Connecting 2 ASA 5520 internally

Answered Question
Feb 10th, 2009

I have a network where I use two separate ISP connections at different locations within the same building. I would like to install an ASA 5520 on each connection, as we don't have any firewall at the moment. Some of my traffic from one segment to the other is going through externally. I would like to connect the two ASAs so that internal traffic is routed between them and not externally. Is that possible, or is there another way? Thank you.

Tshi M Tue, 02/10/2009 - 06:29

Since you are talking about two different locations, I will suggest setting up a site-to-site VPN.

Regards,

emmanuelapostolidis Tue, 02/10/2009 - 07:36

I understand, but the two different locations are within the same building. We are using different VLANs internally but some traffic goes the long way around externally. Our ISP, or gateway, provides us with two connections and some traffic travels through their network and back to us. Regards,

Tshi M Tue, 02/10/2009 - 07:40

Could you please post your existing topology? If the locations are within the same building and are somewhat interconnected, you should be able to route all internal traffic without the use of the ASA. Though you still need your ASA for security purposes.

Regards,

Tshi M Tue, 02/10/2009 - 08:10

Emmanuel,

Are those stacks interconnected via fiber? If not, you might need to interconnect the backbone (Layer 3) to keep your traffic internal. It looks like you will have to run fiber to interconnect the stack switches. If a fiber run is expensive, then site-to-site will do it.

emmanuelapostolidis Tue, 02/10/2009 - 08:36

Not at the moment, but I could connect them by fiber. What will be the best way of doing this? I am just worried about creating a loop.

Correct Answer
Tshi M Tue, 02/10/2009 - 08:51

You could set up a Layer 3 link using a /30 private address between both core switches so that you route your internal traffic between both switches. Each side would use its own ASA to route to the Internet.

Let's say we have the following subnets:

Location A: 10.1.10.0/24

Location B: 10.1.20.0/24

=================================

Location A (G0/0 towards Location B):

interface GigabitEthernet0/0
 no switchport
 description connecting to Location B G0/0
 ip address 10.2.2.1 255.255.255.252
!
ip route 10.1.20.0 255.255.255.0 10.2.2.2
ip route 0.0.0.0 0.0.0.0 10.1.10.254
! 10.1.10.254 is the ASA internal (inside) address at Location A

====================================

Location B (G0/0 towards Location A):

interface GigabitEthernet0/0
 no switchport
 description connecting to Location A G0/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 10.1.10.0 255.255.255.0 10.2.2.1
ip route 0.0.0.0 0.0.0.0 10.1.20.254
! 10.1.20.254 is the ASA internal (inside) address at Location B

You could get fancy and set up EIGRP and IP SLA or PBR to provide Internet redundancy for each side, but that is another story.

Regards,
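As an added example (not part of the thread, and not Cisco code), a small Python model of the two core switches' forwarding tables above: it does a longest-prefix lookup hop by hop, shows that inter-LAN traffic stays on the /30 link while Internet traffic is handed to the local ASA, and flags the routing loop Emmanuel was worried about (for instance if both default routes were later pointed across the link). The SVI addresses 10.1.10.1 / 10.1.20.1 and the device names are assumptions.

```python
import ipaddress

# Constructed topology from the thread's example: two core switches joined by a
# 10.2.2.0/30 link, each with its own LAN and a default route to its local ASA
# inside address. Assumption: each core switch holds its LAN /24 as a connected
# SVI; the ASAs are not modeled, so a next hop of 10.1.x.254 ends the trace.
DEVICES = {
    "core-A": {"connected": ["10.1.10.1/24", "10.2.2.1/30"],
               "static": [("10.1.20.0/24", "10.2.2.2"), ("0.0.0.0/0", "10.1.10.254")]},
    "core-B": {"connected": ["10.1.20.1/24", "10.2.2.2/30"],
               "static": [("10.1.10.0/24", "10.2.2.1"), ("0.0.0.0/0", "10.1.20.254")]},
}

def lookup(dev, dst, devices=DEVICES):
    """Longest-prefix match over connected networks and static routes.
    Returns ('connected', network), ('via', next_hop) or None."""
    dst, best = ipaddress.ip_address(dst), None
    candidates = [(ipaddress.ip_interface(c).network, "connected", None)
                  for c in devices[dev]["connected"]]
    candidates += [(ipaddress.ip_network(p), "via", nh) for p, nh in devices[dev]["static"]]
    for net, kind, nh in candidates:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, nh)
    if best is None:
        return None
    return (best[1], str(best[0])) if best[1] == "connected" else (best[1], best[2])

def owner_of(addr, devices=DEVICES):
    """Modeled device owning this interface address, or None (e.g. an ASA)."""
    ip = ipaddress.ip_address(addr)
    for dev, cfg in devices.items():
        if any(ipaddress.ip_interface(c).ip == ip for c in cfg["connected"]):
            return dev
    return None

def trace(start, dst, devices=DEVICES, max_hops=8):
    """Follow forwarding decisions from `start` towards `dst`. Returns (path, outcome):
    'delivered on <net>', 'handed to <next-hop>', 'NO ROUTE' or 'LOOP'."""
    path, dev = [], start
    for _ in range(max_hops):
        if dev in path:                      # same switch seen twice: static-route loop
            return path, "LOOP"
        path.append(dev)
        route = lookup(dev, dst, devices)
        if route is None:
            return path, "NO ROUTE"
        kind, target = route
        if kind == "connected":
            return path, f"delivered on {target}"
        dev = owner_of(target, devices)
        if dev is None:                      # next hop is not a modeled switch (the ASA)
            return path, f"handed to {target}"
    return path, "LOOP"
```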

Tshi M Tue, 02/10/2009 - 09:12

Sure thing. Please rate if helpful :-)

Thank you!
