New Member

ASA 5520 implementation

Hi,

I have a question regarding ASA failover pair connection. Inside and outside interfaces (no DMZ) need to be connected via L2 switch, and via LAN based cable. My question: is it possible to use the same switch for connecting ASA interfaces? Please look at the attached file. Inside interfaces of both ASAs are connected to ports in the same VLANs, an additional port (trunk) is connected to Cisco 6500 and OSPF is configured. Also, the same is with outside interfaces of both ASAs.

5 REPLIES
Hall of Fame Super Blue

Re: ASA 5520 implementation

Hi

Yes you can do this if you want to, although I would question why you want to do this. The problem is you have redundant firewalls but only connecting to one switch so your Catalyst 2960/3560 is now a single point of failure.

Seems wrong to have redundant firewalls hanging off one switch.

HTH

Jon

New Member

Re: ASA 5520 implementation

OK, you are right, but what if we do that with two separate devices... for example, inside interfaces are connected to one switch, and outside in another... if something goes wrong with inside switch, nothing will work, it is still a single point of failure... same with outside switch...

Hall of Fame Super Blue

Re: ASA 5520 implementation

Hi

Yes you are right it is still a single point of failure. The idea would be to have one inside interface to one switch and the other inside interface to another switch and the same for the outside.

You could if you wanted use the same physical switches and so you need 2 switches, each with 2 VLANs, although quite often designs use separate switches for the outside interfaces.

It all depends on the level of redundancy you need.

Jon

New Member

Re: ASA 5520 implementation

Yes, level of redundancy and amount of money that the customer wants to give. :) At this moment, they have only one switch, so it was important for me to know if it is possible to implement that only with one switch. Thanks for the answers.

New Member

Re: ASA 5520 implementation

Jon, is it possible to assign the same subnet address to two inside interfaces on ASA 5520 sw v 7.2.2?

In order to use two ASAs in redundancy mode connected to two different L2 switches, this would be required so I was wondering if it's doable?
