DR Firewall Config Help

cisnetadmin
Level 1

Hello,

Looking for the best solution to this problem.

Currently we have our main site as ISP-ISR-Firepower-ASA-InternalNetwork, and DR is ISP-ISR-ASA (to be replaced by Firepower)-ASA-InternalNetwork. We replicate the configs of the two primary ASAs over to the DR site as changes are made, over a MACsec point-to-point connection in our management VLAN 100. We are using static routes across the board except for the egress of the ISR, which has BGP. In order to prevent improper routing we have all the data interfaces disabled on the two (external and internal) DR firewalls.

Our current DR plan is to call the DR site and tell them to start accepting our BGP packets, and then someone has to physically go into the DR and console into both DR ASAs and enable the interfaces. Obviously this isn't the greatest solution. Here is a diagram for reference:

[Image: 2018-11-19 15_41_07-Basic-P2P-Diagram.vsdx - Visio Professional.png]

Any solutions appreciated! (The Firepowers are going to behave the same way, but they aren't at the DR yet. They connect to the management VM.) I will provide any information as needed, thanks!

4 Replies

Steven Williams
Level 4

So you are running FTDs and ASAs in the same traffic line?

Yes, it will be FTD->ASA in the DR as well.

Cezar Fistik
Level 1

I would enable some sort of access from outside to the DR. It can be a VPN service on the ISR, for example, from where you should be able to access all management ports on all needed devices. Going to the DC just to enable the interfaces is too extreme, IMO.

ISP and ISP x 2, are these the same provider?

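As an added illustration of the suggestion above (this is example configuration written for this thread, not config from the original poster or from Cisco): the ASA side of a setup where management is reachable only over VLAN 100, so that once the DR ISR terminates a VPN for remote admins the data interfaces can be brought up over SSH instead of from the console. The interface names, the addresses (10.100.0.0/24 for the management VLAN, an assumed 10.100.1.0/24 VPN pool handed out by the ISR, documentation prefixes on the data sides) and the username are all assumptions; the ISR VPN configuration itself is not shown.

```cisco
! --- DR edge ASA, steady state (replicated copy, data interfaces kept shut) ---
! Dedicated management interface on VLAN 100 (assumed GigabitEthernet0/7).
! "management-only" stops the ASA from ever forwarding transit traffic
! through this interface, even if someone later mis-routes into VLAN 100.
interface GigabitEthernet0/7
 nameif management
 security-level 100
 ip address 10.100.0.12 255.255.255.0
 management-only
 no shutdown
!
! SSH is allowed only from the management VLAN and the assumed VPN pool,
! and only on the management interface. The data interfaces never expose
! management, which matters because they face the ISP once enabled.
ssh 10.100.0.0 255.255.255.0 management
ssh 10.100.1.0 255.255.255.0 management
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
username dradmin password REPLACE_ME privilege 15
!
! Data interfaces: same addressing as the primary copy, but the DR copy
! carries an explicit "shutdown" so the replicated config cannot bring
! them up on its own and attract traffic before failover is declared.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
 shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 shutdown

! --- Failover day, typed over SSH via the ISR VPN (no console visit) ---
! asa-dr# configure terminal
! asa-dr(config)# interface GigabitEthernet0/0
! asa-dr(config-if)# no shutdown
! asa-dr(config-if)# interface GigabitEthernet0/1
! asa-dr(config-if)# no shutdown
! asa-dr(config-if)# end
! asa-dr# show interface ip brief        <- confirm both show "up"/"up"
! asa-dr# write memory
```

Two checks worth doing before relying on this: first, confirm that whatever copies the primary config to the DR site preserves the `shutdown` lines on the DR data interfaces, since a verbatim copy of the primary (where those interfaces are up) would silently enable them at DR; second, confirm that the ISR VPN lands remote admins in a subnet that is actually listed in the `ssh` lines, otherwise the VPN works but the ASA refuses the session. The same split applies to the Firepowers once they arrive: management on VLAN 100 toward the management VM, data interfaces shut in the replicated copy.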