Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
623
Views
5
Helpful
3
Replies

Cisco ASA Multi context mode - Stretched DMZ

Go to solution
ohareka70
Level 3
Level 3

‎06-26-2016 12:08 PM - edited ‎03-12-2019 12:56 AM

Hello,

I have two Cisco 5585 Firewalls across a stretched DMZ.  I was hoping to create high availability by creating the two firewalls into Multi context mode.  It failed miserably.  Don't know if it was a configuration issue or just a bad idea but had to roll back both firewalls to stand alone again.

Has anyone done this sort of project before?

Is their a simple way of doing this like using two load balancers instead?

I really just want to create high availability for the servers & applications on the DMZ off both firewalls.  Its a pity cisco firewalls dont just do HSRP or something like that.

Could i use routers to do this?

any ideas appreciated

Kevin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ohareka70

‎06-28-2016 12:43 PM

You need to extend the LAN at layer 2.  You could buy a layer 2 circuit (preferably QinQ) form your service provider and let them do it.

If you have routers you could also built an L2TPv3 tunnel between the sites and do it yourself.

View solution in original post

3 Replies 3

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎06-26-2016 01:33 PM

I have done it many times, using stretched VLANs between DC's.  Works fine.

I recommend having redundant layer 2 patches, to prevent the "split brain" issue.

And make sure you stretch the failover network between them as well.

0 Helpful

Go to solution
ohareka70
Level 3
Level 3
In response to Philip D'Ath

‎06-28-2016 08:40 AM

What I want to do is have one subnet 192.168.180.x/24 running across two sites.  I already have the physical subnet in place but each side has a different gateway on the 192.168.180.x network otherwise is would have a loop

What I then tried to do was have the Cisco 5585 firewalls in Multi context mode so they would replicate across the subnet.  It seems to work ok for a few hours but then I had sync issues.

I just want to have high availability across the subnet for the servers but maybe I don't need to change the firewalls to be in multiple context mode

any ideas?

Maybe use load balancers instead - between the two firewalls?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ohareka70

‎06-28-2016 12:43 PM

You need to extend the LAN at layer 2.  You could buy a layer 2 circuit (preferably QinQ) form your service provider and let them do it.

If you have routers you could also built an L2TPv3 tunnel between the sites and do it yourself.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card