  • Status: Solved

LAN extension with two ASAs

Hi Experts,

Just looking for some design guidance - Here is the scenario I have:

I have two sites - A and B - each site has its own subnet, DHCP, DNS, etc.
In each site I have one vlan for voice and one vlan for data.
Sites A and B are connected together via VPN L2L.
Site A has a pair of Cisco ASA 5510 running 8.2(5) in active/standby mode
Site B has a pair of Cisco ASA 5505 running 8.2(5) in active/standby mode

There is an access list in place defining the traffic.
1 - Voice can talk to Voice across the link
2 - Data can talk to Data across the link
3 - Certain IPs on Data can access certain IPs on Voice across the link and vice versa.

Each site has their own internet connection - these are the same connections the VPN travels through.

Site A looks a bit like this.

PCs connect to the distribution switches - the default gateway for the network is a pair of 3560G running HSRP. This switch routes between the local voice and data VLANs and has a gateway of last resort that is the Cisco ASA 5510.

PC------ 3560G Gateway ----- ASA 5510 Gateway ----- Internet

Site B looks a bit like this - Same idea as above

PCs connect to the distribution switches - the default gateway for the network is ONE HP ProCurve J9089A Switch 2610-48-PWR (this is a layer 3 device). This switch does routing between the local voice and data VLANs and has a gateway of last resort that is the Cisco ASA 5505.

The gateway switch and the Cisco ASA (in both sites) are on the same IP subnet, meaning the connection between gateway and ASA is a layer 2 connection.

So the challenge starts now, and it is more of a design challenge than anything else

I recently acquired a LAN extension between these two sites. The purpose of this LAN extension is to substitute for the VPN L2L between sites. The LAN extension is 100Mbps full duplex.

My ideal scenario was to replace the VPN L2L by connecting the two endpoints of the LAN extension to spare ports I have on both ASA devices (Site A and Site B). This would help me leverage my knowledge of the Cisco ASA platform in creating and managing access lists.

One of the challenges I face is that I am not able to apply QoS to the traffic, so I would have to hope that 100Mbps is enough. Just for your knowledge, Site B's voicemail application is on Site A and there are some extension-to-extension calls going on. On a 10Mbps link (the slowest link between the two sites) I have never had problems with these calls or with calls to voicemail.

Ideally, for the future I would like to establish some internet redundancy between the two sites: if Site A loses internet, route through Site B's internet connection, and vice versa. However, this is not my immediate goal.

1 - What do you think about my idea?
2 - Do you see any challenges with this?
3 - If I tackle only the job of replacing the VPN L2L with the LANX, do you think I would have problems failing over the internet between sites in the future?

Much appreciated.
1 Solution
I can't speak to the HP's ability to do ACLs, but I know the 3560 can do ACLs. If you are ok with some simple ACLs to control traffic going between Data/Voice at the sites, you should be able to control this on the L3 switches. From there, create one additional VLAN on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASAs. The ASAs can advertise the default routes and any client VPN subnets, and the switches will exchange their locally configured subnets. The ASAs will need to be configured with route tracking or they will never remove the default route from advertisements. Also, the NAT on the ASAs will need to include the additional subnets for outbound internet traffic.

In the above scenario you will have direct site-to-site connectivity, site-to-site vpn backup, and internet backup assuming that both the internet and LAN extension aren't down at the same time.
ifred (Author) commented:
Hi Rauenpc,

Thank you for taking the time to post your suggestion, here are my thoughts:

First - just a reminder that I would likely have to do this in stages, meaning first substitute the functionality of the L2L VPN with the LANX, and later in time (could be months) achieve the internet redundancy.

Sounds like what you are suggesting is to have the layer 3 devices perform the routing. I understand this is doable; however, you talk about interactions with the ASA from these layer 3 switches:

> From there, create one additional VLAN on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASAs.

I would think that unless you are addressing the whole ideal scenario I would like to have in the end (routing, failover, etc.), if I am using the layer 3 devices it would probably be better to have these layer 3 devices directly connected to each other, bypassing the firewalls entirely: a straight LANX with a /29 between the devices. The default route points to the ASA, and specific routes point to the gateway across the WAN (/29).

So my point was really to not touch the current gateway devices, as they will send all routes unknown to them to the ASA, which in return would know how to handle the traffic over the interface the LANX is connected to.

I envisioned these interfaces on both ASAs across the WAN having a /29, but now thinking about it, since both sites have pairs of ASAs I would need something like a /28 at least.

What do you think?

Rauenpc commented:

If you want to do this in stages, then start with just running OSPF or do static routing on the L3 switches. Each will still have a static default route to the local ASA for internet traffic.

You are correct with the direct connection, and that's what I was trying to describe.

I would leave the ASAs out of the LANX since it is a private connection and shouldn't need the security of an ASA, and only use them for internet and VPN failover in the future. This means you will only require a /30 for routing, but it will be up to you to look forward and predict whether you will have any additional sites on the LANX. It might not be a bad idea to just make it a /24 and have only the two devices in it. I know it seems like overkill for the time being, but then you probably won't ever need to worry about adding additional devices to the mix, such as additional sites, and since you're only using a handful of subnets as it is you won't be risking running out of addresses.
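Added example (not configuration posted by either participant): what the thread's final design looks like in IOS and ASA 8.2 syntax. It covers the three access-list rules from the question, enforced on the Site A 3560 as Rauenpc suggests, the /30 routed link between the two L3 switches with OSPF across it and a static default to the local ASA (stage 1), and the ASA-side route tracking, OSPF default origination and 8.2-style NAT that the later internet-failover stage needs. Every address, VLAN number, interface name and host below is an assumption: Site A data 10.1.10.0/24 and voice 10.1.20.0/24, Site B data 10.2.10.0/24 and voice 10.2.20.0/24, LANX link 10.255.0.0/30 (3560 = .1, HP 2610 = .2), ASA inside 10.1.1.1 on the existing switch/ASA subnet, 203.0.113.1 as the ISP next hop, 10.1.20.50 as the voicemail server and 10.2.10.50 as the one Site B data host allowed to reach it.

```cisco
!==== Site A 3560G (IOS) - LANX side, stage 1 ====
! All addresses/interfaces are assumed for illustration.
ip routing
!
! Rules 1-3 from the question, applied to traffic arriving from Site B.
! OSPF from the HP is permitted so the adjacency across the LANX forms.
ip access-list extended LANX-IN
 remark Rule 1: Site B voice -> Site A voice
 permit ip 10.2.20.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark Rule 2: Site B data -> Site A data
 permit ip 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark Rule 3: one Site B data host -> voicemail server on Site A voice
 permit ip host 10.2.10.50 host 10.1.20.50
 remark routing protocol from the HP 2610 at the far end of the /30
 permit ospf host 10.255.0.2 any
 deny ip any any
!
! Routed port toward the LANX, /30 as suggested (no ASA in the path)
interface GigabitEthernet0/48
 description LANX to Site B HP 2610 (10.255.0.2)
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip access-group LANX-IN in
!
! Stage 1: internet still goes to the local ASA; only the remote
! site's subnets are learned over the LANX.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/48
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
! Stage 2 (later): remove the static default above and add
!   no passive-interface Vlan1
! so the ASA's OSPF-originated default (and Site B's, at higher cost)
! is used instead and failover happens by route withdrawal.

!==== Site A ASA 5510, 8.2(5) - stage 2 (internet failover) ====
! Track the ISP next hop; when it stops answering, the static default
! is withdrawn from the routing table.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
!
! OSPF toward the gateway switches. Without "always", the default is
! advertised only while it is present in the routing table, which is
! exactly what the tracked route above controls.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 default-information originate
!
! 8.2 NAT: Site B's subnets must be translatable here, otherwise their
! traffic is dropped when Site B fails over to Site A's internet.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 1 10.2.0.0 255.255.0.0
```

The ACL is stateless, so the "vice versa" part of rule 3 is not covered by the inbound list alone: either apply a mirror-image ACL on the HP 2610 at Site B (or outbound on the same 3560 port), or accept that Site A to Site B traffic is filtered only at the far end. Building the Site B side is the same exercise with the addresses swapped; the HP 2610's ACL and OSPF syntax differs from IOS and is not shown here.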