the password to get inn to the routers are exam on all of them

Hi @lomai 

 The problem is that on the router Core-R1, you have a default route sending to Firewall :

ip route 0.0.0.0 0.0.0.0 192.168.10.25

And then, you have the command "default-information originate" on the OSPF.  Which means, this router is default gateway for the whole network and as it has a default route to firewall, all traffic coming from local networl will be sent to Firewall ASA1.

  IF you run traceroute from the PC you can confirm that.  So, either you remove this config on the router or you add a connection from firewall ASA1  to ISP-5G

when i remove ip route 0.0.0.0 0.0.0.0 192.168.10.25 then its not possible to ping from pc anymore...

and the tracert on pc shows: 

C:\>tracert 10.10.20.2

Tracing route to 10.10.20.2 over a maximum of 30 hops:

1 0 ms 0 ms 0 ms 192.168.20.3

2 0 ms 0 ms 0 ms 192.168.10.22

3 0 ms 0 ms 0 ms 192.168.20.2

4 0 ms 0 ms 0 ms 192.168.10.22

5 0 ms 0 ms 0 ms 192.168.20.2

6 0 ms 0 ms 0 ms 192.168.10.22

7 0 ms 0 ms 0 ms 192.168.20.3

8 0 ms 0 ms 0 ms 192.168.10.22

9 0 ms 0 ms 0 ms 192.168.20.2

10 0 ms 0 ms 0 ms 192.168.10.14

11 0 ms 0 ms 0 ms 192.168.20.3

12 0 ms 1 ms 0 ms 192.168.10.18

13 0 ms 0 ms 0 ms 192.168.20.3

14 0 ms 0 ms 0 ms 192.168.10.22

15 0 ms 0 ms 1 ms 192.168.20.2

16 0 ms 0 ms 0 ms 192.168.10.18

17 0 ms 0 ms 1 ms 192.168.20.3

18 0 ms 0 ms 0 ms 192.168.10.6

19 0 ms 17 ms 0 ms 192.168.20.2

20 10 ms 0 ms 0 ms 192.168.10.6

21 10 ms 0 ms 0 ms 192.168.20.2

22 0 ms 0 ms 10 ms 192.168.10.6

23 1 ms 0 ms 0 ms 192.168.20.3

24 0 ms 0 ms 0 ms 192.168.10.6

25 0 ms 0 ms 0 ms 192.168.20.2

26 10 ms 10 ms 1 ms 192.168.10.18

27 10 ms 10 ms 0 ms 192.168.20.3

28 10 ms 10 ms 10 ms 192.168.10.14

29 10 ms 10 ms 10 ms 192.168.20.3

30 10 ms 10 ms 10 ms 192.168.10.6

Trace complete.

C:\>ping 10.10.20.2

Pinging 10.10.20.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

C:\>tracert 10.10.10.2

Tracing route to 10.10.10.2 over a maximum of 30 hops:

1 0 ms 0 ms 0 ms 192.168.20.3

2 0 ms 0 ms 0 ms 192.168.10.6

3 0 ms 0 ms 0 ms 192.168.20.2

4 0 ms 0 ms 0 ms 192.168.10.22

5 0 ms 0 ms 0 ms 192.168.20.2

6 0 ms 0 ms 0 ms 192.168.10.22

7 0 ms 0 ms 0 ms 192.168.20.3

8 0 ms 0 ms 0 ms 192.168.10.22

9 0 ms 0 ms 0 ms 192.168.20.2

10 0 ms 0 ms 0 ms 192.168.10.18

11 0 ms 0 ms 0 ms 192.168.20.3

12 0 ms 0 ms 0 ms 192.168.10.14

13 0 ms 0 ms 7 ms 192.168.20.3

14 0 ms 0 ms 0 ms 192.168.10.22

15 0 ms 0 ms 0 ms 192.168.20.2

16 0 ms 0 ms 0 ms 192.168.10.14

17 1 ms 0 ms 0 ms 192.168.20.3

18 0 ms 0 ms 1 ms 192.168.10.6

19 0 ms 0 ms 0 ms 192.168.20.2

20 0 ms 0 ms 0 ms 192.168.10.6

21 0 ms 1 ms 10 ms 192.168.20.2

22 10 ms 0 ms 0 ms 192.168.10.6

23 0 ms 0 ms 1 ms 192.168.20.3

24 0 ms 0 ms 0 ms 192.168.10.6

25 0 ms 1 ms 10 ms 192.168.20.2

26 10 ms 10 ms 10 ms 192.168.10.14

27 10 ms 10 ms 10 ms 192.168.20.3

28 10 ms 10 ms 10 ms 192.168.10.18

29 10 ms 10 ms 10 ms 192.168.20.3

30 10 ms 10 ms 10 ms 192.168.10.6

the same withe tracert to 10.10.20.2:

if i add a link from ASA1 to ISP-5G then it has to be in outside vlan is that correct ?

Just a second, let me fix and share the file here. 

thank you! appreciate it.

my intention in this topology is that; if ISP-cable router is down the network will use the ISP-5G 

in ASA the dual ISP function is disabled on the OS so i cant use that function..

will it be esear to only use on ISP connections and have the redundancy only on firewall?

Let´s make it work this way first and then we can see if the other solution is better.

i just have to update my Packet tracer verison to be able to open your file and ill get back ti you. tnx so much

i tested and it works perfectly tnx!!

i see that you added a route on bouth core-routers :

core-1: ip route 10.10.10.0 255.255.255.252 192.168.10.25

core-2: ip route 10.10.20.0 255.255.255.252 192.168.10.42

then added 

redistribute static subnets on the ospf 

and finaly removed 

default-information originate

i have been hopping from article to article and video to video and did not find any explanation for that but it seems like i did not look for the right ting. 

but for the question i had if we consider redundanscy is this a good setup or as i asked befor is it enoufg with one isp and have the redundancy in the firewall?

what is the best solution in your opinion?

It is good and the exercise you need to to is if you shutdown one firewall what would happen, or if you shutdown on router what would happen.

 But for better resilience I believe you can install the static route on the Dists switches and you can add two static routes like

ip route 10.10.20.0 255.255.255.252 R1 1

ip route 10.10.20.0 255.255.255.252 R2 2

On the other Dist you do

ip route 10.10.20.0 255.255.255.252 R2 1

ip route 10.10.20.0 255.255.255.252 R1 2

This way, if the router fail, the Dist will send the traffic for the other Router

that sounds good i will try impliment that Static routs and do the exercise to see what happens, am writing an exam report too so that would be nice to show on the report.

thanks again for so fast reply and good help!