Solved: vlans hsrp asa - Page 2

jeffrey_craig1 · ‎10-29-2015

People i need your help

My network currently has a router connecting to the WAN and then it is connected to a cisco asa 5515x however the outside address is on the interface connected to the router from the ASA.

My plan is to remove the router and replace it with 2 cisco routers configured with HSRP.

I also have 7 vlans running through my LAN, so all the vlans gatways are on the routers to route between vlans also with HSRP how can i do this with the public address being before the routers?

How do i get through the firewall and use router interfaces as gateways with the constant protection of the asa?

Jon Marshall · ‎10-30-2015

You would -

1) configure the routers LAN facing interfaces using subinterfaces for the vlans and HSRP.

The subinterface IPs woud be the default gateways for clients.

2) connect the WAN interface of router to the ASA inside interface via switch usually.

3) add a default route on the router pointing to the inside interface IP of the firewall and on the firewall add routes for the internal subnets with the IP of the WAN interface on the router.

Then you confiure a default route on the firewall pointing to the ISP next hop and configure NAT etc.on the firewall.

That would work fine and your routers are doing all the routing internally between vlans

Jon

jeffrey_craig1 · ‎10-30-2015

Thanks mate I will let you know.

(Y) :)

jeffrey_craig1 · ‎10-30-2015

P.S I have seen a switch put there before between the routers and ASA's why ?

Jon Marshall · ‎10-30-2015

Generally because you would need a crossover cable otherwise.

You can use the same switch you use for clients ie. just create a vlan for that connection because it is all on the inside of the ASA so it is not a security risk.

Jon

jeffrey_craig1 · ‎10-30-2015

System IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.12 255.255.255.0 manual

Vlan2 outside unassigned unassigned manual

Current IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.12 255.255.255.0 manual

Vlan2 outside unassigned unassigned manual

The asa 5505 will not let me add ip addresses to the interface but to the vlan.

I cant ping them and dont understand whay they have vlans instead out int faces with ip address.

Jon Marshall · ‎10-30-2015

That is the way the ASA 5505 works ie. you use SVIs.

The inside interface is in vlan 1 by defaut so all you need to do is connect the WAN interface of the router and one of the ports on the ASA into your switch and each port needs to be in vlan 1.

Then you should be able to ping as long as the vlan 1 interface on the ASA is using an IP from the same subnet as the IP on the router's WAN interface.

Jon

jeffrey_craig1 · ‎10-30-2015

Thats brillaint mate thanks

Switch Virtual interface it is i researched it the one i am currently using on live network is 5515-x

Will i just be able to put the IP on the inside interface and set a deafault route to that in real time/

Jon Marshall · ‎10-30-2015

See my last post about using vlan 1 ie. it cannot both be used by clients and for the connection between the router and firewall.

I have given you the configuration to change the vlan used for the connection but the alternative is to not use vlan 1 for clients.

Up to you really.

I'm not sure I understand ie. you are asking about a 5505 but then talking about a different firewall in production.

Perhaps I have missed something ?

Jon

jeffrey_craig1 · ‎11-02-2015

Hello Jon

I have made VLAN 80 ASA and put all relevant port into the VLAN. i have made a default route of 0.0.0.0 0.0.0.0 192.168.1.11 /24 which is the ASA inside interface.

I sitll am unable to ping this.

I am using a 5505 .

thanks

Jon Marshall · ‎11-02-2015

I forgot in my last post that you are running two routers.

So you would need to run HSRP on both sides of the routers ie. HSRP to the clients and HSRP to the firewall and the firewall points to the HSRP VIP for any routes.

However that's not the issue you have at the moment.

What can you not ping and from where ie. src and dst IPs.

Jon

jeffrey_craig1 · ‎11-02-2015

and by hsrp on both sides you mean? can just track the ASA facing interfaces on routers?

I have attached a photo of the network i am working on, I cannot ping the asa inside interfaces they are in vlan 1 network 192.168.1.0 /24.

The switch has all 4 ports in vlan 80 a new vlan made for the ASA's

Jon Marshall · ‎11-02-2015

1) you say the inside interfaces are in vlan 1 but then you say you have created vlan 80.

2) don't know what you mean by track.

3) are you using both firewall in active standy because last time we spoke you said it was one firewall ?

Can you clarify because it makes a difference.

Jon

jeffrey_craig1 · ‎11-02-2015

well i want to make it 2 but i am firstly trying to sort it out on one i have now taken the second away.

what do i do now all vlans 1, 10,20,30,40,50,60,70 default gate ways are the 2 routers i now need to make all of them to transfer from default gate way to asa through the switch

Jon Marshall · ‎11-02-2015

Okay, one last question.

Your diagram shows each firewall with a separate connection to the internet.

Is that the case because it could significantly complicate things.

If it is seperate connections is it the same ISP or different ISPs ?

If it is different ISPs what about the IP addressing and are you proposing to run the firewalls standalone or in a pair.

The inside part is easy but if yoiu have multiple outside connections it's going to get complicated.

I need the full picture otherwise I have to make assumptions and I could end giving you something that doesn't work.

Jon

jeffrey_craig1 · ‎11-02-2015

Due to my lack of knowledge with the ASA's at the moment my plan is to just use the one ASA I will in the future use both as a pair, with 1 isp with different addresses per line and load balance between the 2.

At the moment with 1 firewall how do I router the traffic to the asa with nat at router and then nat at firewall or a access-list or what ?

am i making sense thank you for you patience