Redundant Network Config with two ASAs and two switches

Unanswered Question
Oct 2nd, 2009

I'm hoping someone can critique a very basic redundant ASA configuration. Currently, we have rack space at our provider. The provider provides us two uplinks to their cores. I have one ASA 5520 and one 3560 switch, so both uplinks (fiber) are on the same switch. I would like to introduce another ASA and another 3560 (or 3750). I envision that one provider uplink will go into one switch, and the other uplink will go to our new switch. I can simply run spanning tree and will not need a routing protocol. We do not have an internet router. The outside interface of our ASA is placed into the same VLAN as the provider uplinks, and we "go out" from there. Our provider routes us a netblock to our ASA outside interface IP. I then NAT to our internal servers, which are also plugged into the same switch and VLANed appropriately. You can see we have all our eggs in one basket with the switch and ASA.

I can only introduce two more devices into our rack, so one more switch and one more ASA is all I have to work with. Please see the attached pic to see if I've thought this out.


1. I am confused about whether the two switches need to be connected together via an EtherChannel and HSRP or anything like that. The ASA is the default gateway for all the devices on the network, so the switches really aren't routing.

2. Our current ASA is running some older 7.2 code. I obviously want to get it up to the 8.X series. This may have to be a phased implementation, since this is a production site and my downtimes can't be long. Is it difficult to bring a single, standalone ASA into an Active/Standby configuration with an entirely new ASA? I know they have to be the same hardware config, code rev, etc.

I've done one of these before, but it was from scratch and I had the luxury of time.

The goal here (obviously) is to keep our servers available in the event we lose one ASA or one switch. Please look at the pic and offer any suggestions. Thanks very much.

Yudong Wu Fri, 10/02/2009 - 17:45

1. If you configure the 2 ASAs as Active/Standby, you just need a trunk between the two switches. ASA failover needs layer 2 connectivity for all related interfaces.

2. My suggestion for the implementation would be:

a. Map your current config to the new ASA with 8.x code and configure it as the Primary unit in Failover.

b. Take down the previous ASA and bring the new ASA online to test the connectivity during a maintenance window. This way, if anything goes wrong, you can still bring back the previous ASA. If you use the same IP on the new ASA as on the previous ASA, remember to clear the ARP table on its neighbor devices, since it still points to the previous ASA's MAC address.

c. Upgrade the previous ASA and configure it as the Secondary unit in Failover, then bring it back online.

sbader48220 Sat, 10/03/2009 - 08:51

Like kwu2 said, you'll need to have a layer 2 trunk between both switches which trunks the inside, outside, and, if you have it, DMZ VLANs.

How does your provider offer redundancy? Do you have a static route pointed to an HSRP address on their side? If so, with the addition of the trunk, your design should work just fine.

kwu2 had an excellent idea to stand up the new ASA, then upgrade the old one and make it standby. Just keep in mind that the ASAs need to be exactly identical -- same license, modules, etc.

Once you have the redundant design, you'll be able to perform nearly zero downtime upgrades of the ASA, which is something I love.
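Added example (not configuration posted by anyone in this thread): the pieces the two replies above describe, written out as ASA 8.x LAN-based Active/Standby failover plus the 3560 trunk that carries the outside, inside and failover VLANs between the two switches. Interface names, VLAN IDs, the failover key and the addresses (RFC 5737 documentation space) are assumptions chosen for illustration, not the poster's real values; the failover link is assumed to run through a dedicated VLAN on the switches rather than a direct cable.

```cisco
! ---- ASA1 (new unit, 8.x code), configured as the Primary failover unit ----
! Assumed: Gi0/0 = outside (VLAN 10), Gi0/1 = inside (VLAN 20),
!          Gi0/3 = failover + state link carried in VLAN 254 across both switches.
hostname asa1
prompt hostname priority state
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
! Provider gateway is a single address on their side (e.g. their HSRP VIP),
! so one static default route is all the ASA pair needs.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! LAN-based failover; the stateful link shares the same physical interface.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key ChangeMe-Failover-Secret
failover
! Verify once both units are up:
!   show failover          -> "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
!   show failover state

! ---- ASA2 (old unit, after being upgraded to the identical 8.x image) ----
! Only the failover bootstrap goes here; the primary replicates everything else.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key ChangeMe-Failover-Secret
failover

! ---- SW1 and SW2 (3560), same VLANs on both; each switch has one provider uplink ----
vlan 10
 name OUTSIDE
vlan 20
 name INSIDE
vlan 254
 name ASA-FAILOVER
!
! Inter-switch trunk carrying every VLAN the ASA pair uses. Spanning tree handles
! the loop; no routing protocol or HSRP is needed on the switches.
interface GigabitEthernet0/47
 description Trunk to other 3560
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,254
 switchport mode trunk
!
interface GigabitEthernet0/1
 description Provider uplink (one per switch)
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/2
 description ASA outside (Gi0/0)
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description ASA inside (Gi0/1)
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description ASA failover link (Gi0/3)
 switchport access vlan 254
 switchport mode access
 spanning-tree portfast
```

During step (b) of the cutover, the new ASA takes over the old unit's outside IP, so any neighbor you control should get a `clear arp` (same command on IOS and on the ASA); the provider's gateway will age its entry out on its own timer. Once both units show "Standby Ready", a later code upgrade follows the usual pattern: upgrade the standby, `failover active` on it, then upgrade the former active unit.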
