Redundant links with ASA firewall

Unanswered Question
Dec 29th, 2008

Hi,

I am planning to implement a collapsed core architecture with two core switches connected to two ASA firewalls. Can somebody guide me on the high availability options that I have? Can I have two links connecting to a single ASA firewall originating from both the core switches?

Jon Marshall Mon, 12/29/2008 - 04:28

Naresh

"Can I have two links connecting to a single ASA firewall originating from both the core switches?"

This is not typically what you would do. 2 interfaces on the same ASA cannot be in the same IP subnet and so the interfaces would need to be in different subnets.

If you want to use active/standby as shown in your diagram, then you would be better off removing the cross connects between the core switches and the ASA firewalls so core1 connects to ASA1 and core2 connects to ASA2 on the inside interfaces of the ASAs. You still need to have a separate pair of interfaces for stateful failover.

Then, assuming ASA1 is active:

1) if core1 dies ASA2 becomes active

2) if the link from core1 to ASA1 goes down ASA2 becomes active

This assumes that the link between your 2 core switches is an L2 trunk. If it is an L3 routed link then the above would not apply.

Jon
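
A pre-deployment check for the constraint described in the reply above, as an added example that is not part of the original thread: it parses ASA-style `interface` stanzas and flags two interfaces on the same unit whose subnets overlap. The sample configuration, interface names and addresses are constructed, and the standby-address checks go beyond what the thread covers.

```python
import ipaddress
import re

# Constructed sample: inside1/inside2 model "two links from both cores to one ASA".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside1
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface GigabitEthernet0/2
 nameif inside2
 ip address 10.10.10.3 255.255.255.0
"""

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def parse_interfaces(config):
    """Return [(interface, network, standby_ip_or_None)] for addressed interfaces."""
    result, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif (m := IP_LINE.match(line)) and current:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            standby = ipaddress.ip_address(m.group(3)) if m.group(3) else None
            result.append((current, net, standby))
    return result

def audit(config):
    """Flag overlapping subnets on one unit and missing or off-subnet standby IPs."""
    ifaces = parse_interfaces(config)
    findings = []
    for i, (name_a, net_a, _) in enumerate(ifaces):
        for name_b, net_b, _ in ifaces[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} and {name_b} overlap: {net_a} / {net_b}")
    for name, net, standby in ifaces:
        if standby is None:
            findings.append(f"{name} has no standby address")
        elif standby not in net:
            findings.append(f"{name} standby {standby} is outside {net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```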
