08-17-2011 03:08 AM - edited 03-11-2019 02:13 PM
Hi
My configuration is as follows
ISP1 (primary)        ISP2 (backup)
Cisco 800 series      Cisco 800 series
       |                     |
       |_________   _________|
                 | |
        ASA 5510 (Security PLUS)
                  |
            Local Network
We have implemented route tracking and our ASA switches over to the backup route when the primary is not available.
We have now purchased another ASA 5510 to implement an active-standby configuration.
My idea was to use another interface on each router and connect it to the "standby" ASA, so when we have a failure the standby unit can pick up automatically. I was wondering if this is at all possible and what needs to be configured on the ISP routers? Backup interface maybe? Do we need a set of 4 new IP addresses?
Many thanks for any help.
WS
08-17-2011 03:19 AM
Hi Wright,
You can follow this thread, it should answer most of your questions:
https://supportforums.cisco.com/message/3400021#3400021
Let me know if you have any more questions.
Thanks,
Varun
08-17-2011 04:43 AM
Hi Varun
Many thanks for that. I've checked the link you provided but it does not answer my questions.
Configuring ASAs in active-standby is not a problem. I seek a solution for not having a switch between the firewalls and the ISP routers (as per below) but connecting the firewalls directly to the ISP routers, by using an extra interface on each router. I wonder if this is possible, for example by configuring a backup interface on the router side. Ideally I would like to not use any additional IP addresses from our ISP pool to configure this scenario.
ISP1                     ISP2
Cisco 800                Cisco 800
    |______________________|
               |
             SWITCH
     __________|___________
    |                      |
  ASA1                   ASA2
Thanks
WS
08-17-2011 08:54 AM
Hi Simon,
Sorry for the delay, had a busy day today.
Well yes, what you are suggesting is very much possible. You would need to connect both the routers to both the ASAs. What would happen is, if the Primary ISP on the Primary ISP goes down, then the Secondary ISP would take over; if the Primary Firewall goes down, then the Secondary firewall would take over and traffic would still go through the Primary ISP line.
What I suggest is: you would definitely need a switch between the ASAs in failover, so why not terminate the two routers on the switch as well? You can keep the outside interfaces of the ASAs and the routers in the same VLAN, and you would hence not require any more interfaces on the router.
Let me know if you have any queries.
Thanks,
Varun
08-18-2011 04:21 AM
Hi Varun
Many thanks for your help so far.
I appreciate that using a switch between the firewalls and ISPs will be much easier, but I'm vulnerable to the situation where the switch goes down and I'm disconnected regardless of redundant ISPs and firewalls. I think using additional interfaces is the only way out of this. Am I wrong?
Thanks
SW
08-18-2011 04:28 AM
Well, if that is the situation that you have, then you can use the extra interface on the router. Let me know if you have any other issues.
-Varun