I have two identical 5550 units with the same features and licenses, I want to implement failover between them, these are brand new and I am going to use them for the first time, I need some guidelines, I have the scenario as following
I have one Server farm, four VLANs, all the VLAN client are connected through Catalyst 3550 Layer 3 switch and this switch is connected to Catalyst 3750 layer 3 switch through one uplink, server farm switch is connected with Catalyst 3750 layer 3 switch.
I want to secure my all servers as all servers are on one VLAN named server farm, I want to secure server farm from inside and from outside as well.
Like three legs scenario, one inside, DMZ and outside.
What will be the diagram in this scenario, how can I make this scenario with failover.
Do I need layer 2 switch at inside, DMA and outside sides?
I will really appreciate if you can send the best practice diagram and configuration for my scenario with failover.
Prepare diagram yourself in below manner.
I am assuming your outside connectivity is metro ethernet.
1 connect two 5550 firewalls inside interfaces to 3550 switch and keep them in single vlan.
2 connect two 5550 firewalls directly using cross cable for stateful failover.
3 connect two 5550 firewalls outside interfaces to 3750 switch and keep them in single vlan.
4 connect server farm switch to both firewalls dmz interfaces.
The attached diagram will be the setup
1. Suggest me, Active-Active failover will better or Active-Passive?
2. I have license for Active-Active.
3. I have VSAT Internet connection from UK
4. All the Publishable Servers (Web, DNS and Email) and Internet Proxy servers (Microsoft ISA 2006) are part of one server farm VLAN 105.
5. What should I do on Outside Interface its D-Link Layer 2 switch, should I replace it with Cisco 2960G or not?
6. Should I put Inside, DMZ and Outside ASA interfaces on the same relevant VLANS or separate VLANS, like Inside VLANS are 101,102,103 and 104 ASA will be the part of one of these VLANS or it will be out in its own VLAN, what should I do with DMZ and outside as well?
I will appreciate if you can answer me the above questions and give me some examples.
Suggest me if you have better idea of implementation.
I have seen your diagram, I will recommend you to change inside connectivity.
If you any low cost switch, use it to connect in below manner.
1 Connect 3750---L2switch----ASA1 inside interface
2 Connect 3550---L2switch----ASA2 inside interface.
3 Enable trunking in between 3750 and 3550, create new vlan for ASA1&2 inside connectivity and run HSRP at L3switches side.
If you don't have L2 switch, create new vlan on 3750 and use it to connect ASA1&2 inside interfaces.
I feel Active-Passive failover is better.
You need not to replace D-Link switch.
Coming to DMZ and outside interfaces, you need not to create separate vlans.
Should I make DMZ and Inside Interfaces part of their relevant VLANS or Should I do like ASA DMZ interface will be directly connected to the Server Farm switch (Cat 2960G) so should I make ASA5550 DMZ interface a router port and put my all the server in non VLAN mode in Cat2960G switch and just make all servers default gateway as the IP address of ASA DMZ router port IP address? OR how should I configure it?
For Inside Interface, I will create this interface as router port on ASA and on the Layer 3 switch I will do the same like create a Layer 3 interface and will allow the routing between them in this way my all the Internal VLANs can communicate with the Inside Interface of ASA.
Is this okay?
What the advantage\diference b\w using Active-Active mode or Active-Passive mode failover?
I really appreciate your response and help
Network or security design purely depends on requirement. If you wanted to restrict communication between servers (like web, sap,etc)create different vlans on dmz switch and configure trunk between dmz switch and ASA1&ASA2. Otherwise just leave all the servers in single vlan pointing to ASA as gateway.
I feel in first phase you just setup dmz in single vlan, later based on your requirement you can create multiple vlans to separate servers communications.
Create separate vlan for ASA1&2 inside connectivity to 3750.
In Active-Active configuration you can load balance the traffic. This you can use, if one firewall throughput is not satisfying your line speed. But I recommend first you start with active-passive configuration, later you try active-active.
Sory for not replying and updating you, I am working on ASA single unit first to see how it works then I will add the Failover functionality in it in the light of your guidelines, I will get back to you once I am done.
Do you know any very good book only for CISCO ASA5500 series otherthen the online CISCO docs?
Quick question if you can advise me.
Currently I am using Microsoft ISA server 2006 with its firewall services+two interfaces one inside otherone directly connected to the Internet, I want to use ISA server as a Proxy+Cahe only behind the ASA5550 firewall, in this situation I will place ISA server in DMZ zone and clients will make internet request, it will come to DMZ-ISA then ISA will forward it to Outside interface using the NAT feature,
Is this ok? Or you have any other idea
I will appreciate advice
Please read the following link. It's quite explanatory:
There are some sample topologies and config at the bottom but please read the whole document.