InterVLAN Routing

Hello Surendra

If I understand correctly, you want two ASAs to provide connectivity to the same VLAN via at least one port on each ASA, and then to apply policies to this VLAN. In order to achieve this, you will have to connect the ASAs together, and enable switching (Layer 2) on these ports. That way the same VLAN can span both firewalls.

But then there’s a problem. The devices on this VLAN will all require the same default gateway. This must be an SVI interface on one of the two ASAs. If you configure one ASA to do this, then the other ASA is simply functioning as a switch, and you’re not using any of its firewall capabilities.

In order to correctly configure such a scenario, you must use the failover feature of the ASA. You can set up an Active/Standby failover, which is described in the following lesson:

or, you can apply an Active/Active failover, about which you can find out more at this post.

In any case, what the failover feature provides is two ASA devices that will, from the point of view of the hosts in the subnet, function as a single device. In the active/active scenario, the two devices will actually share the load of the traffic and the implementation of the policies.

Once the failover is set up, you can then apply any policies you like, but you have to ensure that the same policies are implemented in both devices in the same way, so you have consistent behaviour.

I hope this has been helpful!

Laz
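For readers who want to see what the Active/Standby arrangement described above looks like on the CLI, here is an added, illustrative configuration; it is not from the original post or from the lesson it refers to. It assumes an ASA model with built-in switchports and VLAN (SVI) interfaces (5505-style), VLAN 10 as the user VLAN, VLAN 99 as the failover link, and made-up addresses. The key point it shows is that the SVI on the active unit carries the default gateway address (192.168.10.1) and the standby unit holds the standby address; on failover the active address moves, so hosts never have to change their gateway. In Active/Standby mode the active unit also replicates its running configuration to the standby, which is how the "same policies on both devices" requirement is met in practice.

```cisco
! ---- ASA-1 (primary unit) ----
! Added example; VLAN numbers, interface names and IP addresses are assumed.
hostname ASA-1
!
! User VLAN: this SVI is the single default gateway for the hosts.
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Switchports that belong to the user VLAN on this unit.
interface Ethernet0/1
 switchport access vlan 10
!
! Dedicated failover VLAN; must NOT carry a nameif.
interface Vlan99
 description Failover LAN and stateful link
!
interface Ethernet0/7
 switchport access vlan 99
!
! Failover configuration (LAN-based, stateful on the same link).
failover lan unit primary
failover lan interface FOLINK Vlan99
failover link FOLINK Vlan99
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
!
! Example policy: applied once on the active unit, replicated to the standby.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! ---- ASA-2 (secondary unit): only the failover bootstrap is needed ----
hostname ASA-2
!
interface Vlan99
 description Failover LAN and stateful link
!
interface Ethernet0/7
 switchport access vlan 99
!
failover lan unit secondary
failover lan interface FOLINK Vlan99
failover link FOLINK Vlan99
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

After both units are up, `show failover` on either unit should report one unit as "Active" and the other as "Standby Ready", and `show running-config access-list` on the standby should show the same INSIDE_IN entries without them having been typed there. On the switchport side, the user VLAN still needs a Layer 2 path between the two units (a trunk or access port carrying VLAN 10) so that hosts attached to either ASA can reach whichever unit currently holds the gateway address.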