Need help configuring ISP traffic through Cisco 2921interfaces with redunant Cisco ASA 5515-X firewalls

Posted on 2014-03-25
Last Modified: 2014-04-08
I have a Cisco 9221 sec/k9 that I am bringing fiber into via the sfp port from my ISP.

I also have redundant ASA 5515-X firewalls in active/standby mode that I'd like to feed from the 2921.

What would the interface configurations look like in this instance given the 2921 has three ports (unless you add expansion cards) and I will be receiving the fiber on Interface GigabitEthernet 0/1 and I will have to send a feed to each ASA 5515-X on the remaining two ports.

I've normally always ran the ISP into my firewalls in the past and I'm not sure how to configure the 2921 to interface with the firewall and still have it accessible from my LAN when there are no additional ports to connect to my Catalyst switches.

If I need to throw configs up I'm more than happy to but in this case I just need some help wrapping my mind around the interface configuration.

Thanks in advance.
Question by:ditobot
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
LVL 42

Expert Comment

ID: 39955782
You need a switch in between your router and the outside interfaces of your ASA cluster. If you don't want to dedicate an entire switch to this, you can use a VLAN where the only devices on the VLAN are the one interface on your router and the outside interface from each ASA.

I am not sure what you mean to have the router accessible from the LAN. Your Router will only have public IP addresses, and you need to go through your firewall to get to it.
LVL 17

Accepted Solution

pergr earned 250 total points
ID: 39955872
As mentioned, the FW cluster ports needs to be in the same VLAN.

When the FW fail over, both the MAC address and IP address are transferred to the second chassis, which means both FW and the 2921 needs to be on the same VLAN.

The 2921 can not switch between the ports it has on the chassis. You would need to buy a "Cisco Enhanced EtherSwitch Service Module" for it, and connect the two firewalls there.

It is probably better to take 3 ports from any other switch you have, and put those in a VLAN.

In theory, you can also add another "management VLAN" to the port on the 2921, if you do not want to use the traffic port for management.

Author Comment

ID: 39957749
From what I understand the 4 port ethernet module that can be added to the 2921 is layer 2 and couldn't handle any routing but I was thinking about ordering an additional 1GBe + SFP module which would then give me the additional port to manage my router from my LAN and still be able to route the ISP traffic to each firewall in the Active/Standby configuration.

In this instance my firewalls are set up for high availability and they have the same IP address and configuration so I was hoping to avoid having to set up failover scenarios on the router along with the failover configuration for the firewalls. Since the ISP traffic would always be going through the same IP address for the firewall(s) is there a way to configure the router to use either the additional 4 port ethernet module or the additional GBe SFP module? My ISP isn't redundant only the firewalls in this scenario.

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 42

Assisted Solution

kevinhsieh earned 250 total points
ID: 39958131
A standalone switch or the L2 switchport module is what you need. You would connect the switchport interfaces to an L3 VLAN which is how you would route traffic from your firewalls to the ISP. I personally use an external switch, but you could use internal switchports on the router if you didn't have the rackspace or felt that the internal switchports would be more reliable than an external switch.

As far as your router is concerned, you only have 1 firewall. There is no failover scenario your router needs to be concerned with. I get the feeling that you are trying to make this more complicated than it is.

Author Comment

ID: 39968300
You make a good point on the firewall. The Active/Standby scenario utilizes only one IP address for the firewall so that makes sense.

Out of curiosity what kind of switch do you have between your router and firewall? A Cisco Catalyst seems like overkill but I also don't want to go cheap since I would be creating yet another single point of failure.

Lastly, If I use the L2 switchport module that should allow me to add a second ISP on the third native port on my 2921 correct? And I would still only need to run a cable to each firewall from the L2 module since the Router would be managing the ISP failover.

In the near future I'll probably pick up a less expensive 1900 router and put the secondary ISP ethernet connection into that and use the ASA 5515-x to handle the failover scenario.

I appreciate all of your advice. I think I'm going to go with the L2 switchport module but if you could give me a little more guidance I'd appreciate it. It's frustrating because my large retailer's Cisco specialist hasn't been able to offer any defnitive configurations only vague suggestions.
LVL 17

Expert Comment

ID: 39968557
If you are considering getting a second router later on, then it makes sense to get an extension switch instead of the switch module for the 2921. Otherwise you would not be fully redundant with a second router.

You need preferably a managed switch, although any cheap crap would probably work. For a small switch dedicated to this, I would use the Juniper EX2200-C but if you prefer a small catalyst go for that.
LVL 42

Expert Comment

ID: 39969525
I currently use a 3500XL switch which is probably about 15 years old. I will be replacing it with a used 48 port 2960 which I am getting for about $250.

Author Closing Comment

ID: 39987289
I have confirmed with Cisco that the ethernet module will work for my scenario just as added confidence since I might end up on the phone with them a some point. Thanks for all of you help.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question