
New Member

How to configure routers connected to ASA

ASA.bmp

Hello

This is the image that you see everywhere for configuring failover. What is the vertical line to the left and right of the ASAs?

I'm studying for SNAF and I wanted to test ASA failover. I wanted to shut down the primary ASA's inside or outside interface and see if the inside and outside routers' pings would continue through the failover ASA. How do I connect two ASAs to two routers (inside and outside), and what IP addresses do I configure on the router interfaces? If only one of the ASAs (e.g. the primary) connects to the inside/outside routers, how would the secondary talk to the routers if failover occurs due to power loss to the primary?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: How to configure routers connected to ASA

Hello,

Here are the answers to your questions:

What is the vertical line to the left and right of the ASAs?

--the vertical line to the left is the outside network segment, the vertical line to the right is the inside network segment

How do I connect two ASAs to two routers (inside and outside) and what IP addresses I configure on router interfaces?

--The outside router will need to connect to the outside network segment, and the inside router will need to connect to the inside network segment. If you have a switch, you can configure a VLAN for the outside segment and a separate VLAN for the inside segment. The outside router interface will need to be assigned an IP address that is on the same subnet as the IP address assigned to the outside interface of the ASA. Likewise, the inside router interface will need to be assigned an IP address that is on the same subnet as the inside interface of the ASA.

If only one of the ASAs (e.g. primary) connects to inside/outside routers how would the secondary talk to the routers if failover occurs due to power loss to primary?

--For failover to work, you cannot connect the router directly to one of the ASAs. The outside and inside routers must be reachable for both ASAs.

Please take a look at the network diagram in the attached PDF; it will illustrate a typical failover design.

Hope this helps.

2 REPLIES
New Member

Re: How to configure routers connected to ASA

Excellent. Thanks Allen. A diagram of a switch instead of that vertical line would have saved me a few hours of reading, searching and frustration. So the outside interfaces on two ASAs and the interface on the outside router will all be in the same subnet, inside interfaces on two ASAs and the connecting interface on the inside router will be in the same subnet. Thanks again.
