ASA - Primary/Failover Network Design to one internet router

p-allen · ‎11-11-2007

We have two 6509 on the inside network hooked to our two asa fiewalls configured as primary and back up. Then both of them are hooked to a cheap network switch and then connected to our ISP's router. Is this best-practice or what is the best way to do this? Could we create a non-routed vlan on our cores 6509's and hook one up to one asa to one 6509 and the other asa to the other asa? Then hook the ISP router to one of the 6509's. The problem I see with this is that if the 6509 that the ISP router is hooked to goes down then the internet is down. Looking for suggestions and ideas to make our current design better. thanks in advance

Jon Marshall · ‎11-11-2007

Hi

Your current setup sounds fine to be honest. If you are concerned with the "cheap" network switch you could use your 6500 to have a non-routed vlan but as you say if the 6500 that goes down is the one connected to the ISP router then you have lost the Internet.

Couple of things

1) If you could run 2 connections from the ISP router one to each 6500 then you have overcome that problem but this may not be possible.

2) The main issue with collapsing your external ASA interfaces and in the internal ISP router interface onto the 6500 is you are now more vulnerable to a misconfiguration on the 6500 opening up your internal network. You should also look into vlan-hopping which is an argument for physcially separating your switches.

If the main concern is the "cheap" switch you could look to replace with a couple of 2960's for example but even then the ISP router is still a single point of failure.

Jon