Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
2
Replies

Scenario Help

Go to solution
SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎01-25-2010 08:51 AM - edited ‎03-06-2019 09:26 AM

Hi All ,

               I have a common vlan between my both ASA via my core switch for stateful failover .

ASA inside interface

IP address 192.168.10.1 255.255.255.0 standby 192.168.1.2

For eg : VLAN10  192.168.10.0 255.255.255.0

I Have created L3 Vlan  192.168.10.3 at core switch 1 and 192.168.10.4 at core switch 2 and trunk link between two switches for stateful failover  among ASA ,

           I have internal 6 vlan  at core which will have default route pointing  inside interface to Active ASA , My question over here reverse route for internal network from ASA to core switches ,whether i need configure reverse route for internal network from ASA  pointing to 192.168.10.3 and weightage route to 192.168.10.4

                        Else i need to run HSRP between core switches and pointing the reverse route from ASA towards standby ip address of core switches .If my Core Switch 1 fails , stateful failover will happen and switch to  ASA 2 then then reverse route from ASA 2 will also have reverse route pointing to  HSRP standby ip address.

                           If i am wrong here please correct me over here need ur help

Labels:
Preview file
27 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎01-25-2010 09:01 AM 

Hi All ,
               I have a common vlan between my both ASA via my core switch for stateful failover .
ASA inside interface
IP address 192.168.10.1 255.255.255.0 standby 192.168.1.2
For eg : VLAN10  192.168.10.0 255.255.255.0
I
Have created L3 Vlan  192.168.10.3 at core switch 1 and 192.168.10.4 at
core switch 2 and trunk link between two switches for stateful
failover  among ASA ,
           I have internal 6 vlan  at core which will have default route pointing  inside interface to Active ASA , My question over here
reverse route for internal network from ASA to core switches ,whether i
need configure reverse route for internal network from ASA  pointing to
192.168.10.3 and weightage route to 192.168.10.4
                       
Else i need to run HSRP between core switches and pointing the reverse
route from ASA towards standby ip address of core switches .If my Core
Switch 1 fails , stateful failover will happen and switch to  ASA 2
then then reverse route from ASA 2 will also have reverse route
pointing to  HSRP standby ip address.
                           If i am wrong here please correct me over here need ur help

Hi,

Yes you are right as the internal vlan are in different subnets then you need to drop reverse route for those subnet towards the switches.If you are configuring HSRP for traffic towards internal traffic from ASA then point towards vip.

Hope to help !!

Ganesh.H

View solution in original post

0 Helpful

Go to solution
sachinraja
Level 9
Level 9

‎01-25-2010 09:10 AM

I would think HSRP VIP option will be the best & only choice here:

with option 1 - having routes to physical IP addreses of vlan 10 -> you will have two different routes on both the ASA's and unless you are running active/active, you will not have config sync between the ASA's. eg - ASA 1 will have route inside x.x.x.x x.x.x.x 192.168.10.3 (say) , and ASA B - route inside x.x.x.x x.x.x.x 192.168.10.4 .. so the route configuration mismatches between the ASA's and configurations arent synchronised (which is an issue)

with option 2 - You will have a single route pointing to HSRP VIP on both the ASA's  - route inside x.x.x.x x.x.x.x 192.168.10.5 (VIP)... this would make sure you have configurations synced between the ASA firewalls. just to note, even if you have VIP's configured, your physical path depends on which ASA is forwarding packets to !.. for eg, if ASA 1 goes down, incoming traffic hit ASA 2 - your HSRP will still have core 1 as the primary.. hence on layer 2 your ASA 2 will forward traffic to Core 2, which inturn forwards traffic to Core 1 over the trunk, and your data stream is forwarded..

Hope this helps..alll the best..


Raj

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎01-25-2010 09:01 AM 

Hi All ,
               I have a common vlan between my both ASA via my core switch for stateful failover .
ASA inside interface
IP address 192.168.10.1 255.255.255.0 standby 192.168.1.2
For eg : VLAN10  192.168.10.0 255.255.255.0
I
Have created L3 Vlan  192.168.10.3 at core switch 1 and 192.168.10.4 at
core switch 2 and trunk link between two switches for stateful
failover  among ASA ,
           I have internal 6 vlan  at core which will have default route pointing  inside interface to Active ASA , My question over here
reverse route for internal network from ASA to core switches ,whether i
need configure reverse route for internal network from ASA  pointing to
192.168.10.3 and weightage route to 192.168.10.4
                       
Else i need to run HSRP between core switches and pointing the reverse
route from ASA towards standby ip address of core switches .If my Core
Switch 1 fails , stateful failover will happen and switch to  ASA 2
then then reverse route from ASA 2 will also have reverse route
pointing to  HSRP standby ip address.
                           If i am wrong here please correct me over here need ur help

Hi,

Yes you are right as the internal vlan are in different subnets then you need to drop reverse route for those subnet towards the switches.If you are configuring HSRP for traffic towards internal traffic from ASA then point towards vip.

Hope to help !!

Ganesh.H

0 Helpful

Go to solution
sachinraja
Level 9
Level 9

‎01-25-2010 09:10 AM

I would think HSRP VIP option will be the best & only choice here:

with option 1 - having routes to physical IP addreses of vlan 10 -> you will have two different routes on both the ASA's and unless you are running active/active, you will not have config sync between the ASA's. eg - ASA 1 will have route inside x.x.x.x x.x.x.x 192.168.10.3 (say) , and ASA B - route inside x.x.x.x x.x.x.x 192.168.10.4 .. so the route configuration mismatches between the ASA's and configurations arent synchronised (which is an issue)

with option 2 - You will have a single route pointing to HSRP VIP on both the ASA's  - route inside x.x.x.x x.x.x.x 192.168.10.5 (VIP)... this would make sure you have configurations synced between the ASA firewalls. just to note, even if you have VIP's configured, your physical path depends on which ASA is forwarding packets to !.. for eg, if ASA 1 goes down, incoming traffic hit ASA 2 - your HSRP will still have core 1 as the primary.. hence on layer 2 your ASA 2 will forward traffic to Core 2, which inturn forwards traffic to Core 1 over the trunk, and your data stream is forwarded..

Hope this helps..alll the best..


Raj

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card