Redundant Transparant ASA between Redundant Routed Links
Aparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoe horn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), that currently are Layer 3 only, with no L2 configuration at all. I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered, long before I came onboard, and the DC design had been completed. From these two Cores, i connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, and connected via eBGP, one link with a path prepend, due to the vendor not able to figure out how to load balance on their firewall. Due to numerous vendor problems, and lack of knowlege, I cannot get them to change their design in a timely manner, to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week. The vendor took 3 weeks just to figure out how to aggregate routes to me!.
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASA's, I am not sure this will be that easy given the /30 L3 interfaces being used. Secondly the lack of L2 between the two upstream cores may be a concern, at least from past expiriences. I know if I was using some other vendor's clustered FW, this wouldn't be a problem, but I definately don't want to join the Dark side again, or do I have time to procure any other equipment other than the 5520's I currently have laying around. Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :