07-17-2023 05:26 AM
Hi,
I have a couple of questions about an issue with a backup firewall. I'll try to explain, but I am new to this, so let me know if something is not clear.
I have set up 2 ASAs, one default and one backup. The default one is working and I can ping from inside to the ISP router, but on the backup I can't ping from inside to the ISP router. The config is exactly the same besides the IP addresses.
The Packet Tracer file is attached here.
The other question I have is: should a backup server be in the same DMZ zone as a web server, or should it be in the internal network?
Solved! Go to Solution.
07-17-2023 07:01 AM
On the topology attached you are able to ping from PCs to ISP1 and ISP2. Take a close look and let me know.
Now we can discuss other options in the diagram if you want.
07-17-2023 05:30 AM
Hi @lomai
I cannot see your file attached.
About the server, it is up to you. The DMZ is meant for devices that can be reached from the Internet and the local network. If you believe the backup server falls in this situation, put it on the DMZ. But if only internal devices can access it, it does not need to be on the DMZ.
07-17-2023 05:32 AM
07-17-2023 05:39 AM
The password to get into the routers is exam on all of them.
07-17-2023 06:04 AM
Hi @lomai
The problem is that on the router Core-R1 you have a default route sending to the firewall:
ip route 0.0.0.0 0.0.0.0 192.168.10.25
And then you have the command "default-information originate" on the OSPF, which means this router is the default gateway for the whole network, and as it has a default route to the firewall, all traffic coming from the local network will be sent to firewall ASA1.
If you run traceroute from the PC you can confirm that. So either you remove this config on the router or you add a connection from firewall ASA1 to ISP-5G.
07-17-2023 06:19 AM
When I remove ip route 0.0.0.0 0.0.0.0 192.168.10.25 then it's not possible to ping from the PC anymore...
and the tracert on the PC shows:
C:\>tracert 10.10.20.2
Tracing route to 10.10.20.2 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.20.3
2 0 ms 0 ms 0 ms 192.168.10.22
3 0 ms 0 ms 0 ms 192.168.20.2
4 0 ms 0 ms 0 ms 192.168.10.22
5 0 ms 0 ms 0 ms 192.168.20.2
6 0 ms 0 ms 0 ms 192.168.10.22
7 0 ms 0 ms 0 ms 192.168.20.3
8 0 ms 0 ms 0 ms 192.168.10.22
9 0 ms 0 ms 0 ms 192.168.20.2
10 0 ms 0 ms 0 ms 192.168.10.14
11 0 ms 0 ms 0 ms 192.168.20.3
12 0 ms 1 ms 0 ms 192.168.10.18
13 0 ms 0 ms 0 ms 192.168.20.3
14 0 ms 0 ms 0 ms 192.168.10.22
15 0 ms 0 ms 1 ms 192.168.20.2
16 0 ms 0 ms 0 ms 192.168.10.18
17 0 ms 0 ms 1 ms 192.168.20.3
18 0 ms 0 ms 0 ms 192.168.10.6
19 0 ms 17 ms 0 ms 192.168.20.2
20 10 ms 0 ms 0 ms 192.168.10.6
21 10 ms 0 ms 0 ms 192.168.20.2
22 0 ms 0 ms 10 ms 192.168.10.6
23 1 ms 0 ms 0 ms 192.168.20.3
24 0 ms 0 ms 0 ms 192.168.10.6
25 0 ms 0 ms 0 ms 192.168.20.2
26 10 ms 10 ms 1 ms 192.168.10.18
27 10 ms 10 ms 0 ms 192.168.20.3
28 10 ms 10 ms 10 ms 192.168.10.14
29 10 ms 10 ms 10 ms 192.168.20.3
30 10 ms 10 ms 10 ms 192.168.10.6
Trace complete.
C:\>ping 10.10.20.2
Pinging 10.10.20.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>tracert 10.10.10.2
Tracing route to 10.10.10.2 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.20.3
2 0 ms 0 ms 0 ms 192.168.10.6
3 0 ms 0 ms 0 ms 192.168.20.2
4 0 ms 0 ms 0 ms 192.168.10.22
5 0 ms 0 ms 0 ms 192.168.20.2
6 0 ms 0 ms 0 ms 192.168.10.22
7 0 ms 0 ms 0 ms 192.168.20.3
8 0 ms 0 ms 0 ms 192.168.10.22
9 0 ms 0 ms 0 ms 192.168.20.2
10 0 ms 0 ms 0 ms 192.168.10.18
11 0 ms 0 ms 0 ms 192.168.20.3
12 0 ms 0 ms 0 ms 192.168.10.14
13 0 ms 0 ms 7 ms 192.168.20.3
14 0 ms 0 ms 0 ms 192.168.10.22
15 0 ms 0 ms 0 ms 192.168.20.2
16 0 ms 0 ms 0 ms 192.168.10.14
17 1 ms 0 ms 0 ms 192.168.20.3
18 0 ms 0 ms 1 ms 192.168.10.6
19 0 ms 0 ms 0 ms 192.168.20.2
20 0 ms 0 ms 0 ms 192.168.10.6
21 0 ms 1 ms 10 ms 192.168.20.2
22 10 ms 0 ms 0 ms 192.168.10.6
23 0 ms 0 ms 1 ms 192.168.20.3
24 0 ms 0 ms 0 ms 192.168.10.6
25 0 ms 1 ms 10 ms 192.168.20.2
26 10 ms 10 ms 10 ms 192.168.10.14
27 10 ms 10 ms 10 ms 192.168.20.3
28 10 ms 10 ms 10 ms 192.168.10.18
29 10 ms 10 ms 10 ms 192.168.20.3
30 10 ms 10 ms 10 ms 192.168.10.6
The same with tracert to 10.10.20.2:
If I add a link from ASA1 to ISP-5G, then it has to be in the outside VLAN, is that correct?
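The two tracert listings above are the classic signature of a routing loop: the packet bounces between the Dist switch addresses (192.168.20.2 and 192.168.20.3) and the core routers (192.168.10.x), the TTL runs out at hop 30, and the ping to 10.10.20.2 times out. The following Python script is an added example, not part of the thread, that parses Windows tracert output and flags that pattern automatically: a hop address that repeats before the destination is reached. The sample traces are constructed (abbreviated from the output quoted above; the healthy trace and its 192.168.10.25 hop are assumptions for contrast).

```python
import re
from typing import Dict, List

# Constructed sample, abbreviated from the tracert output quoted in the post:
# the trace ping-pongs between the Dist switch and the core routers and never
# reaches 10.10.20.2.
LOOPING_TRACERT = """\
C:\\>tracert 10.10.20.2
Tracing route to 10.10.20.2 over a maximum of 30 hops:
  1     0 ms     0 ms     0 ms  192.168.20.3
  2     0 ms     0 ms     0 ms  192.168.10.22
  3     0 ms     0 ms     0 ms  192.168.20.2
  4     0 ms     0 ms     0 ms  192.168.10.22
  5     0 ms     0 ms     0 ms  192.168.20.2
  6     0 ms     0 ms     0 ms  192.168.10.14
Trace complete.
"""

# Constructed healthy trace for contrast (the 192.168.10.25 hop is assumed).
HEALTHY_TRACERT = """\
C:\\>tracert 10.10.10.2
Tracing route to 10.10.10.2 over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.20.3
  2     1 ms     *        1 ms  192.168.10.25
  3     2 ms     1 ms     1 ms  10.10.10.2
Trace complete.
"""

# A hop line: hop number, three RTT columns ("<1 ms", "12 ms" or "*"), then the IPv4 address.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
TARGET_RE = re.compile(r"Tracing route to (\S+?) over a maximum of (\d+) hops")


def parse_tracert(text: str) -> Dict:
    """Extract the target, the hop limit and the ordered list of hop addresses."""
    target, max_hops, hops = None, None, []  # type: ignore[var-annotated]
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target, max_hops = m.group(1), int(m.group(2))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return {"target": target, "max_hops": max_hops, "hops": hops}


def analyse(text: str) -> Dict:
    """Report whether the trace reached its target and which hops repeat.

    A hop address seen twice before the destination answers means the packet
    revisited the same router, i.e. the forwarding path contains a loop.
    """
    parsed = parse_tracert(text)
    hops: List[str] = parsed["hops"]
    reached = bool(hops) and hops[-1] == parsed["target"]
    seen, repeated = set(), []
    for hop in hops:
        if hop in seen and hop not in repeated:
            repeated.append(hop)
        seen.add(hop)
    return {
        "target": parsed["target"],
        "hop_count": len(hops),
        "reached_target": reached,
        "repeated_hops": repeated,
        "loop": (not reached) and bool(repeated),
    }


if __name__ == "__main__":
    for name, trace in (("looping", LOOPING_TRACERT), ("healthy", HEALTHY_TRACERT)):
        print(name, analyse(trace))
```

Run on the looping sample the script reports the two addresses the packet keeps revisiting, which points straight at the pair of devices whose routes disagree (here the Dist switch sending to the core and the core's default route sending back). On the healthy sample the last hop equals the target and nothing repeats, so no loop is flagged.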
07-17-2023 06:29 AM
Just a second, let me fix and share the file here.
07-17-2023 06:56 AM
Thank you! I appreciate it.
07-17-2023 06:41 AM
My intention in this topology is that if the ISP-cable router is down, the network will use ISP-5G.
In the ASA the dual ISP function is disabled on the OS, so I can't use that function.
Will it be easier to only use one ISP connection and have the redundancy only on the firewall?
07-17-2023 06:55 AM
Let's make it work this way first and then we can see if the other solution is better.
07-17-2023 07:08 AM
I just have to update my Packet Tracer version to be able to open your file and I'll get back to you. Thanks so much.
07-17-2023 07:28 AM
I tested and it works perfectly.
I see that you added a route on both core routers:
core-1: ip route 10.10.10.0 255.255.255.252 192.168.10.25
core-2: ip route 10.10.20.0 255.255.255.252 192.168.10.42
then added
redistribute static subnets on the OSPF
and finally removed
default-information originate
I have been hopping from article to article and video to video and did not find any explanation for that, but it seems like I did not look for the right thing.
But for the question I had: if we consider redundancy, is this a good setup, or as I asked before, is it enough with one ISP and have the redundancy in the firewall?
What is the best solution in your opinion?
07-17-2023 07:45 AM
It is good, and the exercise you need to do is: if you shut down one firewall, what would happen, or if you shut down one router, what would happen.
But for better resilience I believe you can install the static routes on the Dist switches, and you can add two static routes like
ip route 10.10.20.0 255.255.255.252 R1 1
ip route 10.10.20.0 255.255.255.252 R2 2
On the other Dist you do
ip route 10.10.20.0 255.255.255.252 R2 1
ip route 10.10.20.0 255.255.255.252 R1 2
This way, if the router fails, the Dist will send the traffic to the other router.
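The trailing 1 and 2 on those ip route lines are administrative distances: both routes cover the same prefix, so the switch installs only the one with the lower distance and keeps the other as a "floating" static that is installed only when the primary disappears. The Python model below is an added example, not from the thread or from Cisco, that parses IOS-style ip route lines and reproduces that selection (longest prefix first, then lowest distance, ignoring routes whose next hop is down). The next-hop addresses 192.168.30.1 for R1 and 192.168.30.2 for R2 are constructed placeholders for the R1/R2 written in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed next-hop addresses standing in for "R1" and "R2" in the post.
R1_NEXT_HOP = "192.168.30.1"
R2_NEXT_HOP = "192.168.30.2"

# The two Dist switches, each preferring a different core router (distance 1)
# and keeping the other as a floating static (distance 2).
DIST_A_CONFIG = [
    f"ip route 10.10.20.0 255.255.255.252 {R1_NEXT_HOP} 1",
    f"ip route 10.10.20.0 255.255.255.252 {R2_NEXT_HOP} 2",
]
DIST_B_CONFIG = [
    f"ip route 10.10.20.0 255.255.255.252 {R2_NEXT_HOP} 1",
    f"ip route 10.10.20.0 255.255.255.252 {R1_NEXT_HOP} 2",
]


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int = 1  # IOS default administrative distance for a static route


def parse_ip_route(line: str) -> StaticRoute:
    """Parse 'ip route <network> <mask> <next-hop> [distance]'."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route line: {line!r}")
    prefix = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
    distance = int(parts[5]) if len(parts) > 5 else 1
    return StaticRoute(prefix, str(ipaddress.IPv4Address(parts[4])), distance)


def best_route(routes: List[StaticRoute], dst: str,
               reachable: Dict[str, bool]) -> Optional[StaticRoute]:
    """Pick the route a router would use for dst.

    Routes whose next hop is not reachable are withdrawn from the table; among
    the rest, the longest prefix wins and ties go to the lowest distance.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes
                  if addr in r.prefix and reachable.get(r.next_hop, False)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def next_hop_for(config: List[str], dst: str,
                 reachable: Dict[str, bool]) -> Optional[str]:
    """Convenience wrapper: parse a config and return the chosen next hop."""
    route = best_route([parse_ip_route(line) for line in config], dst, reachable)
    return route.next_hop if route else None


if __name__ == "__main__":
    both_up = {R1_NEXT_HOP: True, R2_NEXT_HOP: True}
    r1_down = {R1_NEXT_HOP: False, R2_NEXT_HOP: True}
    print("Dist-A, both up :", next_hop_for(DIST_A_CONFIG, "10.10.20.2", both_up))
    print("Dist-A, R1 down :", next_hop_for(DIST_A_CONFIG, "10.10.20.2", r1_down))
    print("Dist-B, both up :", next_hop_for(DIST_B_CONFIG, "10.10.20.2", both_up))
```

One caveat the model makes explicit through the reachable map: a real IOS static route is withdrawn only when its next hop stops being resolvable, which in practice means the directly connected link toward that router went down. If R1 fails but the Dist's port stays up (for example because an intermediate switch sits in between), the distance-1 route stays installed and the floating route never takes over; in that case the primary route needs to be tied to an IP SLA reachability track so the failure is detected end to end.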
07-17-2023 07:56 AM
That sounds good. I will try to implement the static routes and do the exercise to see what happens. I am writing an exam report too, so that would be nice to show in the report.
Thanks again for the fast reply and good help!