configuring Active/Standby with dual ISP on one Active and other Standby ISP on standby ASA 5520

Hi Experts,

Can we achieve this:

1. We have two 3900 routers on the core layer, which are terminated with one ISP on one router and the secondary ISP on the second router.

2. Can we configure my ASA 5520 with Active/Standby terminating two ISP providers, one on the Active ASA 5520 and the other ISP on the Standby ASA 5520, so that when the Active ISP fails the Secondary ASA can become Active and send the traffic through the Secondary ISP?

3. The reason behind giving a public IP on the firewall is to terminate VPN on our firewall, i.e. SSL and IPSEC VPN.

A few clarifications if we can achieve the above:

1. How will the DMZ services NATed with my Primary ISP on my Primary ASA be routed when the Secondary ASA is acting as the Active firewall?

2. Can Web SSL and Client-to-Site IPSEC VPN users access services via the Secondary ISP-ASA when my Primary ASA and ISP are down?

Please find the attached overview of my network diagram which we would like to achieve.


That's not how the ASA works with Active/Standby. Also the Fail-over-system will behave the same way as a single ASA would do, it's just redundant. So if the first ASA fails, the second ASA will take over with the same routes and NAT as the first one has. Only when the attached provider fails, then the second provider can become active on the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi

So Secondary ASA can route only Internet traffic that HTTPS and ... what access we have given for that VLAN in ASA.. Except DMZ NATed traffic for which the ISP is down.

So the only option is BGP, correct?

Thanks and Regards

Kiran Kumar CH

So Secondary ASA can route only Internet traffic that HTTPS and ... what access we have given for that VLAN in ASA.. Except DMZ NATed traffic for which the ISP is down.

The standby ASA won't process any traffic while the primary ASA is working. With that both ASAs need to reach both ISPs.

So the only option is BGP, correct?

That's not the only solution, but probably the best.


Hi

As you have mentioned that "That's not the only solution", is there any other configuration, other than BGP, with which we can route all traffic via the Secondary ASA when the Primary ASA or Primary ISP goes down? If so, could you please help with a reference doc or method to use.

Please help me

Thanks and Regards

Kiran Kumar CH

Hello Kiran,

Please refer to this document that I wrote a while ago to utilize both ISPs.

https://supportforums.cisco.com/docs/DOC-13015

and another document written by one of our VPN engineers.

https://supportforums.cisco.com/docs/DOC-15622

-Kureli


Hi,

I would like to use 2 ASAs in Active/Standby mode, and would like to route traffic via the Secondary ASA when the Primary ASA or ISP goes down.

Thanks and Regards

Kiran Kumar CH

No, the secondary ASA takes over when the primary ASA or a connection on the primary ASA fails, not when the first ISP fails. You have to think of the ASA FO as one logical unit with one set of routing policies.
