-module in the router and connect the ASAs there?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

John Blakley · ‎11-07-2012

Karsten,

That's a good solution..

John

HTH, John *** Please rate all useful posts ***

Ed Willson · ‎11-07-2012

Karsten,

If I could sell an add-in card I would. We're replacing the router next year too. It's the 12 year old switch I'm worried about.

As far as setting up a bridge-group goes would it be something like this?:

interface G0/0

no ip address

no ip proxy-arp

bridge-group 1

!

interface G0/1

no ip address

no ip proxy-arp

bridge-group 1

!

bridge 1 protocol ieee

bridge 1 route ip

!

interface BVI 1

ip address 10.10.10.1 255.255.255.0

Thanks,

Ed

John Blakley · ‎11-08-2012

That would work Ed...

HTH,

John

HTH, John *** Please rate all useful posts ***

ALIAOF_ · ‎11-07-2012

You guys don't have any other switches, what are you using as your core switches?

Karsten Iwen · ‎11-10-2012

A dedicated switch would be fine, but the outside interface should never share a physical switch with the core. If that switch had a malfunction, you have the possibility to bypass the firewall with that switch.

Ed Willson · ‎11-09-2012

I was able to lab it up with a couple old PIXs and everything worked fine. I was able to find a couple refurbished EtherSwitch modules that fit the 2821 for super cheap, so I've got them on order.

Instictually I like the idea of having the switch modules in the router. But I'm wondering why you think the bridged interface is a bit kludgey as it eliminates un-needed hardware?

Thanks,

Ed

Karsten Iwen · ‎11-10-2012

> Instictually I like the idea of having the switch modules in the router. But I'm wondering why you think the bridged interface is a bit kludgey as it eliminates un-needed hardware?

Bridging is not the native function of a router. And at least on older platforms it was quite slow. I'm not aware if anything changed on newer platforms or newer IOS, but I wouldn't expect that. Better do some performance-tests after implementing that.

Sent from Cisco Technical Support iPad App