Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2486
Views
0
Helpful
46
Replies

vlans hsrp asa

Go to solution
jeffrey_craig1
Level 1
Level 1

‎10-29-2015 09:08 AM - edited ‎03-08-2019 02:29 AM

People i need your help

My network currently has a router connecting to the WAN and then it is connected to a cisco asa 5515x however the outside address is on the interface connected to the router from the ASA.

My plan is to remove the router and replace it with 2 cisco routers configured with HSRP.

I also have 7 vlans running through my LAN, so all the vlans gatways are on the routers to route between vlans also with HSRP how can i do this with the public address being before the routers?

How do i get through the firewall and use router interfaces as gateways with the constant protection of the asa?

Labels:
0 Helpful
46 Replies 46

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jeffrey_craig1

‎11-02-2015 08:46 AM

One other thing.

You need to do HSRP tracking on the active router in case it's interface to the LAN fails.

What can happen is if the active routers LAN interface fails then HSRP moves to the other router.

So traffic from the clients gets to the firewall and out.

Trouble is when traffic comes back the firewall sends it to the active router which is the one with the failed interface to the LAN so traffic is dropped.

So if the LAN interface fails you also need it swap on the WAN side as well.

Or you could run a dynamic routing protocol between the firewall and the routers if you are not bothered which router return traffic from the internet goes through ie. the firewall might pick either router.

Just get it setup with previous instructions to prove it works and then we can go from there.

Jon

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jeffrey_craig1

‎10-30-2015 09:26 AM

Should have said.

If you are using vlan 1 for clients on the LAN as one of your subnets you need to use a different vlan for the connectivity between the router and firewall otherwise it won't work properly.

To do this -

1) create a new vlan on the switch but no subinterfaces on the routers

2) put two ports into that vlan and connect the router's WAN interface to one of the ports.

2)  on ASA the port connecting to the switch you need to put that port into the new vlan ie.

int <x/y>
switchport access vlan <x>

then configure your inside interface ie.

int vlan <x>
nameif inside
security-level 100
ip address x.x.x.x <subnet mask>

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card