Design Considerations for ASA5545X Implementation

I am looking for some advice on a new network design and implementation. We are looking to implement two Cisco ASA 5545Xs as well as a core layer, server layer and access layer on the network. The core layer will be made up of two Cisco 3945E devices, the server stack of 2 x WS-C3650-48 switches (from which the WiFi, PBX and servers hang off), with the access layer being made up of 2 stacks of 3 x WS-C3650-48 on two different floors.

My question is this: we have two different ISPs who will be providing two separate circuits, with the ASAs in Active/Active mode. Where will the users' VPNs terminate? I don't see any routers detailed in the diagram which sit outside the ASAs. Is this a normal configuration, to have the routers sit inside the network? I believe if you set up ASAs in HA mode with them being Active/Active they can't provide VPN services?

I'm a little confused with it all. Could anyone advise? This solution has been recommended by two different Cisco partners, so I'm presuming this will work, but what are the disadvantages, if any? Thanks
itbird asked:
Akinsd, Network Administrator, commented:
Yes, your setup is correct.

Bear in mind that the ASA has routing features.
A simple analogy is to view a firewall as a router that's dedicated to security. That will help your understanding.


See page 81
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config.pdf

Pete Long, Technical Consultant, commented:
Having redundant ISPs and Active/Standby ASAs is entirely possible; I've done it for many clients.

OK - I understand why (because I've had this question asked of me many times) you are asking for Active/Active, but that's not what you want (because Active/Active does not support VPN, for the very reasons you are asking the question). There is only ever a case for Active/Active firewalls in a 'multi-tenancy environment' where there is not a requirement for VPN.

Your redundant ISP setup would keep one ISP as primary (in use most of the time), and fail over to the secondary ISP if the first one fails (you CAN'T load balance with an ASA, it's not a load balancer).

So, deploy your first firewall and set up/test your redundant ISP setup:
Cisco ASA/PIX Redundant or Backup ISP Links with VPNs

Then deploy Active/Standby:
Deploy Cisco ASA 55xx in Active / Standby Failover

Pete
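The primary/backup ISP behaviour Pete describes is normally built on the ASA with an IP SLA probe that tracks reachability through the primary link and a floating static route on the backup interface. The fragment below is an added illustration, not taken from the thread or from Pete's linked article; the interface names, probe target and next-hop addresses are placeholders (documentation ranges), and the NAT rules for the backup interface are left out.

```cisco
! --- Added example: primary ISP with tracked default route, backup ISP as floating route ---
! Interface "outside" faces ISP 1 (primary), "backup" faces ISP 2 (secondary).
! Next hops and the probe target are placeholder addresses; substitute your own.

! Probe a reliable host beyond ISP 1 so a dead upstream (not just a dead link) triggers failover.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.100 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now

! Tracking object 1 follows the probe's reachability state.
track 1 rtr 10 reachability

! Primary default route is installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Floating default route via ISP 2; metric 254 keeps it inactive until the primary route is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

When the primary route is withdrawn, outbound sessions move to the backup interface, so object NAT must be defined for both outside interfaces and remote VPN peers need the backup public address as a secondary peer, as Pete's article covers.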
frankhelk commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Akinsd (https:#a40886840)
-- Pete Long (https:#a40887505)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer