11-19-2018 12:48 PM - edited 02-21-2020 08:29 AM
Hello,
Looking for the best solution to this problem.
Currently we have our main site as ISP-ISR-Firepower-ASA-InternalNetwork, and DR is ISP-ISR-ASA (to be replaced by Firepower)-ASA-InternalNetwork. We replicate the configs of the two primary ASAs over to the DR site as changes are made, over a MACsec point-to-point connection in our management VLAN 100. We are using static routes across the board except for the egress of the ISR, which has BGP. In order to prevent improper routing we have all the data interfaces disabled on the two (external and internal) DR firewalls.
Our current DR plan is to call the DR site and tell them to start accepting our BGP packets, and then someone has to physically go into the DR and console into both DR ASAs and enable the interfaces. Obviously this isn't the greatest solution. Here is a diagram for reference:
Any solutions appreciated! (The Firepowers are going to behave the same way, but they aren't at the DR yet. They connect to the management VM.) I will provide any information as needed, thanks!
11-24-2018 04:07 PM
11-26-2018 06:00 AM
Yes, it will be FTD->ASA in the DR as well.
11-24-2018 06:43 PM
I would enable some sort of access from outside to the DR. It can be a VPN service on the ISR for example, from where you should be able to access all management ports on all needed devices. Going to the DC just to enable the interfaces is too extreme, imo.
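Once management access to the DR ASAs exists (as suggested above), the interface enable step itself can be scripted instead of done over console. The following is an added example, not code from this thread or from Cisco: it parses `show interface ip brief` output from an ASA, plans the `no shutdown` commands for the administratively down data interfaces while refusing to touch the management interface (so the script cannot lock itself out), and verifies the result afterwards. The interface names, addresses and sample output are constructed; pushing the commands over SSH on the management VLAN is left to whatever tool you already use.

```python
# Interfaces the DR script must never toggle (hypothetical names): losing the
# management interface would cut the only remote path into the DR ASA.
PROTECTED = {"Management0/0"}

# Constructed sample of `show interface ip brief` before failover (not a real device).
BEFORE = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.2     YES CONFIG administratively down down
GigabitEthernet0/1         10.10.0.1       YES CONFIG administratively down down
Management0/0              10.100.0.5      YES CONFIG up                    up
"""

# Constructed sample after the commands have been applied.
AFTER = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.2     YES CONFIG up                    up
GigabitEthernet0/1         10.10.0.1       YES CONFIG up                    down
Management0/0              10.100.0.5      YES CONFIG up                    up
"""


def parse_brief(show_output):
    """Map interface name -> (status text, protocol) from `show interface ip brief`."""
    state = {}
    for line in show_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Interface":
            continue  # skip blank lines and the header row
        # Status may be one word ("up") or two ("administratively down");
        # the protocol column is always the last field.
        state[fields[0]] = (" ".join(fields[4:-1]), fields[-1])
    return state


def admin_down_interfaces(show_output):
    """Data interfaces the ASA reports as administratively down, excluding PROTECTED."""
    return [name for name, (status, _) in parse_brief(show_output).items()
            if status == "administratively down" and name not in PROTECTED]


def plan_failover(show_output):
    """Exact ASA config lines to push; empty list means nothing to do (safe to re-run)."""
    cmds = []
    for name in admin_down_interfaces(show_output):
        cmds += [f"interface {name}", " no shutdown"]
    return cmds


def still_not_up(show_output, interfaces):
    """Interfaces from `interfaces` that are not up/up after the change (for alerting)."""
    state = parse_brief(show_output)
    return [n for n in interfaces if state.get(n) != ("up", "up")]
```

Run `plan_failover` on the live output first as a dry run, then push the returned lines and feed a fresh `show interface ip brief` to `still_not_up` to confirm both firewalls came up before announcing the BGP change.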
11-26-2018 01:55 PM
ISP and ISP x 2, are these the same provider?