Hello,
I have two(2) Cisco switches 9200 (with EtherChannel and trunk connection), two(2) cisco ASA firewalls ( with Active/passive failover), and 2 Servers. The two(2) Cisco ASA (5516-X) firewalls are connected to the Internet. Each server (has 2 ports) is connected to the switches. The two switches are connected to the ASA firewalls with a double connection (for High Availability). I have one DMZ connected to the 2 ASA firewalls. I also have 4 VLANs (VLAN1, VLAN2, VLAN3 & VLAN4).
The Servers have to be accessed from outside. Can you please give me an idea on how to configure the ASA Firewall et the two(2) switches (Switches are Cisco 9200)? What do I have to configure so that each server is reachable from outside? By the way, there are mail and FTP servers in the DMZ.
Here are a few principles and thoughts to keep in mind as you attempt to design a network that conforms to your description.
First of all, creating an active/passive failover can be achieved as described in the following lesson:
You can then modify this topology so that instead of one switch connecting the two ASAs on the inside network, you can have your two 9200s.
Secondly, you will have to create your DMZ on the ASAs. This can be done by either creating subinterfaces on the INSIDE physical interfaces of the ASAs, or by adding a separate physical connection on a different interface on each ASA to the switches. You can choose one of your VLANs on the 9200s to be your DMZ VLAN. Make sure that the servers are then connected to this DMZ VLAN.
Finally, using the principles in the following lesson, you can use NAT port forwarding to allow those servers to be reached from the outside. You must however apply this to both the active and passive ASA:
Alternatively, you can use static NAT to allow outside users to reach the servers as shown in this lesson:
These are some general guidelines that you can use to achieve what you describe. If you would like a whole lesson devoted to such a setup, I suggest you go to the following Member Ideas page and make a suggestion. You may find that others have already suggested a similar topic, and you can add your voice to theirs.
Hi Lagapides,
Thank you a lot for your feedback. I have done some configurations and I want to share them with you and the rest of the networklessons community. It’s not complete, I’m still doing the configuration. I haven’t finished the config yet, but I want everyone to be able to look and tell me if they have any configuration errors.
It remains the 4 points below :
I want to configure inter Vlan routing with eigrp of the
network 10.210.0.0 0.0.255.255
I want to Configure the connection ports to the other access switches in no switchport with the 10.210.1.0/24 subnet divided into mask / 30 (255.255.255.252)
Configurer le spanning-tree ?
Is the connection Switch to ASA is correct?
My Congigs below:
Configuration des ASA
ASA1
!-----Cisco ASA 5516-X configuration ASA1 ---------!
ciscoasa(config)#enable password cisco1234
ciscoasa(config)#username admin password cisco1234 privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)#ssh 10.210.1.10 255.255.255.0 inside
ciscoasa(config)#ssh 105.235.108.53 255.255.255.248 outside
ciscoasa(config)#hostname ASA1
!---------------- OUTSIDE connection ----------------
ASA1/act# conf t
ASA1/act(config)# int Gi1/1
ASA1(config)# speed 1000
ASA1(config)# duplex full
ASA1/act(config-if)# nameif OUTSIDE
ASA1/act(config-if)# ip address 105.235.108.53 255.255.255.248 standby 105.235.108.54
ASA1/act(config-if)#security-level 0
ASA1/act(config-if)# no shut
ASA1/act(config-if)#exit
ASA1/act(config)# exit
ASA1/act# copy run start
!---------------- INSIDE connection ----------------
ASA1/act(config)# int GigabitEthernet1/2
ASA1/act(config-if)# no nameif
ASA1/act(config-if)# no ip address
ASA1/act(config-if)# exit
ASA1/act(config)# int GigabitEthernet1/3
ASA1/act(config-if)# no nameif
ASA1/act(config-if)# no ip address
ASA1/act(config-if)# exit
ASA1/act(config)# interface Redundant1
ASA1/act(config-if)# member-interface GigabitEthernet1/2
ASA1/act(config-if)# member-interface GigabitEthernet1/3
