Solved

ASA integration with LAN & WAN

Posted on 2008-10-20
Last Modified: 2012-05-05
Implementation solution required for integrating LAN with WAN.
2 4500s working as core+distribution switch. HSRP shall be implemented in the core for access. Both the switches shall be connected to 2 ASA5510 integrating LAN. WAN setup consisting of 2 2800s shall cater to Internet & MPLS WAN, connected to both the ASAs. (ASAs with security license are sandwiched between LAN & WAN.)

Can you help me to come up with robust solution considerations for the above setup, please?
Question by:nocss
14 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 23070972
What exactly are you looking for? Solution wise you already have it?

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23313899
I have some doubts..
1. HSRP would be implemented for access switch rings. Odd VLANs primary for cs1 & even VLANs primary for cs2. Both the switches would be uplinked through ASA5510. Should both the FWs be configured in A/A or A/P mode for failover?
2. Will HSRP tracking towards the FW be required for better convergence?
3. Could the EtherSwitch NM modules integrated with 2811 ISRs be used for consolidating layer 2 links coming out of the FWs and entering the respective router interface?
LVL 32

Expert Comment

by:rsivanandan
ID: 23334872
1. It really doesn't matter much unless you have like more than 100Mbps of internet link. Say you put it in;

active/active -> The maximum throughput you get is only the maximum of your internet bandwidth, so pushing through both the boxes at the same time won't get anything increased for you.

active/passive -> Again same, your active one is more than enough to push the traffic.

2. It is recommended to use tracking for end to end.

3. I do not understand the question.

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23335293
1. Agree. ASA5510 comes with A/A default. So change the setup to A/P and run LAN-based failover?

2. End-to-end setup would be "access swt --- core switch (collapsed core) --- asa5510 --- ISR2811". I assume end to end for HSRP tracking would be between cs & fw, or anything else?

3. There would be a total of 2 outside interfaces (one of each FW) which should be consolidated in one L2 VLAN in order to connect to either of the ISRs. This is what I guess. Now, can the EtherSwitch modules which come integrated with ISRs be made to behave like a normal 2950 switch?
LVL 32

Expert Comment

by:rsivanandan
ID: 23336572
1. Either way it is fine.

2. Correct.

3. L2 part is correct, but I don't know about the integrated stuff on ISR, never worked with an ISR.

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23337873
Thanks Rajesh. I'll get back with some more queries tomorrow. Hope you wouldn't mind.
LVL 32

Expert Comment

by:rsivanandan
ID: 23342399
It is a rule of EE that you can't overload the question, however if it is related to what you've asked then post back.

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23351841
Sure Rajesh. Last posting..

Users will have their dg as the floating HSRP IP of that particular VLAN. Wish to know what should be the dg for the access switches.

I wish to have VLAN 1 as L3 VLAN for acc swt as well as core swt for their identification/telnet purpose. Any consideration in regards to HSRP for VLAN 1 in the core switches?
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 23352127
The active ip address of ASA would be used. When the active goes down, the secondary assumes the active ip. Hope that is clear.

Usually VLAN 1 is kept for management traffic only, it is deemed best.

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23352196
Thanks Rajesh. Will build the configuration.
LVL 32

Expert Comment

by:rsivanandan
ID: 23352518
You could assign the points by yourself, don't you know how to do it?

Cheers,
Rajesh

Author Comment

by:nocss
ID: 23352927
NO
LVL 32

Expert Comment

by:rsivanandan
ID: 23353499
Ok, you should have the accept button on each answer and you can do it by selecting any of the answers. Also the help on this site would help you find it.

Cheers,
Rajesh

Author Closing Comment

by:nocss
ID: 31507874
Satisfied with the answers provided. Will help me building requisite configurations. THANKS..
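
The design discussed in this thread (odd/even VLAN HSRP split with tracking toward the firewall, and an active/standby ASA pair running LAN-based failover), sketched as an added configuration example that is not from either poster. All interface names, VLAN numbers, IP addresses and the failover link name FOLINK are assumptions, and the failover key is a placeholder.

```cisco
! --- CS1 (4500): HSRP active for odd VLANs, standby for even VLANs ---
! Track the uplink toward the firewall (interface name is assumed)
track 10 interface GigabitEthernet1/1 line-protocol
!
interface Vlan11
 description Odd user VLAN - CS1 is HSRP active (CS2 keeps default priority 100)
 ip address 10.0.11.2 255.255.255.0
 standby 11 ip 10.0.11.1
 standby 11 priority 110
 standby 11 preempt
 ! Losing the firewall uplink drops priority to 90, so CS2 takes over
 standby 11 track 10 decrement 20
!
interface Vlan12
 description Even user VLAN - CS2 is HSRP active (priority 110 and tracking on CS2)
 ip address 10.0.12.2 255.255.255.0
 standby 12 ip 10.0.12.1
 standby 12 priority 100
 standby 12 preempt
!
! Default route: next hop is the ASA active inside address,
! which the standby unit assumes after a failover
ip route 0.0.0.0 0.0.0.0 10.0.100.1
!
! --- Primary ASA 5510: active/standby with LAN-based failover ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2
!
! Dedicated failover link; it carries no nameif or data traffic
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Without a key, failover messages cross the link in clear text
failover key <FAILOVER-KEY-PLACEHOLDER>
failover
```

The secondary ASA takes the same `failover` lines with `failover lan unit secondary`; the rest of the configuration replicates from the active unit once the pair is formed.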