ASA Failover and Layer 3 (3560-X)


This topic contains 4 replies, has 3 voices, and was last updated by [BT]Black V 4 years, 2 months ago.

    Highl1
    Member
    #161513

    Here is my setup: https://dl.dropboxusercontent.com/u/16923193/asa%20failover.JPG As you can see, we have dual ASA 5512-X used for Internet access, VPN and so on, and an L3 3560-X behind them that's connected to L2 access switches.

    ASA config is ok so far. Failover is working between ASAs (when primary fails, the secondary takes the config of the primary, and also the IPs of inside/outside addresses), but I don’t know how to configure GE 0/2 on 3560-X that’s behind the ASA?

    I wanted to configure it with the no switchport command as well, and ip address 10.101.0.4 255.255.255.0, but that overlaps GE 0/1 and the L3 won't let me do that. Is there a workaround for this one, so that the L3 automatically switches over to GE 0/2 if the primary ASA fails (in other words, if the connection from P-ASA to GE 0/1 on the L3 fails)?

    Thanks in advance!

    Anonymous
    #373724

    Re: ASA Failover and Layer 3 (3560-X)

    Should be able to do HSRP on the L3 switch and track objects (IP SLA). Should be able to google for an example.

    Highl1
    Member
    #313591

    Re: ASA Failover and Layer 3 (3560-X)

    I googled a bit, but it seems like HSRP needs two devices to participate in a group. Here I have only one L3 switch, with two GE ports that are connected to two ASAs, and I want to monitor them.

    Sorry to bother you, but if you can clarify this a little bit more for me, it would be great.

    Thanks in advance!

    Anonymous
    #373728

    Re: ASA Failover and Layer 3 (3560-X)

    Search for ASA High Availability on google and/or check out the configuration guide for your ASA model.

    [BT]Black V
    Participant
    #391192

    I know this is an old post but this still might help someone looking for an answer… what you want is a VLAN or BVI interface on the switch in the same VLAN as the ports to the ASA. Otherwise it's like connecting the two ASAs to two different routers :)
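
The VLAN-interface approach from the last reply, written out as an added example (not posted by any participant in the thread): both ASA-facing ports become access ports in one VLAN, and the switch's address moves from the routed port to the VLAN interface. VLAN 101, the descriptions and the `<ASA-inside-IP>` placeholder are assumptions; the port numbers and 10.101.0.4/24 come from the original question.

```cisco
! Added example for a 3560-X running IOS. VLAN 101 and <ASA-inside-IP>
! are assumptions/placeholders, not values from the thread.
ip routing
!
vlan 101
 name ASA-INSIDE
!
! Both uplinks are Layer 2 access ports in the same VLAN instead of
! routed ("no switchport") ports, so no overlapping-subnet error occurs.
interface GigabitEthernet0/1
 description To primary ASA inside
 switchport
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description To secondary ASA inside
 switchport
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
! The single Layer 3 address lives on the SVI, reachable through either port.
interface Vlan101
 ip address 10.101.0.4 255.255.255.0
 no shutdown
!
! After failover the active ASA unit holds the same inside IP,
! so one static default route covers both units.
ip route 0.0.0.0 0.0.0.0 <ASA-inside-IP>
```

The SVI stays up as long as at least one access port in the VLAN is up, so losing the link to one ASA does not take down the switch's 10.101.0.4 address.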
