Connecting 2 ASA 5520 internally

Answered Question
Feb 10th, 2009

I have a network where I use two separate ISP connections at different locations within the same building. I would like to install an ASA 5520 on each connection, as we don't have any firewall at the moment. Some of my traffic from one segment to the other is going out externally. I would like to connect the two ASAs so that internal traffic is routed between them and not externally. Is that possible, or is there another way? Thank you.

Tshi M Tue, 02/10/2009 - 06:29

Since you are talking about two different locations, I will suggest setting up a site-to-site VPN.


Regards,

emmanuelapostolidis Tue, 02/10/2009 - 07:36

I understand, but the two different locations are within the same building. We are using different VLANs internally but some traffic goes the long way around externally. Our ISP, or gateway, provides us with two connections and some traffic travels through their network and back to us. Regards,

Tshi M Tue, 02/10/2009 - 07:40

Could you please post your existing topology? If the locations are within the same building and are somewhat interconnected, you should be able to route all internal traffic without the use of the ASA. Though you still need your ASA for security purposes.


Regards,

Tshi M Tue, 02/10/2009 - 08:10

Emmanuel,


Are those stacks interconnected via fiber? If not, you might need to interconnect the backbone (Layer 3) to keep your traffic internal. It looks like you will have to run fiber to interconnect the stack switches. If the fiber run is expensive, then site-to-site will do it.

emmanuelapostolidis Tue, 02/10/2009 - 08:36

Not at the moment, but I could connect them by fiber. What would be the best way of doing this? I am just worried about creating a loop.

Correct Answer
Tshi M Tue, 02/10/2009 - 08:51

You could set up a Layer 3 link using a /30 private address between both core switches so that you route your internal traffic between both switches. Each side would use its own ASA to route to the internet.

Let's say we have the following subnets:

Location A: 10.1.10.0/24

Location B: 10.1.20.0/24

=================================

Location A core switch:

interface GigabitEthernet0/0
 no switchport
 description connecting to Location B G0/0
 ip address 10.2.2.1 255.255.255.252
!
! route the other site's LAN over the /30 link
ip route 10.1.20.0 255.255.255.0 10.2.2.2
! default route to the local ASA internal (inside) address
ip route 0.0.0.0 0.0.0.0 10.1.10.254

=================================

Location B core switch:

interface GigabitEthernet0/0
 no switchport
 description connecting to Location A G0/0
 ip address 10.2.2.2 255.255.255.252
!
! route the other site's LAN over the /30 link
ip route 10.1.10.0 255.255.255.0 10.2.2.1
! default route to the local ASA internal (inside) address
ip route 0.0.0.0 0.0.0.0 10.1.20.254

You could get fancy and set up EIGRP and IP SLA or PBR for Internet redundancy on each side, but that is another story.


Regards,
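To check what the static routes in the answer above actually do with a packet, here is an added Python model (not from this thread and not Cisco's code) that performs a longest-prefix-match lookup on each core switch and follows the next hops; it shows site-to-site traffic staying on the /30 link while Internet-bound traffic goes to the local ASA, and flags any Layer 3 forwarding loop. The device names, the "connected" entries and the ASA inside addresses at .254 of each LAN are assumptions.

```python
import ipaddress

# Constructed model of the two core switches from the answer: Location A LAN
# 10.1.10.0/24, Location B LAN 10.1.20.0/24, /30 link 10.2.2.0/30. Device names,
# "connected" entries and the ASA inside addresses (.254) are assumptions.
ROUTES = {
    "switch-A": [
        ("10.1.10.0/24", "connected"),
        ("10.2.2.0/30", "connected"),
        ("10.1.20.0/24", "10.2.2.2"),    # ip route 10.1.20.0 255.255.255.0 10.2.2.2
        ("0.0.0.0/0", "10.1.10.254"),    # ip route 0.0.0.0 0.0.0.0 10.1.10.254
    ],
    "switch-B": [
        ("10.1.20.0/24", "connected"),
        ("10.2.2.0/30", "connected"),
        ("10.1.10.0/24", "10.2.2.1"),    # ip route 10.1.10.0 255.255.255.0 10.2.2.1
        ("0.0.0.0/0", "10.1.20.254"),    # ip route 0.0.0.0 0.0.0.0 10.1.20.254
    ],
}
# Which device answers on each next-hop address (assumed topology).
OWNER = {"10.2.2.1": "switch-A", "10.2.2.2": "switch-B",
         "10.1.10.254": "asa-A", "10.1.20.254": "asa-B"}

def lookup(device, dst):
    """Longest-prefix match: the /24 to the other site beats the default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(start, dst, max_hops=8):
    """Follow next hops from a core switch until the destination LAN is directly
    connected or the packet is handed to an ASA; raise on a forwarding loop."""
    path, device = [start], start
    while device.startswith("switch"):
        next_hop = lookup(device, dst)
        if next_hop == "connected":
            return path                 # destination is on this switch's own LAN
        nxt = OWNER[next_hop]
        if nxt in path or len(path) >= max_hops:
            raise RuntimeError(f"forwarding loop at {nxt}: {path}")
        path.append(nxt)
        device = nxt
    return path                         # ended at the local ASA: Internet-bound
```

trace("switch-A", "10.1.20.7") returns ['switch-A', 'switch-B'], i.e. the packet never leaves the building, while trace("switch-A", "203.0.113.5") returns ['switch-A', 'asa-A'].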

Tshi M Tue, 02/10/2009 - 09:12

Sure thing. Please rate if helpful :-)


Thank you!
