Single Internet link split between failover 5525 firewalls

kerryjcox
Level 1

Greetings,

I was finally able to get a secondary ASA 5525X firewall into my colocation facility. I have a single uplink to the Internet (colocation port on patch panel) from Gi0/0 on my primary 5525X. I have a /26 block of IP addresses, so I can easily allocate another IP on the 2nd firewall, but the uplink is restricted to a single patch port.

I figure I can drop this patch panel link into my C3750X switch, split it out between the two 5525X firewalls, and then set up Active/Standby Failover.

I am wondering what the best way is to configure the three ports on my C3750X (one for the connection to the uplinked patch panel, and two to the two firewalls). I am assuming I can simply place these three ports in their own VLAN and they should be good?

Am I missing anything?

Thanks in advance.

Kerry


Reza Sharifi
Hall of Fame

Hi Kerry,

Your scenario should work fine.

You can connect the provider's patch to one of the ports on the 3750, connect the firewalls to two other ports on the 3750, and put all three ports in the same layer-2 VLAN (access ports). This will give you firewall redundancy, but you still have a single point of failure on the link to your provider.

HTH


Just one addition to think about: if you only had one firewall and one Internet uplink before, then I assume that the Internet link was connected back-to-back and the 3750X is also your internal switch? Using the same device as the inside and outside device is a bad security practice. In a worst-case scenario, this one switch can bridge around your firewall and remove this security control completely.
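As an added example that is not part of the thread, here is one way to configure the three 3750X ports the way Reza describes while keeping the provider segment isolated from the inside network, as the follow-up warns. The port numbers, VLAN id 900, VLAN name and the inside trunk port are assumptions.

```cisco
! Added example (not from the original thread). Assumed: Gi1/0/1 to the colo
! patch panel, Gi1/0/2-3 to the two ASA 5525-X outside interfaces, Gi1/0/48
! as the only trunk toward the inside network, VLAN 900 as the outside VLAN.
!
! A dedicated layer-2 VLAN used only for the provider-facing segment.
vlan 900
 name OUTSIDE-PROVIDER
!
! Port to the colocation patch panel (the single provider uplink).
interface GigabitEthernet1/0/1
 description Provider uplink (colo patch panel)
 switchport mode access
 switchport access vlan 900
!
! Ports to Gi0/0 on the primary and secondary ASA (Active/Standby pair).
interface GigabitEthernet1/0/2
 description ASA-primary Gi0/0 (outside)
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description ASA-secondary Gi0/0 (outside)
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
! Keep VLAN 900 off the trunk toward the inside network so the outside
! segment can never be bridged past the firewalls by a trunk or a mis-tagged
! port. Also make sure the switch has no SVI in this VLAN, so the switch
! itself has no layer-3 presence on the provider side.
interface GigabitEthernet1/0/48
 description Trunk to inside switches
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 900
!
no interface Vlan900
```

To confirm the isolation, check that `show vlan id 900` lists only Gi1/0/1-3 and that `show interfaces trunk` does not include 900 in any allowed-VLAN list.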
