Catalyst 3750 and Cisco ASA 5510 Failover Routing / ICMP Redirects Query

Posted on 2011-04-19
Last Modified: 2012-06-27
Hi there,

Please take a look at the attached JPG (Schematic Overview).
What I need to be able to set up is a scenario where if the LES goes down, routing between the subnets is automatically achieved by the VPN tunnel configured between the ASA devices (I haven't actually configured it yet, but I'm comfortable with this part).

Additionally, if the Internet connection goes down at either site, I need Internet traffic to be re-routed to the alternative ASA via the LES circuit.

I can provide configs if necessary, but they are fairly standard. The query is not how to execute this, as I'm quite comfortable with configuring ASAs and Catalysts (I think), but more around the design aspect.

1. Can this be done with the equipment shown here?
2. Can someone point me towards some relevant examples? (I can't find any.)

My initial thoughts were:

- Set the default gateway to be the switches at each site (.250 HSRP address)
- Set up an RTR / TRACK to send pings to a known device on each of the alternate networks
- If the RTR fails, then re-route to the ASA using a secondary route statement

For the Internet failover:

- Have a separate RTR pinging google or bbc or something on each of the switches.
- When that RTR fails, send traffic over the LES switch port instead of redirecting it to the ASAs

My only thoughts about this are that, of course, with HSRP set up, both subnets are directly connected to each of the switches, so how do I go about enforcing a route statement and an ICMP redirect through to the ASA at each site? Is there a value I can assign this, or some command I can execute that will ignore the directly connected VLANs and route externally?

We set up the LES with HSRP and inter-VLAN routing on both switches as, if I am honest, I couldn't get the Catalysts to route using switchports in the standard manner (i.e. like a router). So for instance, sending any traffic for over switchport 1 on and vice-versa on the alternate switch didn't work for some reason. I spent ages trying to figure this out, and eventually realised that HSRP with both VLANs present at each site was actually a better way to set it up anyway; however, now I'm presented with this additional challenge.

Any pointers on the design greatly appreciated.

I should add that the ASAs are running 8.3(1) and I read that these now support ICMP redirects; however, actually trying to get them to issue ICMP redirects seems to be a bit of a black art! I wonder if what the documentation means is that the ASAs themselves will accept ICMP redirects and route accordingly? Any clues as to this greatly appreciated.

Question by: prodriveit

Expert Comment

ID: 35423382
Sorry, but the design won't work. The switches will have no reason to route the traffic to the opposing side, because the IP subnet is already directly connected.
I think you need to go back to having only the actual subnet present on each side, and not run HSRP. It should work without a problem, so we need to dig into why it didn't work the first time around.
When you get that part working, you can move on to getting a routing protocol up and running. The ASA supports only RIP and OSPF.

Accepted Solution

kellemann earned 2000 total points
ID: 35423478
I just reread your question, and think I know where it went wrong. Did you have an extra IP subnet for routing purposes between the two sites on the LES side of things? You need a third subnet/VLAN in order for the switches to do the routing, for example 192.168.100.x.
I found an example that describes the configuration you need. The only difference is that your switches (interchangeable with routers from the example in your case) have an extra direct link between them.
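To make the accepted design concrete, here is a constructed Catalyst 3750 configuration for the Site A switch, written for this page and not taken from the question, the answer or the linked example. It follows the structure agreed above (only the local subnet on each switch, no HSRP, a third transit subnet on the LES link) and adds the asker's own IP SLA / track idea for both failover cases: traffic to the remote LAN goes over the LES while the remote switch answers pings, and falls back to the local ASA (the VPN tunnel) when it does not; Internet traffic goes via the local ASA while an external host answers, and falls back across the LES otherwise. Every address, VLAN number and interface name is an assumption chosen to fit the text (the .250 switch address from the question, 192.168.100.x from the answer), not a value from the attached schematic. The Site B switch needs the mirror-image configuration.

```cisco
! Site A Catalyst 3750 -- constructed example; all addresses are assumed placeholders
ip routing
!
interface Vlan10
 description Site A LAN (only the local subnet is defined here; no HSRP)
 ip address 192.168.10.250 255.255.255.0
!
interface GigabitEthernet1/0/1
 description LES circuit to Site B switch, carried in the transit VLAN
 switchport access vlan 100
 switchport mode access
!
interface Vlan100
 description Transit subnet between the two switches (192.168.100.x, assumed /30)
 ip address 192.168.100.1 255.255.255.252
!
! Probe 1: is the Site B switch reachable across the LES?
ip sla 1
 icmp-echo 192.168.100.2 source-ip 192.168.100.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Probe 2: is the Internet reachable through the local ASA?
! 8.8.8.8 is an assumed external target; use a host that is permitted to answer ICMP.
ip sla 2
 icmp-echo 8.8.8.8 source-ip 192.168.10.250
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
 delay down 15 up 30
!
! Pin the probe target to the local ASA so the probe keeps testing the local
! Internet path even after the default route has failed over (prevents flapping).
ip route 8.8.8.8 255.255.255.255 192.168.10.1
!
! Site B LAN (192.168.20.0/24 assumed): primary over the LES while track 1 is up,
! floating route via the local ASA inside address when it is down.
ip route 192.168.20.0 255.255.255.0 192.168.100.2 track 1
ip route 192.168.20.0 255.255.255.0 192.168.10.1 200
!
! Default route: primary via the local ASA while track 2 is up,
! floating route across the LES to the Site B switch when it is down.
ip route 0.0.0.0 0.0.0.0 192.168.10.1 track 2
ip route 0.0.0.0 0.0.0.0 192.168.100.2 200
```

Two checks before relying on this: `show track` and `show ip sla statistics` confirm that each probe is actually being answered before you test a failure, and the `ip sla` / `track` commands depend on the IOS feature set on the switch, so verify the image accepts them. The ASA side (the site-to-site tunnel, NAT exemption for the remote subnet, and routes for the remote LAN pointing back at the switch) is not shown here; note in particular that when Internet traffic from Site A leaves through the Site B ASA, that ASA must have a NAT rule covering the Site A subnet, or the fallback path will be routed but dropped.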


Author Comment

ID: 35424000
Thanks for your help - that's really useful!

I didn't have the third subnet, so I will go back and re-configure with that in place and disable HSRP etc.

From there, I will have a go at sorting the RIP / OSPF myself, but if I get stuck, I may post another question on this and will send you a message (if that's possible) through EE if I may?

Thanks again. I'll close the question unless you think I should leave it open for any reason?


Author Closing Comment

ID: 35424187
Thanks for the prompt response.

Expert Comment

ID: 35424199
You're welcome. I think there is a link on my profile page to contact me directly, but I haven't used that feature before.
