Standalone Cisco ASA5585 Gateway Resiliency

Hi,

I have a pair of 4900M switches at my collapsed access/core network, with only a single ASA5585 chassis firewall as the [layer 3] gateway.

The ASA chassis has a firewall SSP and an IPS SSP, with [x16 Gb] interfaces across the firewall and IPS SSP modules.

The 4900 will be configured in layer 2 mode with no inter-VLAN routing.

My first thoughts are that the setup would probably have to look something like this:

      ASA
       |
       |
--4900a----4900b--
    |            |
    |            |

[where 4900a connects to the firewall ssp on asa]

If 4900a fails, all hosts connected to 4900b lose connectivity; likewise, if the Gb interface or firewall SSP on the ASA fails, the whole network is lost.

What I would like is this:

     __ASA__
    |       |
    |       |
--4900----4900--
    |       |
    |       |

...where connections from each 4900 terminate at NICs on each SSP of the single ASA5585.

Clearly the ASA is in itself a single point of failure, however...

Without using intelligent Layer 3, what would be the most straightforward way to provide extra robustness in this setup? [before then considering the impact on the firewall rulebase and functionality]

Is there a layer 2 solution, with a single gateway IP [at my single gateway firewall]?

I can see a potential dot1q solution where the two physical links up to the firewall are each dot1q trunks, and I could perhaps create an additional VLAN that layer-3 terminates at the firewall with an IP address on a FastEthernet dot1q trunk.

However, I believe this will require a unique IP address on each VLAN that maps to the firewall layer 3?

Also, the latest version of ASA firmware now supports port channelling; I will research whether this is a possibility as well; not sure if you can multi-chassis port-channel across the x2 4900 devices [very unlikely].

Can somebody validate/confirm whether there is a straightforward solution to this?

Thanks
