I'm installing some new ASA 5520s which will be used strictly for VPN connections (both LAN-to-LAN and client connections).
I have some questions about the best way to set up redundancy and failover and integrate it into our network. I've attached a diagram to help describe the scenario. I failed to indicate on the diagram that clients who connect to the ASAs will be assigned an address via DHCP on the VLAN which the inside interfaces of the ASAs connect to.
ASA-A and ASA-B are set up as active/standby, with ASA-A being active. There is a default route on the ASAs which points to an HSRP address on our Internet routers. I do not want to use OSPF on the outside interfaces of the ASAs, as I do not want these ASAs to be able to route from our internal network out to the Internet; we have other firewalls to handle that. So essentially, the ASAs have a route of 0.0.0.0/0 which points to the HSRP address on the Ethernet interface(s) of our Internet routers. This part of the design works fine.
My concerns are about handling the inside interfaces of the ASAs. There are a couple of ways this could be done.
A) ASA-A and ASA-B can be connected to the same VLAN on both core switches, and that VLAN will be trunked between the cores. I could then add static routes on the ASAs for our internal address space which point to an HSRP address on the layer 3 VLANs on our cores. I would also add static routes on our core switches for site-to-site VPN connections.
B) I can run OSPF on the VLAN on the core switches, and also on the ASAs. The problem I have with this design is that the core switches will neighbor each other through OSPF as well; they are already neighbors on another VLAN, and I don't want them to be neighbors on multiple VLANs. The advantage to this design, though, is that I believe RRI can add routes to our core network via OSPF for our site-to-site tunnels. I've not used RRI though, and I'm not sure it works as I think it does. Can anyone confirm it can do this? Also, is there an easy way to prevent the core switches from neighboring each other?
Does anyone know what the best practice is for connecting the ASAs for VPN to an internal network? I know there are many ways to solve this problem, and I may have overlooked some, but what is the best practice? Did I miss something which is obvious and a better solution?
Thanks in advance!
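The following is an added example, not part of the original post or its replies, showing the ASA side of option B: OSPF enabled only on the inside interface, a static default route on the outside, and Reverse Route Injection on a site-to-site crypto map so the remote network is installed as a static route and then redistributed into OSPF. All addresses, ACL, transform-set and crypto-map names are constructed placeholders, and the syntax is the pre-8.4 form used on a 5520; the core-switch side and the question of keeping the two cores from neighboring each other are not covered here.

```cisco
! Added example (constructed addresses and names; not the poster's config)
! Inside interface shares one IP between the active/standby pair
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
!
! Default route stays static: no OSPF on the outside interface,
! so the ASA never learns or advertises Internet-bound routes
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! OSPF only on the inside VLAN (the outside subnet is deliberately
! not matched by any network statement). "redistribute static" is what
! carries the RRI-generated routes into the core's OSPF domain.
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 redistribute static subnets
!
! Site-to-site tunnel: traffic selector, peer, transform set
access-list acl-site-b extended permit ip 10.0.0.0 255.0.0.0 172.16.50.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address acl-site-b
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
! RRI: installs "172.16.50.0/24 via outside" as a static route on this ASA,
! which the redistribute statement above advertises as an OSPF external
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
```

Remote-access clients need no RRI entry here because, per the design, they receive addresses from the inside VLAN's own DHCP scope. Verify with `show route` on the ASA (expect an "S" entry for 172.16.50.0) and `show ip route ospf` on a core (expect the same prefix as an O E2 route via 10.10.10.2).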