Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
6
Replies

Gateway redundancy ASA - FPR

ashleybabajee
Level 1
Level 1

‎07-03-2019 06:00 AM

Hi,

 

Currently i have an ASA firewall on HO which is also the gateway for the users/servers etc... have a dark fiber connected to DR, we will have same subnet there and will have new firewall Cisco Firepower 4120.

 

in the event the ASA goes down , how can i direct traffic to Firepower 4120, keeping different IP but on same subnet.

is it possible like clustering ASA with Firepower 4120.

If we use 2 different IP on the firewalls ,will configuring 2 gateway on user devices help ?

Labels:
0 Helpful
6 Replies 6

Karsten Iwen
VIP
VIP

‎07-03-2019 06:48 AM

Both failover- and cluster setups are not available with different devices.

And I would not try to solve this problem on the user-side. That just does not scale.

 

The best solution would be to have two identical devices and use HA or clustering. That would be the "native" way of achieving redundancy. If you can not go for a second identical device, perhaps you can monitor the existence of the primary device and in case of failure just change the interface-addresses of the new device to the gateway of the users. That could also be scripted/automated.

0 Helpful

ashleybabajee
Level 1
Level 1
In response to Karsten Iwen

‎07-03-2019 06:59 AM - edited ‎07-03-2019 09:55 PM

Hi Karsten,

 

Unfortunately for the time being we have to use unidentical device, i agree at user-side that would not be the best solution.

 

Would appreciate if you can help or guide on the script that would automate the change of interface address on the other device.

 

Note that the HO have ASA 5545-X and on DR Firepower 4120.

 

Edit:

Karsten,

 

If we somehow change the interface ip address of the DR firewall via script , then we would need to change the gateway of the DR servers as well, isnt it ?

 

Suppose HO server have  gw 192.168.1.1 and DR server have gw 192.168.1.2, if we change the ip of the DR firewall then the DR server gateway need to be changed as well.

 

Thanks

0 Helpful

fnguyen
Level 1
Level 1
In response to ashleybabajee

‎07-03-2019 09:53 AM

You won't be able to do HA with two different model of firewall.  If you have a L3 switch or router behind, you could configure OSPF with different priority weight to achieve the failover via routing.

0 Helpful

ashleybabajee
Level 1
Level 1
In response to fnguyen

‎07-03-2019 09:52 PM

Hi fnguyen,

 

Unfortunately we cant have identical device and routing is being done at firewall level.

Both firewalls would be on the same subnet , like 192.168.1.1 and 1.2 , kindly advise

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fnguyen

‎07-04-2019 07:49 AM

I agree with @Karsten Iwen and @fnguyen - the right and most practical way to do this is to by purchasing an identical device at your head office and creating an HA pair with the DR site.

The next most viable solution is to move the gateway address (and internal routing function) onto your core switch and create a new transit VLAN between it and both firewalls. Run a dynamic routing protocol between them to automate the path selection.

Trying to hack together some kind of script is incurring way too much technical debt and I would not advise it for any production environment.

0 Helpful

ashleybabajee
Level 1
Level 1
In response to Marvin Rhoads

‎07-04-2019 09:25 PM

Hi @Marvin Rhoads , i agree with @Karsten Iwen and @fnguyen  too, but right now it's not possible to have indentical device and we cant move routing on the core switch also, we need a temporary solution until we get the identical firewalls.

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card