
HSRP for switches and routing through ASA

victor_87
Level 1

I have represented a preview of my network in the attachment. I have about 10-15 hosts connected to the L2 switches. The L3 switches will be the gateway, and they are configured for HSRP, i.e. I'll have the gateway as the standby IP configured, right?

Now I need to connect the two L3 switches to the ASA and route traffic for the 192.168.0.0 network through the ASA. Users from the 192.168.0.0 network will also access my servers in the 172.16.0.0 network; for that I can use nat (inside, outside) 172.16.0.0 172.16.0.0 etc. and do the job.

Now my doubt is,

I need to connect the 2 L3 switches to the ASA inside and I do not have another switch to place in between, i.e. I have to use two physical interfaces on the ASA as INSIDE. How is this possible?

And will I use the same standby IP to route on the ASA for the traffic coming from the 192.168.0.0 network to the 172.16.0.0 network?

And also please explain how HSRP can be configured.

Thank you.

7 Replies

Marwan ALshawi
VIP Alumni

I think it's not possible to make two interfaces having the same IP network; however, you can make two interfaces with the same security level, let's say inside1 and inside2,

but you have to enable the command that enables communication between interfaces at the same level because it is denied by default.

If communication is required for the hosts on the same security level interfaces, use the global configuration

same-security-traffic permit inter-interface

Also, I think in this case HSRP will not be possible on the ASA side; you need to change the IP addressing for one of your L3 switches between the switch and the ASA.

Make it a routed interface on both switches

and make a static route on the ASA.

Both static routes are destined to your inside network L2, and each one has the IP address of one of your L3 switches; make the preferred switch with default config

and increase the AD on the second static route that uses the second L3 switch.

Let's say you're going to make one switch the preferred and active one with HSRP, with IP address 1.1.1.1,

and the standby with HSRP 2.2.2.2; as I told you, make them routed interfaces with the ASA.

Make an inside interface named inside1 with security level 100 connected to 1.1.1.1

and another one named inside2 connected to 2.2.2.2.

Make the following routes.

Let's say your internal network is 10.0.0.0:

route inside1 10.0.0.0 255.0.0.0 1.1.1.1 1

route inside2 10.0.0.0 255.0.0.0 2.2.2.2 3

And if you have any more issues, such as NAT, ask.

Try it and good luck.

Rate if helpful
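The ASA side of the setup described in the answer above, written out as one configuration; this is an added example, not part of the original post. The interface numbers, the ASA's own /30 link addresses (1.1.1.2, 2.2.2.1) and the SLA/track IDs are assumptions, and the `sla monitor`/`track` lines go beyond the post: they withdraw the primary route when the preferred switch stops answering even though the link stays up.

```cisco
! Added example: ASA side only. Interface IDs, ASA link addresses and
! SLA/track numbers are assumptions, not values from the thread.
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 1.1.1.2 255.255.255.252
 no shutdown
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 2.2.2.1 255.255.255.252
 no shutdown
!
! Both interfaces sit at level 100; without this command the ASA drops
! traffic between them. With it, inside1 <-> inside2 traffic is allowed
! without an access list, so apply interface ACLs if that is too broad.
same-security-traffic permit inter-interface
!
! Probe the preferred switch so the primary route is withdrawn when
! 1.1.1.1 stops answering, not only when the inside1 link goes down.
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1 interface inside1
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary route (metric 1, tracked) and floating backup (metric 3).
route inside1 10.0.0.0 255.0.0.0 1.1.1.1 1 track 1
route inside2 10.0.0.0 255.0.0.0 2.2.2.2 3
```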

I feel some steps in your idea are possible and some are impossible. Anyway, I'll try it; if it did work then you are the man.

I'll owe you.

Thanks.

It really did work, great idea; however, the switchover is somewhat slow, but I'm satisfied.

Really, I am happy because it worked and also because you are satisfied :)

thanks for rating

Marwan

ralphcarter
Level 1
Level 1

When you use redundant Layer 3 switches, then you should use redundant firewalls and have an active/standby fw config or active/active.

What is sitting on the 192.168.0.0 network?

Can you physically connect the fw to the 192.168.0.0 switch (if there is one), create a vlan for the inside interface and put fw inside, L3 switch 1 and L3 switch 2 in this vlan?

This way you create a 0.0.0.0 from both L3 switches via inside FW address. If any of your L3 switches goes down, you will still have connectivity out through the fw.

CCIE 26175
www.techsnips.com

You cannot create VLANs on the Cisco ASA 5510+ directly; VLANs are possible only on subinterfaces. I already had this idea, but VLANs are available only on the ASA 5505 as it is switchport capable. The others just are not capable of switching.

Hi Ralph,

I need help configuring HSRP at the SUP level on 2 of the 6513 switches. Can you help us to know how we can configure HSRP between two SUP32s, or can you provide us a document that will help us to configure it? Your reply on this will be really appreciated.
