IPS-4240

estelamathew
Level 2

Hello Dears,

Please find the attached.

I have made an inline pairing in the IPS for ports 1 and 3 and for ports 2 and 4. The server has 2 NIC cards, and both are active. Will there be an issue with IPS inline interface pairing packet forwarding? Only 1 ASA is active; the ASA will receive traffic only from port 1.

Is this a correct configuration???

Thanks

14 Replies

Maykol Rojas
Cisco Employee

Hello Estela,

Mike here. I see your scenario. If that web server is being accessed from the outside world, make sure that the NIC cards it is listening on have their default gateway set to the primary IP of the failover cluster.

I am a little bit worried to hear that the second NIC is working as well... is that second NIC card just for internal traffic?

Let me know.

Mike

Hello Dear,

"I am a little bit worried to hear that the second NIC is working as well... is that second NIC card just for internal traffic?"

No, they are both going to the DMZ interface.

The server's NICs are teamed into 1 virtual network adapter when we create a team between the 2 physical interfaces. So there is an IP on the virtual adapter, and it can be configured in failover mode or load-balanced mode. These servers are configured in load-balanced mode.

My concern is: if the server's NIC-2 sends traffic to DMZ switch-2, then the IPS will receive the traffic on port 4, i.e. the pair with port 2. Port 2 is connected to the standby ASA, SO will the IPS route the traffic to ASA-1 via port-1????????????????

Thanks

Hello Estela,

Nope, the IPS won't do any kind of routing; it just forwards the packet to the outgoing interface (in this case the port that is directly connected to the standby ASA).

Hope it helps

Mike

Hello Dear,

There will be no such routing; the DMZ zone will be in 1 subnet, there will be an ARP request.

Thanks.

Estela

I am sorry I was not clear enough. By routing I meant that it will just send the packet to the outgoing interface; it won't try to do ARP lookups or anything to try to send it to the primary unit, it will just forward the packet.

Any doubts let me know.

Mike

Hello Mike,

If there are 2 switches as per the design, then there is a problem for the packet to reach the ASA interface when traffic is sent by DMZ switch-2 while the server's NICs are in load-balance mode. Suppose I enable only failover mode on the server's NICs; that means it will be active only through DMZ switch-1. In case the server's NIC-1 fails, or in case of a switch-1 failure, the server can send traffic through NIC-2 via switch-2, which is connected to IPS port-4.

I can configure an inline interface pair for ports 1 and 3 and an inline interface pair for ports 2 and 4.

Please correct me if I'm wrong.

Thanks

Hello

You are correct! After some thinking... here is what I was able to figure out:

1-Connect interface 2 of the IPS to DMZ switch 2

2-Connect the DMZ interface to the switch

3-Do the same with the other firewall and the IPS interface

That way, if the packet comes from the second NIC it will go to switch 2, then to the IPS, switch 1 and then the firewall.

Cheers.

Mike

Hello Mike,

Please find the attached in the mail.

I didn't understand your reply; can you be more specific????? I think your view is according to the new attached file, but the traffic from switch-1 will flow directly to the primary ASA; it will not hit the IPS.???????

My view of the traffic flow if the server's NICs are in failover mode (not in load-balanced mode):

Server NIC-1 ----->Switch-1 ---->IPS-port3----->IPS-port1---->Primary ASA

If the switch fails, then the traffic flow will be

Server NIC-2----->Switch-2------>IPS-port4----->IPS-port2---->Secondary ASA

Inline interface pairs are ports 1 and 3 and ports 2 and 4.

BUT how will the ASA come to know to switch over to the secondary firewall when DMZ switch-1 fails or IPS port 3 fails?

Any mechanism to track?

Thanks

Hello Estela,

Kinda, yeah, but we would need to make VLANs here... Take a look at the topology I drew.

In case the packet leaves from NIC A going to the active unit:

1-The packet would go on VLAN 100 to the left switch, then it's going to go into the IPS

2-The IPS then sends it out to the switch on VLAN 120, right

3-The packet is going to be forwarded to the DMZ interface of the firewall.

In case the packet leaves from interface B:

1-The packet gets to the switch on VLAN 100

2-The packet gets to the IPS, which forwards it to VLAN 120

3-It gets to the switch and is sent to the interface of the firewall


If you have any doubts please let me know

Mike

Hello Mike,

Thanks for the precious reply. I have some doubts, please help me.

According to your drawing and replies:

In case the packet leaves from NIC A going to the active unit:

1-The packet would go on VLAN 100 to the left switch, then it's going to go into the IPS

2-The IPS then sends it out to the switch on VLAN 120, right

3-The packet is going to be forwarded to the DMZ interface of the firewall.

1) You told me to do pairing of interfaces in the IPS: left port VLAN 100 and right port VLAN 120.

Answer: How will the packet flow? For example: the switch (left) receives the packet, it will broadcast on VLAN 100, the IPS will receive the packet and will forward it out of the other interface of the pair, i.e. VLAN 120 (right side), going to the active ASA.?????? Will this scenario work when the server and the DMZ interface are in the same subnet but in different VLANs????

Please correct me for question 1 if I'm wrong.

2) Suppose the active ASA fails and the switch doesn't fail; still the packet flow will be the same as above, and the packet will be dropped because the pairing is between VLAN 100 (left) and VLAN 120 (right). The IPS will forward to the right VLAN 120, which will be the standby ASA.

Please correct me for question 2 if I'm wrong.

3) In case the packet leaves from interface B:

1-The packet gets to the switch on VLAN 100

2-The packet gets to the IPS, which forwards it to VLAN 120

3-It gets to the switch and is sent to the interface of the firewall

Answer: Still my primary ASA is active, and the pairing of interfaces in the IPS is VLAN 100 (right) and VLAN 120 (left); the packet will be forwarded to the standby ASA and the packet will be dropped.

Please correct me for question 3.

Thanks once more for being patient and understanding my problem.

Hello Dears,

Can anybody help me with the above query?

Thanks

Hi

1-No, not even if they are on the same subnet; remember that the layer 2 VLAN will separate them.

2-If the active fails, the standby will take its MAC address, so the packet will be sent via source and destination MAC address;
the IPS won't change that.

3-If the packet is being sent from NIC B, it will take its correct path: it will go from the NIC to VLAN 100 and then be forwarded
to the correct ASA based on its MAC address once it is forwarded from the IPS to the switch on the "outgoing VLAN" (120).

Hope it helps

Mike

Hello Mike,

Thanks for your reply.

Question: "If the active fails, the standby will take its MAC address, so the packet will be sent via source and destination MAC address;
the IPS won't change that."

SO the behaviour of the IPS, you mean to say, will work on MAC address, though the pairing of interfaces does not match? In case the primary ASA fails, the packet will be forwarded to the standby ASA via the port on VLAN 120 on the (left side) switch, though that interface is not in a pair with VLAN 100 (left side).

From the User Guide 7.0, what I have read is below; please see the link below.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_interfaces.html#wp1032013

"In inline interface pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature."

Question-2: Do you mean to say inline VLAN pair or inline interface pair????? What I have read about inline interface pairs is above.

Answer: Can we do an inline VLAN pair with the same VLANs on different interfaces of the IPS (on port 1 pair VLAN 100 and VLAN 120, and on port 2 pair VLAN 100 and VLAN 120)??????

Thanks Mike, I really appreciate the replies.

Hello Dears,

Only the doubt from the previous mail, Dears. I know Mike is absolutely right logically, but I just need to clarify rather than being a parrot engineer.

Thanks
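An added configuration example, not part of this thread and not taken from Cisco's documentation, showing side by side the two IPS 7.0 modes the thread keeps circling: the inline interface pairs Estela describes (ports 1/3 and 2/4) and the inline VLAN pair (VLAN 100 paired with VLAN 120 on one physical port) that Mike's drawing depends on. The interface names (GigabitEthernet0/0 through 0/3 standing in for "ports 1-4"), the pair and subinterface names, the virtual sensor name vs0 and the VLAN numbers are all assumptions chosen for illustration; lines beginning with "!" are annotations rather than commands. A physical interface can be in an inline interface pair or carry inline VLAN pair subinterfaces, not both, so treat A and B as alternatives. Reusing the same VLAN numbers on a second physical port (Estela's last question) is shown in B as I understand the guide, whose stated restriction is that a VLAN may not appear in two pairs on the same interface; verify that against the 7.0 guide and `show interfaces` on your own sensor before applying.

```cisco
! === Option A: inline interface pairs (the original post's design) ===
! A frame entering interface1 leaves on interface2 of the same pair, and vice
! versa. The sensor does no ARP or MAC lookup, so the egress port is fixed by
! the pair: traffic from DMZ switch-2 on port 4 can only exit on port 2, i.e.
! toward whichever ASA is cabled there, active or standby.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/2
sensor(config-int-inl)# description port1-port3: DMZ switch-1 to primary ASA
sensor(config-int-inl)# exit
sensor(config-int)# inline-interfaces PAIR2
sensor(config-int-inl)# interface1 GigabitEthernet0/1
sensor(config-int-inl)# interface2 GigabitEthernet0/3
sensor(config-int-inl)# description port2-port4: DMZ switch-2 to standby ASA
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Nothing is inspected until the pairs are assigned to a virtual sensor.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface PAIR1
sensor(config-ana-vir)# logical-interface PAIR2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! === Option B: inline VLAN pairs on 802.1Q trunk ports (Mike's VLAN 100/120 design) ===
! A frame arriving tagged VLAN 100 is inspected and re-sent out the SAME physical
! port tagged VLAN 120 (and 120 -> 100). The switch, not the IPS, then delivers
! it to whichever ASA currently answers for the DMZ MAC address, so an ASA
! failover needs no change on the sensor. The same pair is repeated on the port
! facing the second switch (assumed here, see the note above).
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 100
sensor(config-int-phy-inl-sub)# vlan2 120
sensor(config-int-phy-inl-sub)# description switch-1 trunk: server VLAN 100 <-> ASA DMZ VLAN 120
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 100
sensor(config-int-phy-inl-sub)# vlan2 120
sensor(config-int-phy-inl-sub)# description switch-2 trunk: server VLAN 100 <-> ASA DMZ VLAN 120
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! Check that the pairs are up and bound to vs0 before trusting the path.
sensor# show interfaces
sensor# show configuration
```

For option B the switch port toward the sensor must be an 802.1Q trunk carrying both VLAN 100 and VLAN 120, the server ports sit in VLAN 100 and both ASA DMZ ports in VLAN 120; since the IPS only rewrites the VLAN tag and never touches source or destination MAC, the frame reaches whichever unit currently holds the DMZ interface MAC after a failover, which is the point Mike makes in reply 2 above.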
