ASA 5520 Active/Standby Topology Help

Unanswered Question
Jun 8th, 2010

I need suggestions on how to design an ASA 5520 Active/Standby solution.

Current configuration:

T1 coming in from ISP to patch panel (Disaster Recovery site that also hosts our webservers)

T1 -> ASA -> L3 Switches -> Servers

Proposed configuration:

T1 connecting to a router or L3 switch

ASA Primary and ASA standby connected to a port on the L3 switch in the same VLAN

ASA Primary and ASA standby connected via a GigabitEthernet interface for the failover link

ASA Primary and ASA standby inside interface connected to L3 switch that has our webservers

We have two L3 switches which our servers are connected to...should each ASA connect to both switches?  One switch per ASA?  Both ASAs to one switch?  Does it matter?

Is this correct?  Or is my design flawed?

Federico Coto F... Tue, 06/08/2010 - 16:10

Hi John,

If you're going to have redundancy with a pair of ASAs, then the recommendation normally is to have redundancy everywhere as well (in this case two switches).

It's recommended that the failover link be connected via a switch (with no other devices on the same VLAN).

Here's the supported configuration from Cisco for A/S failover:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_active_standby.html

Hope it helps.

Federico.

jlg@8thwarrior.com Thu, 06/10/2010 - 15:05

I'm assuming I can use the Stateful Failover option by using two switches and the ASAs in their own VLAN?

And yes, we do have two switches at this location, and I was thinking of having each ASA's inside interface go to each switch.

Federico Coto F... Thu, 06/10/2010 - 15:13

Yes.

Active/Standby Failover can be configured as Stateless or Stateful Failover.

Stateful failover is preferred, and you can use a single interface for the stateful communication as well as the failover link (as long as you use the interface with the highest speed on the ASAs).

Federico.
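
The configuration Federico describes (Active/Standby, stateful, with the failover link and the state link sharing one Gigabit interface, and that interface sitting alone in its own VLAN on the switches), written out as an added example. This is not configuration from the thread or from Cisco's guide; interface numbers, VLAN ID, addresses and the failover key are constructed placeholders, and the outside/inside addressing is illustrative only.

```cisco
! Added example, not from the thread. Syntax follows ASA 8.x; all values are placeholders.

! ---- Primary ASA ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 no shutdown
!
! Failover + state link: no nameif, carries nothing but failover traffic.
interface GigabitEthernet0/3
 description FOVER - isolated VLAN, only the two ASAs on it
 no shutdown
!
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
! Same interface doubles as the Stateful Failover link.
failover link FOVER
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Shared secret so config replication and hello traffic on the link are encrypted.
failover key CONSTRUCTED-SHARED-SECRET
failover

! ---- Secondary ASA (bootstrap only; the rest of the config replicates from the primary) ----
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key CONSTRUCTED-SHARED-SECRET
failover

! ---- On the L3 switches (IOS): a VLAN that holds only the two ASA failover ports ----
vlan 999
 name ASA-FAILOVER
!
interface GigabitEthernet1/0/24
 description to ASA Gi0/3 (failover)
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
! If the two ASAs land on different switches, VLAN 999 must also be allowed on the trunk between them.
```

After both units come up, `show failover` should report the primary as Active and the secondary as Standby Ready, with the Stateful Failover Logical Update Statistics section populated; `show failover state` shows the last failover reason. The failover key matters from a security standpoint because configuration replication across that link includes the running config (local passwords, keys, and so on), so the link should be both encrypted with a key and kept on a VLAN that nothing else can reach.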

Nagaraja Thanthry Mon, 07/19/2010 - 15:00

Hello,

Yes. You can use a layer 3 switch in place of the router and L2 switch.

Regards,

NT


This Discussion

Posted June 8, 2010 at 11:21 AM
Replies: 5 | Views: 2726 | Votes: 0 | Shares: 0
