ASA 5520 supporting dual connections

ksvy_ksvy
Level 1

I have a quick question;

If one were to enable HSRP on two routers (same subnet address), could an ASA support/uplink the dual connections from both routers?

correct me if I'm wrong, but wouldn't one have to enable a dynamic routing protocol on the ASA in order to support this type of solution?

Accepted Solution

SLA with RTR tracking is a good solution, but it basically complicates the whole setup! Even if he has to run BGP, let it terminate on the external routers, and internally there can be a local route to reach the LAN through the firewall. Basically the routers can have a back-to-back connection to decide where to forward/receive packets from the internet, through BGP or any other means. The firewall's responsibility is just to forward the traffic onto a particular router, designated primary, which can be achieved through simple HSRP!

my 2 cents...

Raj


15 Replies

Jon Marshall
Hall of Fame

Kevin

Not quite sure what you mean. Is there a switch between the ASA and the two routers, or do you mean connecting into two interfaces on the ASA?

HSRP is not intended for utilising both links, so it's not entirely clear what you mean.

Jon

Jon, sorry, yes, a switch will be connecting both routers and the firewall.

Still a little unclear as to your question. As Collin says, you can just allocate the ASA into the same subnet and then point the ASA route to the HSRP address.

Am I misunderstanding your question?

Jon

Collin Clark
VIP Alumni

If you're running HSRP across two interfaces, you would just point the ASA to the virtual address. Is this how your setup is?

      INTERNET
      |      |
     RTR    RTR
      |______|   <-- HSRP running here
          |
         ASA

sachinraja
Level 9

Kevin

The way ASA primary/failover works is quite different from having two switches connecting to external routers for HSRP. I haven't seen any scenario with HSRP between an external firewall and routers. The issue here is that there is no layer 2 forwarding between the ASAs, unlike switches, which can forward information over the trunk! Hence, have two static routes, or, as you said, a routing protocol running between the ASA and router, to forward L3 traffic...

Failure can happen in the following ways:

1) In case the first router goes down, the ASA's interface goes down, and the traffic is failed over onto the failover firewall in a stateful way..

2) In case the link on the primary router goes down, the ASA primary will forward traffic to the primary router. The primary router should be connected back to back with the failover router, to forward traffic through the secondary link...

3) The same applies on failure of the ASAs too..

Hope this helps. all the best..

Raj

If it is just a single ASA and a switch in between, then it makes sense to run HSRP on the routers. As Jon said, you can point the default gateway on the ASA to the VIP of the routers.

There should be some L2 connectivity between the HSRP neighbors for the keepalives to flow; since you have a layer 2 switch, it is very much possible. As per my previous post, if you had the routers directly connected to two different ASAs, then it would have been difficult, and L3 routing would have been the only solution...

HTH

Raj
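The single-ASA-behind-HSRP design the replies above converge on, as an added configuration example that is not from any post in this thread. Addresses, interface names and the key string are assumptions: 192.0.2.0/24 is the segment the switch shares between the two routers and the ASA outside interface, 192.0.2.1 is the HSRP VIP, R1 is .2, R2 is .3, the ASA is .10, and each router's WAN link is GigabitEthernet0/0.

```cisco
! ---- R1 (intended HSRP active). R2 is identical except for its own
! ---- address (192.0.2.3) and a lower priority (100). Addresses assumed.
!
! Shared secret for HSRP authentication: without it, any host plugged into
! the shared switch can send a higher-priority hello and take over the VIP,
! putting itself in the firewall's default path.
key chain HSRP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
! Track the WAN-facing interface so a router that loses its uplink
! gives up the VIP instead of holding it with a dead path behind it.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Shared segment with R2 and the ASA outside interface
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-chain HSRP-KEYS
 standby 1 track 10 decrement 20
!
! ---- ASA 5520: outside interface on the same subnet, static default
! ---- route pointed at the VIP. No dynamic routing on the firewall.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

With priority 110 and a decrement of 20, R1 falls to 90 (below R2's 100) when its WAN interface loses line protocol, and R2 preempts. Check with `show standby brief` on both routers and `show arp` on the ASA: the VIP should resolve to the HSRPv2 virtual MAC 0000.0c9f.f001 for group 1, not to either router's burned-in address. Note the limit of this tracking: `line-protocol` only reacts to a link that actually goes down, so an uplink that stays up/up with a dead provider behind it is not detected; for that, track an IP SLA (`track 10 ip sla 10 reachability`) or carry the default over BGP on the routers.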

kylerossd
Level 4

Is your second connection just for redundancy or do you have your own ASN and both routers are BGP peers to your ISPs?

If you have two different external networks, I would use IP SLA and tracking statements. Then apply the track to the default route so it can be removed when the IP SLA is no longer true.
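The ASA-side IP SLA and tracked-default-route design suggested above, as an added configuration example rather than anything posted in the thread. It assumes a second outside-facing interface named `backup`, a primary next hop of 203.0.113.1, a backup next hop of 192.0.2.1, an inside range of 10.0.0.0/8, and a probe target of 198.51.100.53 beyond the primary CE router; all of these are placeholders.

```cisco
! ---- ASA: primary default via 'outside', floating default via 'backup'.
! ---- Interface names, next hops, probe target and inside range assumed.
!
! Probe a host beyond the primary CE router, not the CE itself: the CE's
! Ethernet toward the ASA can stay up/up while its upstream is dead.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.53 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! The primary default stays in the routing table only while track 1 is
! reachable; the backup route (AD 254) takes over as soon as it is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 192.0.2.1 254
!
! Translation must exist for both exit interfaces or failover traffic leaves
! untranslated (pre-8.3 NAT syntax shown; 8.3+ uses object NAT instead).
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
global (backup) 1 interface
```

Verify with `show sla monitor operational-state 10`, `show track 1` and `show route`; pull the primary's upstream and watch the default flip to `backup`. Two caveats a practitioner should expect: connections established over the failed path are not migrated and must be re-established, and a single ICMP target is a weak signal, so pick a stable host that is allowed to answer echo requests rather than a busy anycast address, or the default route will flap whenever that one host drops a few pings.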

I agree with kylerossd; sla monitor with rtr tracking is the better solution.


So what happens when the primary HSRP router's internet connection dies? It is still advertising the MAC address of the gateway to the ASA and you're dead in the water.

It gets even worse if the connection doesn't go down. Your CE router's copper is up but their fiber is down, and you're sitting there UP/UP.

True, but I think the network people were thinking only of router failure, not ISP.

That'll be a fault in their design... but I will remind them, thanks.

No problem, Good luck!

Kyle, ISP redundancy has to be taken care of at the router level. When we speak about multihoming, we might need more than an rtr command to make it work. The solution that we were referring to would take care of the following:

1) If the primary HSRP router's internet connection dies, packets would be forwarded to the primary router from the FW through the HSRP VIP. The primary router can run iBGP or any dynamic routing protocol to forward the traffic to the backup router, through a dedicated back-to-back connection.

2) If the primary router fails, HSRP will take care of alternate routing through the secondary router.

3) If the Ethernet doesn't go down and the link remains up/up, BGP reachability on the primary router will go down, and an alternate path through iBGP will be available via the secondary router.

All these will be considered only if multihoming is necessary. This design is more from the WAN router point of view than the firewall. I think the firewall should do more of packet filtering, IPS etc., and very little routing. What do you say??

Nothing to offend your design; it is a good one, but the scenario here is different, I guess.

Raj

Because in edge design you don't want the firewall to get involved with a lot of routing; you just need a default gateway for your firewalls. So HSRP will provide you one redundant default gateway, and then you can take care of routing and ISP redundancy at the router level with BGP and one internal routing protocol.
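The router side of the design argued for in the last few posts (HSRP toward the firewall, eBGP to each ISP, iBGP across a back-to-back link, a local route to the LAN through the firewall), as an added example that is not from the thread. Every number is an assumption: our AS is 64512 with public prefix 198.51.100.0/24, ISP-A peers from 203.0.113.1 in AS 64496, ISP-B from 203.0.113.5 in AS 64497, the back-to-back link is 10.255.255.0/30, the ASA outside address is 192.0.2.10, and the ISPs hand us a default route over BGP. The point it shows is the up/up-but-dead case: R1 keeps the HSRP VIP, its eBGP hold timer expires, the ISP-A default is withdrawn, and R1 forwards over iBGP to R2 without the firewall noticing anything.

```cisco
! ---- R1. R2 mirrors this with ISP-B (203.0.113.5, AS 64497) as its
! ---- eBGP neighbor and 10.255.255.1 as its iBGP neighbor. Numbers assumed.
!
interface GigabitEthernet0/2
 description Back-to-back link to R2
 ip address 10.255.255.1 255.255.255.252
!
! Only our own prefix is allowed out: re-advertising one ISP's routes to
! the other would make us a transit AS for them.
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
!
! Accept only a default from the ISP (assumes the ISP originates one; with a
! full table, filter bogons and our own prefix inbound instead).
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 64512
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 ! eBGP to ISP-A: MD5 on the session, and 10/30 s timers so a dead
 ! upstream behind an up/up Ethernet is noticed in 30 s rather than the
 ! default 180 s hold time.
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 password REPLACE-WITH-ISP-A-SECRET
 neighbor 203.0.113.1 timers 10 30
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.1 prefix-list OUR-PREFIX out
 neighbor 203.0.113.1 maximum-prefix 10
 ! iBGP to R2 over the back-to-back link. next-hop-self means the default
 ! R2 learned from ISP-B arrives here with 10.255.255.2 as next hop, so R1
 ! can use it without any route toward ISP-B's subnet.
 neighbor 10.255.255.2 remote-as 64512
 neighbor 10.255.255.2 next-hop-self
 neighbor 10.255.255.2 password REPLACE-WITH-IBGP-SECRET
!
! The "local route to reach the LAN through the firewall": the public
! prefix lives behind the ASA, whose outside address is assumed 192.0.2.10.
! This also puts the prefix in the RIB so 'network' will advertise it.
ip route 198.51.100.0 255.255.255.0 192.0.2.10
```

Under normal conditions R1 prefers its own eBGP-learned default over the iBGP copy from R2 (eBGP wins in best-path selection), so traffic from the ASA leaves via ISP-A. When ISP-A's session drops, `show ip route 0.0.0.0` on R1 should show the default via 10.255.255.2 and `show ip bgp summary` the ISP-A neighbor in Active or Idle; the HSRP state is unchanged and the ASA's default route still points at the VIP. Inbound traffic for 198.51.100.0/24 may then arrive via ISP-B while outbound still enters R1, but because both routers hand everything to the same ASA outside interface, the only stateful device in the path sees both directions, so this asymmetry is harmless here.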