ASA1/act(config-if)# nameif INSIDE
ASA1/act(config-if)# security-level 100
ASA1/act(config-if)# ip address 10.210.1.10 255.255.255.0 standby 10.210.1.11
ASA1/act(config-if)#no shut
ASA1/act(config-if)#exit
!---------------DMZ CONNECTION ----------------
ASA1(config)# interface GigabitEthernet1/3
ASA1(config)# speed 1000
ASA1(config)# duplex full
ASA1(config-if)# nameif DMZ 50
ASA1(config-if)# ip address 10.210.2.1 255.255.255.0 standby 10.210.2.254
ASA1config-if) # security-level 50
ASA1(config-if) # no shutdown
------ static NAT of whole DMZ network & ACL ---------
ASA1(config)#object network mapped_static_range
ASA1(config-network-object)#subnet 10.210.2.0 255.255.255.0
ASA1(config)# object network dmz_network
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ , outside) static mapped_static_range
ASA1(config)#access-list OUTSIDE extended permit ip any4 host 192.168.1.1
ASA1(config)#access-list OUTSIDE extended permit ip any4 host 192.168.1.2
ASA1(config)#access-list OUTSIDE extended permit ip any4 host 192.168.1.3
ASA1(config)# access-group OUTSIDE in interface outside
!---------------- Active/Standby Failover connection --------
ASA1(config)# failover
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER GigabitEthernet1/8
ASA1(config)# failover key 666999
ASA1(config)# failover replication http
ASA1(config)# failover link FAILOVER GigabitEthernet1/8
ASA1(config)# failover interface ip FAILOVER 172.210.10.1 255.255.255.0 standby 172.210.10.2
ASA1(config)# monitor-interface inside
ASA1(config)# monitor-interface outside
ASA1(config)# int gi1/8
ASA1(config-if)# no shut
ASA1(config-if)# exit
ASA1(config)# exit
ASA1#write memory
!---------------- Active/Standby Failover connection --------
ASA1#conf t
ASA1(config)# route outside 0.0.0.0 0.0.0.0 105.235.108.49
ASA1(config)# route inside 0.0.0.0 0.0.0.0 10.100.10.0
ASA1(config)# route inside 0.0.0.0 0.0.0.0 10.100.20.0
ASA1(config)# route inside 0.0.0.0 0.0.0.0 10.100.30.0
ASA1(config)# route inside 0.0.0.0 0.0.0.0 10.100.40.0
ASA1(config)# write memory
CISCO ASA2
!-----Cisco ASA 5516-X configuration ASA2 ---------!
ciscoasa(config)#enable password cisco1234
ciscoasa(config)#failover
ciscoasa(config)#failover lan unit secondary
ciscoasa(config)#failover lan interface FAILOVER GigabitEthernet1/8
ciscoasa(config)#failover key 666999
ciscoasa(config)#failover replication http
ciscoasa(config)#failover link FAILOVER GigabitEthernet1/8
ciscoasa(config)#failover interface ip FAILOVER 172.210.10.1 255.255.255.0 standby 172.210.10.2
ciscoasa(config)# int gi1/8
ciscoasa(config-if)#no shut
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#write memory
SWITCH CONGURATION
!------ Définition des Accès au switchs--------------------------
Switch#conf t
SW1(config)#hostname SW1
SW1(config)# username admin password cisco1234
SW1(config)# enable secret cisco1234
SW1(config)# service password-encryption
!---------- Console Access --------------------------
SW1(config)#line console 0
SW1(config-line)#password cisco1234
SW1(config)#login
!---------SSH/Telnet Access to the switch---------------------
SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#transport telnet
SW1(config-line)#password cisco1234
!----- Adresse IP pour l’accès à distance au Switch------------- !
SW1#conf t
SW1(config-if)#interface vlan 1
SW1(config)#line 10.100.10.1 255.255.255.0
SW1(config)#exit
SW1#ip default-gateway 10.100.10.XX ?
!-----Setting Web-based interface for configuration----------!
SW1#conf t
SW1(config)#ip http server
SW1(config)#ip http port 80
SW1(config)# copy running-config startup-config
----- VLANs creation on Cisco Switch 1----
SW1(config)#vlan 10
SW1(config-Vlan)#name servers
SW1(config-Vlan)# exit
SW1(config)#vlan 20,30,40
SW1(config-Vlan)#exit
SW1(config)#exit
SW1(config)#
----------VLANs creation on Cisco Switch 2--------------
Switch(config)#hostname SW2
SW2(config)#vlan 10
SW2(config-Vlan)#name servers
SW2(config-Vlan)# exit
SW2(config)#vlan 20,30,40
SW2(config-Vlan)#exit
SW2(config)#exit
SW2(config)#
!------VLAN interfaces configuration using HSRP ----
!------------------ HSRP for VLAN 10 ------------------ !
