
Two ASA 5510 High Availability, Two 3560x with HSRP.

I have two ASA 5510 working on High Availability, and I need to connect them with two 3560x switches working with HSRP. What is the better way to connect them? I am trying to get High Availability. Do I need to make some additional configuration?

Accepted Solutions

Hi Luis,

Are you going to use the same 3560X switch for connecting your ASA outside and interface? Are you talking about only the inside interface?

If you are talking about only one segment, the configuration is pretty simple.

Create a common subnet between the ASA and the switches (like 192.168.100.0/28):

ASA primary: 192.168.100.5, ASA standby: 192.168.100.6

Switch 1: 192.168.100.2

Switch 2: 192.168.100.3

VIP address: 192.168.100.1

From the 3560: point the default route (or the specific route that passes via the ASA) to the active IP address of the ASA, 192.168.100.5 (primary ASA interface IP address).

From the ASA: point the reverse route for the networks/subnets available on the 3560 switch to the HSRP IP address of your SVI VLAN: 192.168.100.1

As given below, if your ASA fails or fails over, traffic will be pointed back to the HSRP VIP address (Switch 1).

On your switch 1, under HSRP, track the interface connecting to ASA 1; if the connectivity fails you can bring down the HSRP priority and make switch 2 active, similarly for the ASA failover.

 

ASA (Primary)----->Failover---> ASA(Standby)
|                                    |
|                                    |
Switch1----------> L2 Link---------> Switch 2
HSRP VIP

 

HTH
Sandy
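
The addressing plan from the answer above, written out as an added configuration example (not part of the original post, and not taken from a running device). Interface names, VLAN 100, HSRP group 1, the priority values, the 10.10.0.0/16 internal range and the `<shared-key>` placeholder are assumptions; the HSRP authentication lines are optional hardening that the post does not mention.

```cisco
! --- Switch 1 (3560X), intended HSRP active; "ip routing" must be enabled ---
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/1
 description Link to ASA primary inside (assumed port)
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 description Transit subnet to ASA inside (VLAN ID assumed)
 ip address 192.168.100.2 255.255.255.240
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
 ! ASA-facing link down: 110 - 20 = 90, below Switch 2's default of 100
 standby 1 track 1 decrement 20
 ! Optional hardening (assumption): authenticate HSRP hellos
 standby 1 authentication md5 key-string <shared-key>
!
ip route 0.0.0.0 0.0.0.0 192.168.100.5
!
! --- Switch 2 (3560X), HSRP standby at default priority 100 ---
interface GigabitEthernet0/1
 description Link to ASA standby inside (assumed port)
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 ip address 192.168.100.3 255.255.255.240
 standby 1 ip 192.168.100.1
 ! preempt is required so Switch 2 takes over when Switch 1 drops to 90
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-key>
!
ip route 0.0.0.0 0.0.0.0 192.168.100.5
!
! --- ASA 5510 primary (configuration replicates to the standby unit) ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.5 255.255.255.240 standby 192.168.100.6
!
! 10.10.0.0/16 is a placeholder for the subnets behind the 3560s
route inside 10.10.0.0 255.255.0.0 192.168.100.1
```

The L2 link between the two switches has to carry VLAN 100 so HSRP hellos and ASA failover traffic can cross it. In ASA active/standby failover the unit that becomes active takes over 192.168.100.5, so the default route on both switches stays valid after a failover.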
