topic Two Firewalls on 2 Different Location One connected LAN in Network Security

Two Firewalls on 2 Different Location One connected LAN

Wajma_2 — Tue, 12 Mar 2019 06:20:49 GMT

Hello,

We currently have to ASA 5500 on two different locations each connected to the Internet, One firewall is the primary gateway for internet bound traffic and configured with OSPF and a static route 0 0 to the Border Router and 1 metric. The LAN is interconnected in the two locations by Fiber. The Firewall on the Secondary Location currently does not route traffic and is used as standby in case if failure on primary location. The secondary firewall also runs OSPF with static route 0 0 and metric of 200.

I would like to route one of the VLANs traffic through the Secondary Firewall. this VLAN will be connected on one of the firewall interfaces. (please see attached).

I need help configuring this.

Thank you and best regads

Hi,Could Policy Based Routing

Traian Bratescu — Tue, 28 Jul 2015 16:53:55 GMT

Hi,

Could Policy Based Routing be used?

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.html

You would have to specify an ACL matching the source subnet of that particular VLAN; define a route-map where you would match that traffic; set ip next-hop The IP address towards your secondary AS; apply the policy on the VLAN interface.

Router(config)# route-map map-tag permit

Router(config-route-map)# match ip address {access-list-number | name}

Router(config-route-map)# set ip next-hop ip-address [... ip-address]

Router(config-route-map)# interface interface-type interface-number

Router(config-if)# ip policy route-map map-tag

Hope this helps,

Traian

Thank you for the response on

Wajma_2 — Tue, 28 Jul 2015 21:45:51 GMT

Thank you for the response on this, however apparently route-map is redistricted by license. I do not have the set ip next-hop option. Is there any other way to do this.

Best regards

Sorry for the late reply... I

Traian Bratescu — Sun, 02 Aug 2015 21:32:23 GMT

Sorry for the late reply... I can't think of any elegant solution. If this is a must and have no other means of doing it (upgrade, replace, etc) you could try to create a VRF for that specific VLAN and another interface towards your backup site an within that VRF point the default route...)

It's not by far an "elegant" solution but at least it would work....

Traian