I am new to these forums and hope you can help me.
We currently have one Cisco ASA 5540 firewall with one public network cable into it. It includes one line that is live, and if it fails the route switches automatically to the second line, so it works in a failover configuration.
We just purchased a secondary firewall for redundancy in case the first firewall fails, and I am not sure of the best way to set this up given we only have one ISP feed that is already doing redundancy.
Any help or advice would be greatly appreciated.
There are many designs that one can implement to achieve Internet redundancy - and then several variations of those same designs. Without knowing all the details, it would be impossible to provide you with a recommendation.
Starting from the beginning, you mentioned that you have (1) ISP. Are they providing you (2) physical connections (i.e., cables)?
If so - then you could configure your (2) ASA 5540s to act as an Active/Standby (or Active/Active) firewall pair/cluster. This would allow you to perform the following:
"Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network."
Look for 'Configuring Failover' on the Cisco website, under the ASA category, to obtain more information.
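As an added illustration of the Active/Standby pair described above (this is example configuration written for this thread, not from the original poster, El Jefe, or Cisco's documentation), the following shows the primary ASA 5540's failover-related configuration. Interface names, the 203.0.113.0/29 and 10.10.10.0/24 addresses, the failover-link subnet and the shared key are constructed placeholders. The important point for this thread is the `standby` address on the outside interface: both units' outside ports must sit on the same Layer-2 segment toward the ISP, which is only possible when the demarc (or a switch in front of it) offers two ports.

```cisco
! Added example: Active/Standby LAN-based failover on a pair of ASA 5540s.
! Not from the thread; interface names, addresses and the key are constructed.
! Entered on the PRIMARY unit. The secondary needs only its bootstrap lines
! (shown at the bottom) and then pulls the rest of the config from the primary.

hostname ASA-PRIMARY

! Outside interface: active address plus a 'standby' address. Both units'
! Gi0/0 ports must be on the same Layer-2 segment toward the ISP, so the
! ISP demarc (or a switch between demarc and firewalls) must offer two ports.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown

! Inside interface, same active/standby pattern.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 no shutdown

! Dedicated failover link between the two chassis (back-to-back cable or a
! private VLAN). Reused here as the stateful link so existing connections
! survive a switchover.
interface GigabitEthernet0/3
 description FAILOVER-LINK
 no shutdown

failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Shared key authenticates and encrypts failover messages on the link.
failover key CHANGE-ME-SHARED-KEY
! Health-check the data interfaces: a dead outside link on the active unit
! triggers a switchover, not only a dead chassis.
monitor-interface outside
monitor-interface inside
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
! Enable failover last, once both ends of the failover link are cabled.
failover

! Secondary unit bootstrap (the only lines typed on the second ASA):
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!   failover key CHANGE-ME-SHARED-KEY
!   failover
```

To verify, `show failover` on the primary should report "This host: Primary - Active" and "Other host: Secondary - Standby Ready"; `show monitor-interface` lists any monitored interface that has failed its health checks. With the ISP's own link failover happening behind the demarc, the two ASAs never need to know about the ISP's second line; they only need to share the one outside segment.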
Hi El Jefe,
Thank you for replying. It is only one physical connection they are providing us. The failover to the redundant link is done at their backend.
I thought active/standby would be the easiest option, but the above one physical connection is confusing me (unnecessarily I fear).
Do I need to ask if they can provide two physical cables instead of one?
In my opinion - if I were the Network Admin - I would keep the complexity on the side of the ISP.
For example, I would request that the ISP provide a demarcation device that has multiple copper interfaces - and request that they provide me (2) copper RJ45 connections. That way you don't have to extend any more equipment past your firewalls (i.e., cost, single point of failure, administration).
Worst case scenario is that you put a switch between your ISP demarc and your firewall. Then you have (2) connections.
Thank you again. I will see if they can provide 2 RJ45 connections.
If not, we could put a switch between the ISP and both firewalls as you say, but we will have to weigh the pros and cons of it being a single point of failure.
They may charge you something for the (2) RJ45 connections - but the ongoing maintenance and responsibility moved to the ISP would be well worth the money IMHO.
Please rate helpful posts.