01-25-2010 08:51 AM - edited 03-06-2019 09:26 AM
Hi All,
I have a common VLAN between both my ASAs via my core switch for stateful failover.
ASA inside interface:
IP address 192.168.10.1 255.255.255.0 standby 192.168.1.2
For example: VLAN10 192.168.10.0 255.255.255.0
I have created an L3 VLAN interface, 192.168.10.3 at core switch 1 and 192.168.10.4 at core switch 2, and a trunk link between the two switches for stateful failover among the ASAs.
I have 6 internal VLANs at the core, which will have a default route pointing to the inside interface of the active ASA. My question here is about the reverse route for the internal networks from the ASA to the core switches: whether I need to configure a reverse route for the internal networks from the ASA pointing to 192.168.10.3 and a weighted route to 192.168.10.4,
or else I need to run HSRP between the core switches and point the reverse route from the ASA towards the standby IP address of the core switches. If my core switch 1 fails, stateful failover will happen and switch to ASA 2; then the reverse route from ASA 2 will also be pointing to the HSRP standby IP address.
If I am wrong here, please correct me; I need your help.
01-25-2010 09:01 AM
Hi,
Yes, you are right: as the internal VLANs are in different subnets, you need to drop reverse routes for those subnets towards the switches. If you are configuring HSRP for traffic from the ASA towards the internal networks, then point them towards the VIP.
Hope this helps!!
Ganesh.H
01-25-2010 09:10 AM
I would think the HSRP VIP option is the best and only choice here:
With option 1 (routes to the physical IP addresses on VLAN 10), you will have two different routes on the two ASAs, and unless you are running active/active you will not have config sync between the ASAs. E.g., ASA 1 will have route inside x.x.x.x x.x.x.x 192.168.10.3 (say), and ASA B route inside x.x.x.x x.x.x.x 192.168.10.4, so the route configuration mismatches between the ASAs and the configurations aren't synchronised (which is an issue).
With option 2, you will have a single route pointing to the HSRP VIP on both ASAs: route inside x.x.x.x x.x.x.x 192.168.10.5 (VIP). This would make sure you have the configurations synced between the ASA firewalls. Just to note, even if you have VIPs configured, your physical path depends on which ASA is forwarding packets. For example, if ASA 1 goes down, incoming traffic hits ASA 2; your HSRP will still have core 1 as the primary, hence at layer 2 your ASA 2 will forward traffic to core 2, which in turn forwards traffic to core 1 over the trunk, and your data stream is forwarded.
Hope this helps. All the best,
Raj
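To make option 2 from Raj's reply concrete, here is an added configuration example (not posted by anyone in the thread) covering both core switches and the ASA pair. It assumes the ASA standby inside address is 192.168.10.2 (inside the VLAN10 subnet), an HSRP group 10 with VIP 192.168.10.5 as Raj suggests, a dedicated ASA failover link on GigabitEthernet0/3 with a hypothetical 10.255.255.0/30 addressing, and two hypothetical internal VLAN subnets (192.168.20.0/24 and 192.168.30.0/24) standing in for the six mentioned in the question. Interface names and priorities are placeholders.

```cisco
! --- Core switch 1 (HSRP active for VLAN10; example values, not from the thread) ---
interface Vlan10
 description Transit VLAN to ASA inside interfaces
 ip address 192.168.10.3 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.5
 standby 10 priority 110
 standby 10 preempt
!
! --- Core switch 2 (HSRP standby for VLAN10) ---
interface Vlan10
 description Transit VLAN to ASA inside interfaces
 ip address 192.168.10.4 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.5
 standby 10 priority 100
 standby 10 preempt
!
! Both core switches: default route for the internal VLANs towards the ASA inside
! address. 192.168.10.1 is the active ASA's inside IP and moves with failover, so
! a single next hop suffices on the switch side too.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! --- ASA primary unit (this configuration is replicated to the secondary by failover) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Dedicated failover/state link (assumed interface and addressing, not from the thread)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Option 2: one reverse route per internal subnet, next hop = HSRP VIP.
! Identical on both units, so the replicated configuration stays consistent.
route inside 192.168.20.0 255.255.255.0 192.168.10.5 1
route inside 192.168.30.0 255.255.255.0 192.168.10.5 1
!
! Option 1 from the thread, shown only for contrast (NOT recommended): a route to each
! physical SVI address with a higher metric on the second. The ASA keeps a static route
! installed even when its next hop stops answering, so the higher-metric route does not
! take over on a core switch failure unless the primary route is tied to an SLA track.
! route inside 192.168.20.0 255.255.255.0 192.168.10.3 1
! route inside 192.168.20.0 255.255.255.0 192.168.10.4 2
```

After applying this, `show standby brief` on each core switch should show one Active and one Standby for group 10 with 192.168.10.5 as the virtual IP, `show failover state` on the ASA should show the primary Active and the secondary Standby Ready, and `show route` on both ASAs should list the internal prefixes via 192.168.10.5 only. Because the reverse routes are identical on both units, a failover to ASA 2 changes nothing in the routing table; as Raj notes, only the layer 2 path to whichever core currently holds the VIP changes.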