topic Re: DR Firewall Config Help in Network Security

DR Firewall Config Help

cisnetadmin — Fri, 21 Feb 2020 16:29:15 GMT

Hello,

Looking for the best solution to this problem.

Currently we have our main site as ISP-ISR-Firepower-ASA-InternalNetwork, and DR is as ISP-ISR-ASA(to be replaced by firepower)-ASA-InternalNetwork. We replicate the configs for the two primary ASA over to the DR site as changes are made over a macsec point-to-point connection in our management vlan 100. We are using static routes across the board except for the egress of the ISR which has BGP. In order to prevent improper routing we have all the data interfaces disabled on the two (external and internal) DR firewalls.

Our current DR plan is to call the DR site and tell them to start accept our BGP packets and then someone has to physically go into the DR and console into both DR ASA and enable the interfaces. Obviously this isn't the greatest solution. Here is a diagram for reference:

Any solutions appreciated! (the firepowers are going to behave the same way, but they aren't at the DR yet. They connect to the management VM) I will provide any information as needed, thanks!

Re: DR Firewall Config Help

Steven Williams — Sun, 25 Nov 2018 00:07:14 GMT

So you are running FTD's and ASA's in the same traffic line?

Re: DR Firewall Config Help

Cezar Fistik — Sun, 25 Nov 2018 02:43:40 GMT

I would enable some sort of access from outside to the DR. It can be a VPN service on the ISR for example, from where you should be able to access all management ports on all needed devices. Going to the DC just to enable the interfaces is too extreme, imo.

Re: DR Firewall Config Help

cisnetadmin — Mon, 26 Nov 2018 14:00:02 GMT

Yes, it will be FTD->ASA in the DR as well.

Re: DR Firewall Config Help

Marius Gunnerud — Mon, 26 Nov 2018 21:55:13 GMT

ISP and ISP x 2, are these the same provider?