dual asa active-standby - dual isp - dual router config

wright.simon
Level 1

Hi

My configuration is as follows

ISP1 (primary)          ISP2 (backup)
Cisco 800 series        Cisco 800 series
       |                       |
       |_________     _________|
                 |   |
         ASA 5510 (Security PLUS)
                   |
             Local Network

We have implemented route tracking and our ASA switches over to backup route when primary is not available.

We have purchased another ASA 5510 now to implement an active-standby configuration.

My idea was to use another interface on each router and connect it to the "standby" ASA, so when we have a failure the standby unit can pick up automatically. I was wondering if this is at all possible and what needs to be configured on the ISP routers? Backup interface maybe? Do we need a set of 4 new IP addresses?

Many thanks for any help.

WS

5 Replies

varrao
Level 10

Hi Wright,

You can follow this thread, it should answer most of your questions:

https://supportforums.cisco.com/message/3400021#3400021

Let me know if you have any more questions.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

Many thanks for that. I've checked link you have provided but it does not answer my questions.

Configuring ASAs in active-standby is not a problem. I seek solution for not having switch between firewalls and ISP routers (as per below) but connect firewalls directly with ISP routers, by using extra interface on each router. I wonder if this is possible for example by configuring backup interface on router side. Ideally I would like to not use any additional IP addresses from our ISP pool to configure this scenario.

ISP1                    ISP2
Cisco 800               Cisco 800
    |_____________________|
               |
            SWITCH
     __________|__________
    |                     |
  ASA1                  ASA2

Thanks

WS

Hi Simon,

Sorry for the delay, had a busy day today.

Well yes, what you are suggesting is very much possible, you would need to connect both the routers to both the ASAs. What would happen is, if the Primary ISP on the Primary ISP goes down, then the Secondary ISP would take over; if the Primary Firewall goes down then the Secondary firewall would take over and traffic would still go through the Primary ISP line.

What I suggest is you would definitely need a switch between the ASAs in failover, so why not terminate the two routers on the switch as well? You can keep the outside interfaces of the ASAs and the routers in the same VLAN, and you would hence not require any more interfaces on the router.

Let me know if you have any queries.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

Many thanks for your help so far.

I appreciate that using a switch between the firewalls and ISPs will be much easier, but I'm vulnerable to the situation where the switch goes down and I'm disconnected regardless of redundant ISPs and firewalls. I think using additional interfaces is the only way out from this. Am I wrong?

Thanks

SW

Well if that is the situation that you have then you can use the extra interface on router. Let me know if you have any other issues.

-Varun

Thanks,
Varun Rao
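
The direct-connect layout discussed in this thread, as an added configuration sketch that is not from any of the posters. It assumes the 800-series routers have integrated switch ports (model dependent), so both ASAs can sit in one VLAN on each router and share the existing subnet; interface names, VLAN 10, the tracked target and all addresses (documentation ranges) are constructed placeholders.

```cisco
! --- ISP1 router (assumed: 800 series with integrated switch ports) ---
! Both ASA outside ports must share one L2 segment so the standby unit
! can take over the active unit's IP/MAC. VLAN 10 must exist on the router.
interface FastEthernet0
 description ASA1 outside
 switchport access vlan 10
interface FastEthernet1
 description ASA2 outside
 switchport access vlan 10
interface Vlan10
 ip address 203.0.113.1 255.255.255.248
! The ISP2 router mirrors this with its own subnet (198.51.100.0/29 here).

! --- ASA primary unit (the config replicates to the standby unit) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ! standby address comes from the existing subnet
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface Ethernet0/3
 description failover link (assumed port)
 no shutdown
!
! Existing route tracking: primary default route is withdrawn when the
! tracked target (placeholder 192.0.2.1) stops answering via outside.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Active/standby failover. The failover key authenticates and encrypts
! failover traffic, which otherwise crosses the link in clear text.
failover lan unit primary
failover lan interface folink Ethernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
monitor-interface outside
monitor-interface backup
```

If the spare router port is a routed interface rather than a switch port, the two ASA outside interfaces end up on different L2 segments and this layout does not apply as written.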