vlans hsrp asa

jeffrey_craig1
Level 1

People, I need your help.

My network currently has a router connecting to the WAN, and it is then connected to a Cisco ASA 5515-X; however, the outside address is on the ASA interface connected to the router.

My plan is to remove the router and replace it with 2 cisco routers configured with HSRP.

I also have 7 VLANs running through my LAN, so all the VLAN gateways are on the routers to route between VLANs, also with HSRP. How can I do this with the public address being before the routers?

How do I get through the firewall and use router interfaces as gateways with the constant protection of the ASA?

46 Replies

You are making sense, and no problem with the patience :-), but this is the bit I am trying to explain.

If we set it up with one firewall it may very well not work with two firewalls, because it's not clear how you see that working, i.e. load balancing between circuits may well mean your firewalls act as standalone or use contexts, but you won't be able to run them as a pair with one active and one standby.

So if you are happy to accept you may need a redesign I can tell you how to get it working with one firewall.

If that is okay then can you confirm VLAN 80 is going to be used for connectivity between your routers and the firewall?

Jon

Yes mate, just for now keep it to that, cheers.

VLAN 80, firewall and router. I have made VLAN 80 in the firewall and put the inside interface in VLAN 80 with address 192.168.80.1/24. Where else do I make this VLAN, just on the switch between router and firewall? The rest of the switches with VLANs have VTP running.

You need to put the router interfaces that face the firewall into vlan 80 as well.

Then setup HSRP on those router interfaces.

Add a default route to the routers pointing to the vlan 80 interface IP on the firewall.

On the ASA add routes for the internal subnets pointing to the HSRP VIP for vlan 80 on the routers.

Also the firewall needs a default route to the ISP.

Jon

On the ASA add routes for the internal subnets pointing to the HSRP VIP for vlan 80 on the routers.???????????? ^^^^^^

I have put all interfaces in VLAN 80; the 2 router interfaces facing the ASA (Gig0/1) are configured with IPs 192.168.80.1 and .2.

I have configured HSRP on these interfaces with VIP 192.168.80.10/24, and the ASA inside interface is 192.168.80.3/24.

So all IPs are:

Active router  - 192.168.80.1
Standby router - 192.168.80.2
ASA inside     - 192.168.80.3
HSRP VIP       - 192.168.80.10

I have then configured routes on the ASA for internal subnets with the VIP:

route inside 192.168.1.0 255.255.255.0 192.168.1.10 1 (VLAN 1)
route inside 192.168.10.0 255.255.255.0 192.168.10.10 1 (VLAN 10)
route inside 192.168.20.0 255.255.255.0 192.168.20.10 1 (VLAN 20)
route inside 192.168.30.0 255.255.255.0 192.168.30.10 1 (VLAN 30)
route inside 192.168.40.0 255.255.255.0 192.168.40.10 1 (VLAN 40)
route inside 192.168.50.0 255.255.255.0 192.168.50.10 1 (VLAN 50)
route inside 192.168.60.0 255.255.255.0 192.168.60.10 1 (VLAN 60)
route inside 192.168.70.0 255.255.255.0 192.168.70.10 1 (VLAN 70)
route inside 192.168.80.0 255.255.255.0 192.168.80.10 1 (VLAN 80) For ASA

I configured a default route on the active router.

S* 0.0.0.0/0 [1/0] via 192.168.80.3

I am still unable to ping the ASA. I can ping the Gig0/1 interfaces on each router from the internal network, but nothing after. I know the problem is obviously in the routing, but I am confused how to route it.

Hope this can help you help me!

P.S. just to show you HSRP.

Interface  Grp  Pri  P  State   Active  Standby        Virtual IP
Gig0/0     1    110  P  Active  local   192.168.1.2    192.168.1.10
Gig0/1     80   110  P  Active  local   192.168.80.2   192.168.80.10
           10   110  P  Active  local   192.168.10.2   192.168.10.10
           20   110  P  Active  local   192.168.20.2   192.168.20.10
           30   110  P  Active  local   192.168.30.2   192.168.30.10
           40   110  P  Active  local   192.168.40.2   192.168.40.10
           50   110  P  Active  local   192.168.50.2   192.168.50.10
           60   110  P  Active  local   192.168.60.2   192.168.60.10
           70   110  P  Active  local   192.168.70.2   192.168.70.10

Hello Jon, I have sorted the issue. I can now ping 192.168.80.3, which is the inside interface for the ASA. For some reason the inside int Eth0/0 on the ASA had moved into VLAN 2 without me realising, god knows why.

Once I had sorted the issue I took out the route between the router and the firewall and I am still able to ping??

Thanks

Your routes on the ASA are wrong.

You are telling the ASA the next hop IP to get to the subnets so all routes should have 192.168.80.10 as the next hop IP.

Jon
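The VLAN 80 setup Jon described a few posts up (routers in VLAN 80 with HSRP, router default route to the ASA, ASA routes to the VIP, ASA default to the ISP), with the posted ASA routes corrected as per the reply above. This is an added example, not configuration from the thread; it assumes the ASA interfaces are named inside and outside, the router interface names from the HSRP output, and a placeholder ISP gateway.

```cisco
! Router 1 (HSRP active). Router 2 is the same apart from 192.168.80.2 and priority 100.
interface GigabitEthernet0/1
 description VLAN 80 - towards ASA inside
 ip address 192.168.80.1 255.255.255.0
 standby 80 ip 192.168.80.10
 standby 80 priority 110
 standby 80 preempt
!
! Both routers: default route to the ASA inside interface (its real IP, not a VIP)
ip route 0.0.0.0 0.0.0.0 192.168.80.3
!
! ASA: internal subnets via the VLAN 80 HSRP VIP, which whichever router is active answers for.
! Wrong (as posted): the next hop sits inside the destination subnet, not on the inside link
!   route inside 192.168.1.0 255.255.255.0 192.168.1.10 1
! Right: the next hop is the VIP on the directly connected inside subnet
route inside 192.168.1.0 255.255.255.0 192.168.80.10 1
route inside 192.168.10.0 255.255.255.0 192.168.80.10 1
route inside 192.168.20.0 255.255.255.0 192.168.80.10 1
route inside 192.168.30.0 255.255.255.0 192.168.80.10 1
route inside 192.168.40.0 255.255.255.0 192.168.80.10 1
route inside 192.168.50.0 255.255.255.0 192.168.80.10 1
route inside 192.168.60.0 255.255.255.0 192.168.80.10 1
route inside 192.168.70.0 255.255.255.0 192.168.80.10 1
! 192.168.80.0/24 needs no static route: it is directly connected to the inside interface
!
! ASA: default route to the ISP (ISP_GATEWAY_IP is a placeholder for the provider's gateway)
route outside 0.0.0.0 0.0.0.0 ISP_GATEWAY_IP 1
!
! Checks: "show route" on the ASA; "show standby brief" and "show ip route" on the routers
```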

Thanks for that, everything is in order.

OK, so moving to 2 firewalls, what are the complications and what changes are likely to be needed?

Are the firewalls going to be a pair or is each firewall going to be standalone?

If each firewall has its own connection and you want to use both, then if they are a pair they are going to have to be both active and you use contexts.

If standalone then it is not an issue.

What you have at the moment is not complete because there is no proper failover, i.e. if the LAN interface of the active router fails the WAN interface (facing the firewall) does not go down, so the return traffic is sent to the router with the failed LAN interface.

Similarly, if the WAN interface to the firewall fails then the clients still send to that router because the LAN interface is up.

With L3 switches this is easy to fix, but with routers you are going to need HSRP tracking so that if one side fails HSRP switches over on the other side.

I used HSRP because I assumed your firewalls would act as a pair.

If not then routing may be a better solution.

This is only an issue because you are using routers not L3 switches.

So how do you see the firewalls working in terms of internet connectivity?

Jon
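The HSRP tracking Jon is describing, written out for both sides of router 1 as an added example (not configuration posted in the thread). It assumes router 2 runs the default priority 100 with preempt, that 192.168.1.1 is router 1's VLAN 1 address, and the interface names from the HSRP output above.

```cisco
! Router 1 (active). Router 2 is identical apart from its own addresses and priority 100.
! Both routers keep "preempt" so the higher priority always takes the group back.
track 1 interface GigabitEthernet0/0 line-protocol
track 80 interface GigabitEthernet0/1 line-protocol
!
! LAN side (VLAN 1): if the firewall-facing link (Gig0/1) drops, lose 20 priority here
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 80 decrement 20
!
! Firewall side (VLAN 80): if the LAN link (Gig0/0) drops, lose 20 priority here
interface GigabitEthernet0/1
 ip address 192.168.80.1 255.255.255.0
 standby 80 ip 192.168.80.10
 standby 80 priority 110
 standby 80 preempt
 standby 80 track 1 decrement 20
!
! Groups 10-70 on the other VLAN interfaces each get "standby <grp> track 80 decrement 20"
! so a Gig0/1 failure moves every client gateway to router 2 at the same time.
! 110 - 20 = 90 is below router 2's 100, so router 2 becomes Active on both sides;
! check with "show standby brief" (Pri 90 on router 1) and "show track".
```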

Yes, I am happy with HSRP tracking mate. We have HSRP running on both sides of the routers now, so if I track from both ends that should solve the first issue you spoke about?

What do you advise with the firewalls? I was planning on using them as a pair.

The plan at the moment is to use active telecom ISP with one line Virgin and one SKY, so there will be 2 separate IPs?

What's the best thing to do, looking at the topology, to better the business?

Cheers Jon, you are basically paying my wage here lol.

Good to hear about the tracking.

In terms of the firewalls, are both lines going to be active or is one line going to be active and the other backup?

The issue is, if each firewall is responsible for its own line then if you want to use both lines you can't have them as an active/standby pair.

You could run them as active/active but that is not what it sounds like, i.e. you have two contexts (virtual firewalls) on each and each virtual firewall has an active/standby setup.

You can cluster firewalls so they literally act as one but I have never done that and don't know whether your firewalls support that.

In terms of public addressing are you hosting any services or is it just outbound internet for clients?

If you can explain exactly how you want to use the circuits it will help decide what you can and can't do.

Jon

Right OK mate, we are not hosting any services at the moment, just internet access.

I was hoping to use both lines to load balance the traffic and use the secondary firewall for redundancy.

OR just use 1 line and 1 firewall as pure failover.

It's complicated :-)

You can just use one firewall and the other for failover, but it's a question of how you connect to the outside ISP connections.

There are a number of alternatives:

1) Have each firewall standalone, connected to one of the ISPs, and have two default routes on your routers, one pointing to each firewall.

You would need to track the default routes from your routers, and the challenge is to make sure you are using the right firewall to track the right default, i.e. you must make sure you are not tracking a default that could be routed via the wrong firewall.

Then your routers could simply alternate between the two.

This should work because you are doing NAT on your firewalls so the return traffic should come back to the correct firewall.

It's not a design I have ever used and for some reason it doesn't feel quite right but I can't quite say why because it should work.

2) Have your firewalls as a pair, but here things get tricky.

An ASA cannot use multiple default routes out of two different interfaces but it can use multiple defaults out of the same interface.

With ASA 9.4 you can do PBR to force certain traffic out of another interface so you could choose which client traffic used which ISP.

However, if you did not want to use PBR or it is not available then you are probably going to hate me for this, but the alternative is to have the ISPs connecting to your routers and then the firewalls are an active/standby pair.

The firewalls then have two default routes pointing out of the same interface to the two different routers.

The clients would then route off the firewalls so the routers are outside.

The issue here is your public addressing, i.e. if you have only been allocated an IP for your end you would have to use that on the outside interfaces of your routers, i.e. the interfaces connecting to the ISP.

In which case the routers have to do the NAT not the firewalls which I am not a huge fan of especially if you end up doing any type of VPN.

So it depends on your public addressing but with this way the firewalls are actually acting as a redundant pair.

Sorry to overload you with details, but with multiple ISPs it can be tricky.

And if you end up hosting services it can be a lot trickier if you need redundancy for those as well, but I'm not going to go into that at the moment.

Jon

Re option 1)

It would make more sense to have each firewall track its own default route and then use a routing protocol (EIGRP for example) between each firewall and the routers.

Each firewall redistributes a static default route into EIGRP for the routers.

If the default becomes unavailable then the firewall stops advertising the default to the routers.

Jon
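The revised option 1 above (each standalone firewall tracks its own default and only advertises it to the routers via EIGRP while the circuit is up), written out as an added example that is not configuration from the thread. It assumes the inside/outside interface names, EIGRP AS 100, an ICMP probe for reachability, and placeholder addresses for the ISP gateway and probe target.

```cisco
! Firewall A (standalone, on ISP 1). Firewall B is the same with its own ISP gateway.
! Probe something beyond the ISP gateway so a dead circuit, not just a dead link, is detected.
! PROBE_TARGET_IP and ISP1_GATEWAY_IP are placeholders.
sla monitor 1
 type echo protocol ipIcmpEcho PROBE_TARGET_IP interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Object 1 is up only while the probe gets replies
track 1 rtr 1 reachability
!
! Static default that is removed from the routing table when track 1 goes down
route outside 0.0.0.0 0.0.0.0 ISP1_GATEWAY_IP 1 track 1
!
! EIGRP to the routers over VLAN 80; redistributing statics carries the default only
! while it is in the table, so a failed circuit simply stops being advertised
router eigrp 100
 network 192.168.80.0 255.255.255.0
 redistribute static
!
! Routers: peer with both firewalls on VLAN 80 and advertise the client VLANs back,
! so neither firewall needs hand-written routes for 192.168.1.0/24 ... 192.168.70.0/24
router eigrp 100
 network 192.168.80.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
!
! Checks: "show route" and "show sla monitor operational-state" on each firewall;
! "show ip route" and "show ip eigrp neighbors" on the routers
```

While both circuits are up the routers see two equal EIGRP defaults and split traffic across the firewalls, which works here because each firewall NATs its own outbound flows.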