SW1#conf t
SW1(config#
SW1(config)#int vlan 10
SW1(config-if)#ip address 10.210.10.2 255.255.255.0
SW1(config-if)#standby 40 ip 10.210.1.254
SW1(config-if)#standby 40 pri 150
SW1(config-if)#
SW1(config-if)#exit
SW1(config)#int Gi0/23
SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#
Sw2(config)#
SW2(config)#int vlan 10
SW2(config-if)#ip address 10.210.10.3 255.255.255.0
SW2(config-if)#standby 40 ip 10.40.1.254
SW2(config-if)#standby pri 90
SW2(config-if)#exit
SW2(config)#int Gi0/23
SW2(config-if)#switchport trunk encap dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#
!----- HSRP for VLAN 20------- !
SW1#conf t
SW1(config#
SW1(config)#int vlan 20
SW1(config-if)#ip address 10.210.20.2 255.255.255.0
SW1(config-if)#standby 40 ip 10.210.1.254
SW1(config-if)#standby 40 pri 150
SW1(config-if)#
SW1(config-if)#exit
SW1(config)#int Gi0/23
SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#
Sw2(config)#
SW2(config)#int vlan 20
SW2(config-if)#ip address 10.210.10.3 255.255.255.0
SW2(config-if)#standby 40 ip 10.40.1.254
SW2(config-if)#standby pri 90
SW2(config-if)#exit
SW2(config)#int Gi0/23
SW2(config-if)#switchport trunk encap dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#
!----- HSRP for VLAN 30------- !
SW1#conf t
SW1(config#
SW1(config)#int vlan 30
SW1(config-if)#ip address 10.210.30.2 255.255.255.0
SW1(config-if)#standby 40 ip 10.210.1.254
SW1(config-if)#standby 40 pri 150
SW1(config-if)#
SW1(config-if)#exit
SW1(config)#int Gi0/23
SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#
Sw2(config)#
SW2(config)#int vlan 30
SW2(config-if)#ip address 10.210.30.3 255.255.255.0
SW2(config-if)#standby 40 ip 10.40.1.254
SW2(config-if)#standby pri 90
SW2(config-if)#exit
SW2(config)#int Gi0/23
SW2(config-if)#switchport trunk encap dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#
!----- HSRP for VLAN 40------- !
SW1#conf t
SW1(config#
SW1(config)#int vlan 40
SW1(config-if)#ip address 10.210.40.2 255.255.255.0
SW1(config-if)#standby 40 ip 10.210.1.254
SW1(config-if)#standby 40 pri 150
SW1(config-if)#
SW1(config-if)#exit
SW1(config)#int Gi0/23
SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#
Sw2(config)#
SW2(config)#int vlan 40
SW2(config-if)#ip address 10.210.40.3 255.255.255.0
SW2(config-if)#standby 40 ip 10.40.1.254
SW2(config-if)#standby pri 90
SW2(config-if)#exit
SW2(config)#int Gi0/23
SW2(config-if)#switchport trunk encap dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#
!-------------- Connexion du Switch to le ASA 1 ----- !
SW1(config)#int Gi0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1#
SW2(config)# int Gi0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#exit
SW2(config)#exit
SW2#
It’s not always easy to examine the correctness of a topology from the configs, without having access to the active topology itself to test out its operation. However, for the most part your setup looks good. The addition of the diagram helps out a lot.
For the EIGRP routing, it’s quite straightforward as you would enable EIGRP on all Layer 3 devices and simply add the approprate networks
The addition of routed ports on the access switches (with no switchport) is also straightforward, and you can add those subnets to the EIGRP routing as well.
Spanning tree should not need to be adjusted, as by default it should function correctly.
The connections between the switch and the ASA look correct. One thing that you may want to do is to “harmonize” the configuration of the HSRP with that of the ASA active device. In other words, make sure that the HSRP configuration is aware of the failover ASA configuration using object tracking and IP SLAs. Take a look at this Cisco community thread for more details:
Did you get it work? I am working on a similar config but the connect from the switch to ASA is not working right. I tried to make a routed port on my switch but it doesn’t support it, Dell N4032, cannot do a “no switchport” so trying to use a vlan like you did.
Also with ASA 9.17.1 interface Redundant1 doesn’t work
Hi Laz
I mean that command is not available, FP2110 running ASA 9.17
I wanted to use that for the redundant connections to the switches, but am trying port-channel instead and having problems with that. I will add that to my other post
Ah, I see, I understand. Yes, that command is not available in firepower. This is because it is not an ideal solution. It is much preferable to use some other high availability features, such as EtherChannel as you are doing, or VSS, or vPC, or a switch stack.