Working on a design to essentially deploy a secondary 4110 with FTD and another 5555-X for VPN HA. My current thought process is to simply use static routes from ASR down, and FTD up with SLAs since no dynamic routing is currently used within the stack. Doing so would allow me to update the L2 WAN switches depicted in the diagram I believe without issue. A few things I am trying to get a better grasp on:
- How would FTD react if traffic outbound left FTD1 E1/2.YY, I then upgrade WAN1 (goes down), ASR drops the route per SLA to then use the path of ASR G0/3.YY-->WAN2-->FTD1? Is there an issue due to asymmetric routing here that I should be aware of?
- Inside traffic from the core would just default to X.X.1.114 as depicted in the diagram, so I do not see any issues here from internal out, concur?
- Is a dedicated 10G connection between FTD1 and FTD2 sufficient for both the failover and stateful link? Or is it best practice to use a single dedicated link for each?
- As mentioned, no dynamic routing is used currently in the stack, so the thought is static routes with SLAs. Unless there is an easier way of providing two paths out for the 4110s?
- Pretty sure the certificates from the ASA will replicate over to the VPN2 ASA for the VPN front-end, correct?
Just trying to have a solid grasp on the design thoughts as I plan to lab this out soon.
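Added example, not part of the post above: the SLA-tracked static route pattern the design proposes, written out for both directions (ASR down toward FTD1 in IOS-XE syntax, FTD1 up toward the ASR in ASA/lina syntax). All addresses, subinterface numbers, interface names (wan1/wan2), SLA and track ids are constructed placeholders; on FTD the same thing is built in FMC as an SLA Monitor object referenced from the static route's Route Tracking field, which deploys as equivalent sla monitor/track lines.

```cisco
! --- ASR (IOS-XE): routes pointing down to FTD1's two WAN-facing subinterfaces ---
! Probe FTD1's WAN1-side address through the primary path every 5 s.
ip sla 10
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/2.10
 frequency 5
ip sla schedule 10 life forever start-time now
! Dampen flaps: declare down after 15 s of failed probes, up only after 30 s of success.
track 10 ip sla 10 reachability
 delay down 15 up 30
! Primary route via WAN1 is tracked; floating backup via WAN2 has a worse admin distance.
ip route 10.1.1.0 255.255.255.0 203.0.113.2 track 10
ip route 10.1.1.0 255.255.255.0 198.51.100.2 250

! --- FTD1 / ASA (lina): routes pointing up to the ASR's two subinterfaces ---
! Probe the ASR's WAN1-side address out of the primary interface (nameif wan1).
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface wan1
 frequency 5
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
! Tracked default via WAN1; floating default via WAN2 (distance 254).
route wan1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route wan2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Caveat: each side tracks the link independently, so the two directions can fail over
! at different moments. ASA/FTD drops packets of an existing connection that arrive on an
! interface other than the one the connection was built on, so keep probe targets and
! timers matched on both ends and expect in-flight sessions to reset during the switch.
!
! Verification (ASR):  show track 10 / show ip sla statistics 10 / show ip route static
! Verification (FTD):  show track / show sla monitor operational-state / show route
```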