
Connecting 2 ASA 5520 internally

I have a network where I use two separate ISP connections on different locations within the same building. I would like to install an ASA 5520 to each connection as we don't have any firewall at the moment. Some of my traffic from one segment to the other is going through externally. I would like to connect the two ASA so internal traffic is routed between them and not externally. Is that possible or is there another way? Thank you.


Tshi M (Level 5)

Since you are talking about two different locations, I will suggest setting up a site-to-site VPN.

Regards,

I understand, but the two different locations are within the same building. We are using different VLANs internally but some traffic goes the long way around externally. Our ISP, or gateway, provides us with two connections and some traffic travels through their network and back to us. Regards,

Could you please post your existing topology? If the locations are within the same building and are somewhat interconnected, you should be able to route all internal traffic without the use of the ASA. Though you still need your ASA for security purposes.

Regards,

I hope this helps.

Regards,

Emmanuel,

Are those stacks interconnected via fiber? If not, you might need to interconnect the backbone (Layer 3) to keep your traffic internal. It looks like you will have to run fiber to interconnect the stack switches. If the fiber run is expensive, then site-to-site will do it.

Not at the moment, but I could connect them by fiber. What will be the best way of doing this? I am just worried about creating a loop.

You could set up a Layer 3 link using a /30 private address between both core switches so that you route your internal traffic between both switches. Each side would use its own ASA to route to the internet.

Let's say we have the following subnets:

Location A: 10.1.10.0/24

Location B: 10.1.20.0/24

=================================

Location A core switch:

interface GigabitEthernet0/0
 description connecting to Location B G0/0
 no switchport
 ip address 10.2.2.1 255.255.255.252
!
ip route 10.1.20.0 255.255.255.0 10.2.2.2
! default route to the ASA inside (internal) address
ip route 0.0.0.0 0.0.0.0 10.1.10.254

====================================

Location B core switch:

interface GigabitEthernet0/0
 description connecting to Location A G0/0
 no switchport
 ip address 10.2.2.2 255.255.255.252
!
ip route 10.1.10.0 255.255.255.0 10.2.2.1
! default route to the ASA inside (internal) address
ip route 0.0.0.0 0.0.0.0 10.1.20.254

You could get fancy and set up EIGRP and IP SLA or PBR for Internet redundancy on each side, but that is another story.

Regards,
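Added example (not from the thread): a Python simulation of the longest-prefix-match forwarding decisions both core switches make with the static routes above. It also covers the case where the /30 link goes down, so the inter-site static route is withdrawn and RFC 1918 traffic falls to the default route toward the ASA; the labels ASA-A, ASA-B and "drop" are constructed for the example.

```python
"""Longest-prefix-match simulation of the two core switches in the /30
design (constructed example; tables mirror the routes posted above)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Connected networks and static routes per switch, as posted.
SWITCHES = {
    "A": {"connected": ["10.1.10.0/24", "10.2.2.0/30"],
          "static": [("10.1.20.0/24", "10.2.2.2"),
                     ("0.0.0.0/0", "10.1.10.254")]},
    "B": {"connected": ["10.1.20.0/24", "10.2.2.0/30"],
          "static": [("10.1.10.0/24", "10.2.2.1"),
                     ("0.0.0.0/0", "10.1.20.254")]},
}
# Constructed labels for the ASA inside addresses.
ASA_INSIDE = {"10.1.10.254": "ASA-A", "10.1.20.254": "ASA-B"}

def lookup(switch, dst, link_up=True):
    """Egress decision for dst on the given switch. A static route is
    only usable while its next hop sits on a connected network, which
    is how IOS withdraws it when the /30 interface goes down."""
    dst = ipaddress.ip_address(dst)
    connected = [ipaddress.ip_network(n) for n in SWITCHES[switch]["connected"]]
    if not link_up:
        connected = [n for n in connected if str(n) != "10.2.2.0/30"]
    candidates = [(n, "connected") for n in connected if dst in n]
    for prefix, nh in SWITCHES[switch]["static"]:
        net = ipaddress.ip_network(prefix)
        nh_addr = ipaddress.ip_address(nh)
        if dst in net and any(nh_addr in c for c in connected):
            candidates.append((net, nh))
    if not candidates:
        return "drop"
    net, nh = max(candidates, key=lambda c: c[0].prefixlen)  # longest match wins
    if nh == "connected":
        return f"direct on {net}"
    return f"via {ASA_INSIDE.get(nh, nh)}"

def leaks_internal_traffic(switch, dst, link_up=True):
    """True when an RFC 1918 destination would be handed to the ASA, i.e.
    internal traffic would try to go the long way around via the ISP."""
    is_private = any(ipaddress.ip_address(dst) in n for n in RFC1918)
    return is_private and lookup(switch, dst, link_up).startswith("via ASA")
```

With the link up, traffic between 10.1.10.0/24 and 10.1.20.0/24 takes the /30 and never reaches an ASA; with the link down it falls to the default route, which is the failure mode the IP SLA or EIGRP suggestion above is meant to detect.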

Thank you very much for this, will give it a go.

Regards,

Sure thing. Please rate if helpful :-)

Thank you!
