Redundant Network Config with two ASAs and two switches
I'm hoping someone can critique a very basic redundant ASA configuration. Currently, we have rack space at our provider. The provider provides us with two uplinks to their cores. I have one ASA 5520 and one 3560 switch, so both uplinks (fiber) are on the same switch. I would like to introduce another ASA and another 3560 (or 3750). I envision that one provider uplink will go into one switch, and the other uplink will go to our new switch. I can simply run spanning tree and will not need a routing protocol. We do not have an internet router. The outside interface of our ASA is placed into the same VLAN as the provider uplinks, and we "go out" from there. Our provider routes a netblock to our ASA outside interface IP. I then NAT to our internal servers, which are also plugged into the same switch, and VLAN appropriately. You can see we have all our eggs in one basket with the switch and ASA.
I can only introduce two more devices into our rack, so one more switch and one more ASA is all I have to work with. Please see the attached pic to see if I've thought this out.
1. I am confused about whether the two switches need to be connected together via an EtherChannel and HSRP or anything like that. The ASA is the default gateway for all the devices on the network, so the switches really aren't routing.
2. Our current ASA is running some older 7.2 code. I obviously want to get it up to the 8.x series. This may have to be a phased implementation, since this is a production site and my downtimes can't be long. Is it difficult to bring a single, standalone ASA into an Active/Standby configuration with an entirely new ASA? I know they have to be the same hardware config, code rev, etc.
I've done one of these before, but it was from scratch and I had the luxury of time.
The goal here (obviously) is to keep our servers available in the event we lose one ASA or one switch. Please look at the pic and offer any suggestions. Thanks very much.
Re: Redundant Network Config with two ASAs and two switches
1. If you configure the 2 ASAs as Active/Standby, you just need a trunk between the two switches. ASA failover needs Layer 2 connectivity for all related interfaces.
2. My suggestion for the implementation would be:
a. Map your current config to the new ASA with 8.x code and configure it as the primary unit in failover.
b. Take down the previous ASA and bring the new ASA online to test the connectivity during a maintenance window. In this way, if anything goes wrong, you can still bring back the previous ASA. If you use the same IP on the new ASA as that on the previous ASA, remember to clear the ARP table on its neighbor devices, since it still points to the previous ASA's MAC address.
c. Upgrade the previous ASA and configure it as the secondary unit in failover, then bring it back online.
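An added example configuration (not from the original reply or from Cisco documentation) of the Active/Standby pair and the inter-switch trunk the answer describes; the interface names, VLAN numbers, addresses and the shared secret are made up for illustration.

```cisco
! --- New ASA (8.x), to become the PRIMARY unit. Addresses and interfaces are illustrative.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 no shutdown
interface GigabitEthernet0/3
 description failover + stateful link to the peer ASA (VLAN 254 on the switches)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link FOLINK GigabitEthernet0/3
failover key <shared-secret-placeholder>
failover
!
! --- Old ASA, after it is upgraded to the same 8.x image: the SECONDARY unit.
! The interface and IP configuration is replicated from the primary over the
! failover link; only the unit role and the failover link settings are entered here.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key <shared-secret-placeholder>
failover
!
! --- Each 3560: the ASA outside ports sit in the provider uplink VLAN, and the
! trunk between the two switches carries every VLAN the ASA pair uses, so the
! units can see each other on every monitored interface regardless of which
! switch each one is plugged into (the Layer 2 reachability the reply requires).
vlan 10
 name outside-provider
vlan 20
 name inside-servers
vlan 254
 name asa-failover
interface GigabitEthernet0/24
 description trunk to the other 3560
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,254
 switchport mode trunk
```

After the cutover, `show failover` on the primary should report the peer as the standby unit and every monitored interface as normal. Hosts and neighbors that cached the old ASA's MAC address for the reused IP still need their ARP entries refreshed, as the reply notes.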