Lan extension with two ASAs

Posted on 2013-01-10
Medium Priority
Last Modified: 2013-02-05
Hi Experts,

Just looking for some design guidance - Here is the scenario I have:

I have two sites - A and B - each site has its own subnet, DHCP, DNS, etc.
In each site I have one vlan for voice and one vlan for data.
Sites A and B are connected together via VPN L2L.
Site A has a pair of Cisco ASA 5510 running 8.2(5) in active/standby mode
Site B has a pair of Cisco ASA 5505 running 8.2(5) in active/standby mode

There is an access list in place defining the traffic.
1 - Voice can talk to Voice across the link
2 - Data can talk to Data across the link
3 - Certain IPs on Data can access certain IPs on Voice across the link and vice versa.

Each site has their own internet connection - these are the same connections the VPN travels through.

Site A looks a bit like this.

PC connects to the distribution switches - Default gateway for the network is a pair of 3560G running HSRP. This switch routes between the local voice and data VLAN - This switch has a gateway of last resort that is the Cisco ASA 5510.

PC------ 3560G Gateway ----- ASA 5510 Gateway ----- Internet

Site B looks a bit like this - Same idea as above

PCs connect to the distribution switches - Default gateway for the network is ONE HP ProCurve J9089A Switch 2610-48-PWR (this is a layer 3 device) - this switch does routing between voice and data local VLANs - this switch has a gateway of last resort that is the Cisco ASA 5505.

Gateway switch and Cisco ASA (in both sites) have the same IP subnet, meaning the connection between gateway and ASA is a layer 2 connection.

So the challenge starts now, and it is more of a design challenge than anything else.

I recently acquired a Lan Extension between these two sites. The purpose of this lan extension is to substitute the VPN L2L between sites. This lan extension is 100Mbps full duplex.

My ideal scenario was to replace the VPN L2L by connecting the two endpoints of the lan extension via spare ports I have on both ASA devices (Site A and Site B). This would help me leverage my knowledge of the Cisco ASA platform in creating and managing access lists.

One of the challenges I face is due to the fact that I am not able to QoS the traffic and I would have to hope that 100Mbps would be enough. Just for your knowledge, Site B's voice mail application is on Site A and there are some extension-to-extension calls going on. On a 10Mbps link (slowest link between the two sites) I have never had problems with these calls or the calls to voice mail.

Ideally for the future I would like to establish some internet redundancy between the two sites: if site A loses internet, please route through site B's internet connection - and vice versa. However this is not my immediate goal.

1 - What do you think about my idea?
2 - Do you see any challenges with this?
3 - If I tackle the job of only replacing the VPN L2L with the LANX - do you think I would have problems failing over the internet between sites in the future?

Much appreciated.
Question by: ifred
LVL 20

Expert Comment

ID: 38764337
I can't speak to the HP's ability to do ACLs, but I know the 3560 can do ACLs. If you are ok with some simple ACLs to control traffic going between Data/Voice at the sites, you should be able to control this on the L3 switches. From there, create one additional VLAN on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASAs. The ASAs can advertise the default routes and any client VPN subnets, and the switches will exchange their locally configured subnets. The ASAs will need to be configured with route tracking or they will never remove the default route from advertisements. Also, the NAT on the ASAs will need to include the additional subnets for outbound internet traffic.

In the above scenario you will have direct site-to-site connectivity, site-to-site vpn backup, and internet backup assuming that both the internet and LAN extension aren't down at the same time.

Author Comment

ID: 38764584
Hi Rauenpc,

Thank you for taking the time to post your suggestion, here are my thoughts:

First - just a reminder that likely I would have to do this in stages, meaning first substitute the functionality of the L2L VPN with the LANX. Later in time (could be months) achieve the internet redundancy.

Sounds like what you are suggesting is to have the layer 3 devices perform the routing. I understand this is doable, however you talk about interactions with the ASA from these layer 3 switches:

"From there, create one additional VLAN on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASAs."

I would think that unless you are addressing the whole ideal scenario I would like to have in the end (routing, failover, etc.), for using the layer 3 devices, I would probably be better off having these layer 3 devices directly connected to each other, bypassing the firewalls entirely. Straight LANX with a /29 between the devices. Default route points to the ASA, specific routes point to the gateway across the WAN (/29).

So my point was really to not touch the current gateway devices as they will send all routes unknown to them to the ASA, which in return would know how to handle the traffic over the interface where the LANX is connected to.

I envisioned these interfaces in both ASAs across the WAN to have a /29 but now thinking about it, since both sites have pairs of ASAs I would need something like a /28 at least.

What do you think?
LVL 20

Accepted Solution

rauenpc earned 1000 total points
ID: 38764970
If you want to do this in stages, then start with just running OSPF or do static routing on the L3 switches. Each will still have a static default route to the local ASA for internet traffic.

You are correct with the direct connection, and that's what I was trying to describe.

I would leave the ASAs out of the LANX since it is a private connection and shouldn't need the security of an ASA, and only use them for internet and VPN failover in the future. This means you will only require a /30 for routing, but it will be up to you to look forward to predict if you will have any additional sites on the LANX. It might not be a bad idea to just make a /24 and just have the two devices in it. I know it seems like overkill for the time being, but you probably won't ever need to worry about adding additional devices to the mix such as additional sites, and since you're only using a handful of subnets as it is you won't be risking running out of addresses.
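To make the staged approach from the accepted solution concrete, here is an added example (not from the thread, not from any of the posters) of what the Site A 3560G could look like: a dedicated routing VLAN for the LANX hand-off on a /30, static routes for Site B across it with the default still pointing at the ASA, and the three voice/data rules from the question enforced as an inbound ACL on the L3 switch, as the first comment suggested. All addresses, VLAN numbers, host pairs and the port are assumed placeholders; the HP 2610 at Site B needs the mirror-image routes and ACL in its own syntax.

```cisco
! Site A 3560G - constructed example, not from the thread. Assumed addressing:
!   Site A voice 10.1.10.0/24 (VLAN 10), data 10.1.20.0/24 (VLAN 20), ASA inside 10.1.1.1
!   Site B voice 10.2.10.0/24,           data 10.2.20.0/24
!   LANX routing link 192.168.100.0/30: .1 = Site A 3560G, .2 = Site B HP 2610
ip routing
!
vlan 900
 name LANX-ROUTING
!
! The LANX hand-off is a plain access port in the routing VLAN; the circuit is 100 Mbps full duplex
interface GigabitEthernet0/48
 description LANX to Site B (100M FDX private circuit)
 switchport mode access
 switchport access vlan 900
 speed 100
 duplex full
!
interface Vlan900
 description Routed /30 towards Site B
 ip address 192.168.100.1 255.255.255.252
 ip access-group LANX-IN in
!
! Site B subnets go across the LANX; everything unknown still goes to the local ASA
ip route 10.2.10.0 255.255.255.0 192.168.100.2
ip route 10.2.20.0 255.255.255.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! The three rules that used to live on the ASA for the L2L VPN, applied as the
! switch receives traffic from Site B. IOS ACLs are stateless, so each permitted
! pair must also be permitted on the Site B side for the return direction.
ip access-list extended LANX-IN
 remark 1 - voice to voice
 permit ip 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark 2 - data to data
 permit ip 10.2.20.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark 3 - named data/voice host pair, both directions (placeholder hosts)
 permit ip host 10.2.20.50 host 10.1.10.5
 permit ip host 10.2.10.5 host 10.1.20.50
 remark keep the routing link itself reachable for troubleshooting
 permit icmp host 192.168.100.2 host 192.168.100.1
 remark everything else from Site B is dropped and logged
 deny ip any any log
```

The standby 3560G of the HSRP pair needs its own routes for the Site B subnets pointing at its peer, since the LANX hand-off physically terminates on one switch only; the `deny ... log` line is what tells you when something at Site B tries to cross a boundary the old VPN ACL would have blocked.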
