
Connecting 2 ASA 5520 internally

I have a network where I use two separate ISP connections on different locations within the same building. I would like to install an ASA 5520 to each connection as we don't have any firewall at the moment. Some of my traffic from one segment to the other is going through externally. I would like to connect the two ASA so internal traffic is routed between them and not externally. Is that possible or is there another way? Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Connecting 2 ASA 5520 internally

You could set up a Layer 3 link using a /30 private address between both core switches so that you route your internal traffic between both switches. Each side would use its own ASA to route to the internet.

Let's say we have the following subnets:

Location A: 10.1.10.0/24

Location B: 10.1.20.0/24

=================================

Location A core switch:

interface GigabitEthernet0/0
 no switchport
 description connecting to Location B G0/0
 ip address 10.2.2.1 255.255.255.252
!
ip route 10.1.20.0 255.255.255.0 10.2.2.2
ip route 0.0.0.0 0.0.0.0 10.1.10.254
! 10.1.10.254 is the ASA inside (internal) address at Location A

====================================

Location B core switch:

interface GigabitEthernet0/0
 no switchport
 description connecting to Location A G0/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 10.1.10.0 255.255.255.0 10.2.2.1
ip route 0.0.0.0 0.0.0.0 10.1.20.254
! 10.1.20.254 is the ASA inside (internal) address at Location B

You could get fancy and set up EIGRP and IP SLA or PBR for internet redundancy on each side, but that is another story.

Regards,
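As an added example that is not part of the thread, the following Python models the two static routing tables from the accepted solution and traces where a packet ends up, so you can verify that inter-location traffic stays on the /30 link and see what happens when one switch is missing its static route (traffic falls through to the default route and leaves via the ASA, the "long way around" the original poster wants to avoid). The "connected" marker, the ASA names and the misconfigured table are constructed for the example.

```python
import ipaddress

# Constructed from the accepted solution: each switch's static table as
# (prefix, next hop). "connected" marks directly attached subnets; the
# default route's next hop is that location's ASA inside address.
ROUTES = {
    "A": [("10.1.10.0/24", "connected"), ("10.2.2.0/30", "connected"),
          ("10.1.20.0/24", "10.2.2.2"), ("0.0.0.0/0", "10.1.10.254")],
    "B": [("10.1.20.0/24", "connected"), ("10.2.2.0/30", "connected"),
          ("10.1.10.0/24", "10.2.2.1"), ("0.0.0.0/0", "10.1.20.254")],
}
# Constructed misconfiguration: Location B lacks its route to Location A,
# so return traffic matches only the default route and is handed to ASA-B.
MISSING_ROUTE = {"A": ROUTES["A"],
                 "B": [r for r in ROUTES["B"] if r[0] != "10.1.10.0/24"]}
ASA_INSIDE = {"10.1.10.254": "ASA-A", "10.1.20.254": "ASA-B"}
LINK_ADDR = {"10.2.2.1": "A", "10.2.2.2": "B"}  # owner of each /30 address

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(routes, start, dst, max_hops=8):
    """Follow next hops from switch to switch until the packet is delivered
    on a connected subnet, handed to an ASA, dropped, or revisits a switch."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(routes[node], dst)
        if nh is None:
            return path + ["drop"]
        if nh == "connected":
            return path + ["delivered"]
        if nh in ASA_INSIDE:
            return path + [ASA_INSIDE[nh]]  # left the internal path
        node = LINK_ADDR[nh]
        if node in path:
            return path + ["loop"]  # the loop the poster was worried about
        path.append(node)
    return path + ["hop-limit"]

def stays_internal(routes, start, dst):
    """True when traffic from `start` to dst never touches an ASA."""
    return trace(routes, start, dst)[-1] == "delivered"

if __name__ == "__main__":
    print(trace(ROUTES, "A", "10.1.20.7"))         # ['A', 'B', 'delivered']
    print(trace(MISSING_ROUTE, "B", "10.1.10.5"))  # ['B', 'ASA-B']
```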

9 REPLIES
Bronze

Re: Connecting 2 ASA 5520 internally

Since you are talking about two different locations, I will suggest setting up a site-to-site VPN.

Regards,

Re: Connecting 2 ASA 5520 internally

I understand, but the two different locations are within the same building. We are using different VLANs internally but some traffic goes the long way around externally. Our ISP, or gateway, provides us with two connections and some traffic travels through their network and back to us.

Regards,

Bronze

Re: Connecting 2 ASA 5520 internally

Could you please post your existing topology? If the locations are within the same building and are somewhat interconnected, you should be able to route all internal traffic without the use of the ASA. Though you still need your ASA for security purposes.

Regards,

Re: Connecting 2 ASA 5520 internally

I hope this helps.

Regards,

Bronze

Re: Connecting 2 ASA 5520 internally

Emmanuel,

Are those stacks interconnected via fiber? If not, you might need to interconnect the backbone (Layer 3) to keep your traffic internal. It looks like you will have to run fiber to interconnect the stack switches. If the fiber run is expensive, then site-to-site will do it.

Re: Connecting 2 ASA 5520 internally

Not at the moment, but I could connect them by fiber. What will be the best way of doing this? I am just worried about creating a loop.


Re: Connecting 2 ASA 5520 internally

Thank you very much for this, will give it a go.

Regards,

Bronze

Re: Connecting 2 ASA 5520 internally

Sure thing. Please rate if helpful :-)

Thank you!
