
New Member

Network Topology/Configuration Validation


We are implementing a two-tier firewall architecture using FortiGate and Cisco ASA 5500 series firewalls for our internal network.

All the tiers will be redundant-mode firewalls (Active/Active).

The first-tier firewall (FortiGate) will host the web servers (front-end servers).

The second-tier firewall (ASA 5520) will host the database (back-end servers) and storage servers.

Please refer to the attached security-setup-final PPT for the actual topology.

Kindly guide on the configuration in terms of:

1) Routing protocol to be used (OSPF/RIP)

2) PRI dialup config (DDR) design for branches

3) Firewall design validation

4) IP scheme validation (attached)

5) WAN setup termination point

Please suggest if the proposed setup and related IP scheme will work seamlessly.



Re: Network Topology/Configuration Validation


As per your network diagram,

1) A per DR router should connect to both 3845 routers which are kept in the DMZ of the ASA. It will give you redundancy. The routing protocol will take care of redundancy, so no manual intervention is required.

2) You have mentioned PIX in your IP schema, but there is no PIX in your diagram.

3) For the routing protocol you should go for either EIGRP or OSPF, whichever you are comfortable with. But if you are planning to run a routing protocol between the ASA and routers, then you need to run OSPF/RIP because it doesn't support EIGRP.

4) For branches, primary connectivity through CE1 and backup via PRI dialup is fine. The configuration you can find here:

In case you have any further query, you may update the post.


aashish C
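The branch-side pattern described in point 4 (primary connectivity through CE1, ISDN PRI dialup as DDR backup), written out as an added example. This is not aashish's configuration and does not reproduce the link in the post; the hostname, interface numbers, addresses, ISDN switch type, dial string and CHAP credentials are all assumed placeholders to be replaced with the branch's real values.

```cisco
! Added example (not from the thread): branch router, primary WAN via CE1 plus PRI dial backup.
! Assumed placeholders: hostname, interface numbers, 10.x/192.0.2.x addresses,
! ISDN switch type, dial string and CHAP credentials.
hostname BRANCH-RTR
!
! CHAP peer for the backup call; the password is a placeholder
username HQ-RTR password PLACEHOLDER
!
! ISDN PRI on a T1 controller; the D-channel appears as Serial0/0/0:23
isdn switch-type primary-ni
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
! Primary WAN link towards CE1 (assumed /30 addressing)
interface Serial0/1/0
 description Primary WAN to CE1
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 description Branch LAN
 ip address 10.20.1.1 255.255.255.0
!
! The D-channel interface only joins the dialer pool; DDR logic lives on the Dialer interface
interface Serial0/0/0:23
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type primary-ni
!
! Dialer profile: what to call, when to hang up, and which traffic is "interesting"
interface Dialer1
 description Backup to HQ over PRI
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer remote-name HQ-RTR
 dialer string 5551000
 dialer idle-timeout 300
 dialer-group 1
 ppp authentication chap
!
! Any IP traffic that is routed out Dialer1 brings the line up
dialer-list 1 protocol ip permit
!
! OSPF only across the primary link and the LAN; Dialer1 is deliberately not in OSPF,
! so no hellos are sent over the backup and the call is never kept up by routing chatter
router ospf 1
 network 192.0.2.0 0.0.0.3 area 0
 network 10.20.1.0 0.0.0.255 area 0
!
! Floating static default with AD 200: ignored while OSPF (AD 110) supplies a default
! via the primary link, installed only when the primary goes down
ip route 0.0.0.0 0.0.0.0 Dialer1 200
```

The backup path is triggered purely by routing: as long as HQ originates a default route into OSPF and CE1 is up, the floating static never enters the routing table and no call is placed; when OSPF adjacency over Serial0/1/0 is lost, the default via Dialer1 becomes best, the next interesting packet dials, and the call drops after 300 idle seconds once the primary returns. Verify with `show ip route 0.0.0.0`, `show isdn status` and `show dialer`.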


New Member

Re: Network Topology/Configuration Validation

Hi Aashish,

Thanks for the prompt reply.

As per the attached IP scheme it is ASA only (no PIX).

Is this scheme OK?

Also, should we run OSPF in the branch routers as well, or should we put a default route in the branch routers?

Also, we are planning to implement HSRP in the primary site routers.

Please suggest.


New Member

Re: Network Topology/Configuration Validation

Also, can I get a configuration reflecting this setup, in terms of WAN and two-tier firewall?


New Member

Re: Network Topology/Configuration Validation

Hi all,

Any suggestions on this?



New Member

Re: Network Topology/Configuration Validation

ASA in active/active mode means you are running multiple contexts, one context in primary mode on one ASA with the 2nd ASA as secondary. Vice versa for 2nd ASA. When running in multiple context mode you cannot use dynamic routing protocols (static only). If you will only need 1 firewall (i.e. not multiple contexts), then the ASAs will be running in active/standby mode (and can use dynamic routing).

Another note, if the client wants to use Intrusion Prevention (inline) versus Intrusion Detection (mirrored with ACL blocking/shunning), the ASA IPS modules are much easier to maintain than inline 4215s. OS upgrades come out every couple of months. With ASA IPS cards, traffic will automatically bypass IPS during upgrades (reload of IPS card).
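The single-context, active/standby ASA pair with OSPF that the reply above says is the only way to combine failover with dynamic routing, as an added example that is not the poster's configuration. The hostname, interface numbers, addresses, failover link names, OSPF area and authentication key are assumed placeholders; the second unit needs only the failover link commands with `failover lan unit secondary`, the rest is replicated from the primary.

```cisco
! Added example (not from the thread): ASA 5520 pair, single-context mode,
! active/standby failover with OSPF towards the 3845 routers in the DMZ.
! Assumed placeholders: hostname, interface numbers, 10.x addresses, link names, MD5 key.
hostname ASA-BACKEND
mode single
!
! Two dedicated links: FOLINK carries hellos and config sync, STATELINK replicates
! connection state so established sessions survive a switchover
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link STATELINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover polltime unit 1 holdtime 3
!
! Every data interface carries an active and a standby address; the standby unit
! answers on the standby address, which is how interface health is tested
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0 standby 10.10.0.3
 ospf authentication message-digest
 ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
interface GigabitEthernet0/1
 nameif dbzone
 security-level 100
 ip address 10.30.0.1 255.255.255.0 standby 10.30.0.2
!
! Monitored interfaces trigger a switchover when they fail on the active unit
monitor-interface outside
monitor-interface dbzone
!
! OSPF only on the DMZ-facing side; the ASA 'network' statement takes a subnet mask,
! not an IOS-style wildcard. The dbzone subnet is left out so no hellos reach the
! database segment, and the neighbour relationship to the 3845s is MD5-authenticated.
router ospf 1
 network 10.10.0.0 255.255.255.0 area 0
 log-adj-changes
!
! The DMZ segment is still advertised to the routers as a connected route
redistribute connected subnets
```

On a switchover the standby unit takes over the active IP and MAC addresses, so the 3845 routers see the same OSPF neighbour come back rather than a new one. Check the state with `show failover` and the adjacency with `show ospf neighbor`. In the active/active (multiple-context) alternative the reply describes, `mode multiple` replaces `mode single`, each context is assigned to `failover group 1` or `failover group 2`, there is no `router ospf` inside a context, and each context's reachability is carried entirely by per-context `route <ifname> <net> <mask> <gateway>` statements.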