ASA - Primary/Failover Network Design to one internet router
We have two 6509s on the inside network hooked to our two ASA firewalls configured as primary and backup. Then both of them are hooked to a cheap network switch and then connected to our ISP's router. Is this best practice, or what is the best way to do this? Could we create a non-routed VLAN on our core 6509s and hook one ASA up to one 6509 and the other ASA to the other 6509? Then hook the ISP router to one of the 6509s. The problem I see with this is that if the 6509 that the ISP router is hooked to goes down, then the internet is down. Looking for suggestions and ideas to make our current design better. Thanks in advance.
Re: ASA - Primary/Failover Network Design to one internet router
Your current setup sounds fine, to be honest. If you are concerned with the "cheap" network switch, you could use your 6500 to have a non-routed VLAN, but as you say, if the 6500 that goes down is the one connected to the ISP router, then you have lost the Internet.
A couple of things:
1) If you could run two connections from the ISP router, one to each 6500, then you have overcome that problem, but this may not be possible.
2) The main issue with collapsing your external ASA interfaces and the internal ISP router interface onto the 6500 is that you are now more vulnerable to a misconfiguration on the 6500 opening up your internal network. You should also look into VLAN hopping, which is an argument for physically separating your switches.
If the main concern is the "cheap" switch, you could look to replace it with a couple of 2960s, for example, but even then the ISP router is still a single point of failure.
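If you do go the route discussed above and put the outside segment on the 6500 as a non-routed VLAN, the VLAN-hopping concern comes down to how the ports are configured. The following is an added example (not from either post) of how the 6500 that carries the ISP router port might be configured; VLAN 900 as the outside transit VLAN, VLAN 999 as an unused native VLAN, and the interface numbers are all assumptions, and the syntax is classic Cat6500 IOS. The second 6500 would carry only the ASA-side access port and the trunk.

```cisco
! Hypothetical core-6500 configuration for a non-routed outside VLAN.
! VLAN numbers and interface names are assumed, not taken from the thread.
vlan 900
 name OUTSIDE-TRANSIT
vlan 999
 name UNUSED-NATIVE
!
! Ports facing the ASA outside interface and the ISP router are fixed access
! ports with DTP disabled, so neither device (or anything plugged in their
! place) can negotiate itself into a trunk and reach other VLANs.
interface GigabitEthernet1/1
 description ASA-primary outside
 switchport
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description ISP-router LAN side
 switchport
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Inter-core trunk: carry VLAN 900 across to the other 6500 explicitly, use a
! native VLAN that nothing else uses, and tag it, so a double-tagged frame
! arriving on an access port cannot be hopped off the native VLAN.
interface TenGigabitEthernet5/1
 description trunk to other 6500
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,900
 switchport mode trunk
 switchport nonegotiate
!
vlan dot1q tag native
!
! Deliberately no "interface Vlan900". With no SVI the 6500 has no Layer 3
! presence on the outside segment, so a routing or ACL mistake on the core
! cannot forward traffic between VLAN 900 and the inside VLANs; only the ASA
! pair bridges that gap.
```

The things worth verifying after applying something like this are `show interfaces trunk` (VLAN 900 should appear only on the inter-core trunk, and the ISP and ASA ports should not appear at all) and `show ip interface brief` (no `Vlan900` entry). Note that this hardens the hop, but it does not remove the single point of failure the original reply mentions: the 6500 holding the ISP router port is still the one whose loss takes the Internet down.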