Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2759
Views
5
Helpful
6
Replies

How can we connect ASAs in HA to two ISPs?

Go to solution
Praveen Kumar
Level 1
Level 1

‎07-18-2021 08:47 AM

How can we connect ASAs in HA to two ISPs?

Details

We have two (HA pair- active/standby) ASA 5525s with Firepower running FTD codes and services as the internet-edge firewall and L2L VPN gateway. In HA pair, the active firewall will use the primary IP, in other works, primary and secondary firewalls use the same IP depending on which one is active. Since these firewalls terminate L2L VPN tunnel, we will have to use public IPs provided by the ISPs.

 

Question

How do we configure the outside interface of these firewalls and connect to the internet circuit? 

1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
Praveen Kumar
Level 1
Level 1
In response to Chakshu Piplani

‎07-19-2021 08:14 AM

Thanks for your response. We have two firewalls in HA mode (active/standby). 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-19-2021 04:49 AM 

Question

How do we configure the outside interface of these firewalls and connect to the internet circuit?

there is 2 ways can do this, some design directly terminate to ASA interface, some does Layer 2 Switch between ISP Link and FW,

 

you can PBR for route the traffic respected ISP, and do Failover with IP SLA here.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Praveen Kumar
Level 1
Level 1
In response to balaji.bandi

‎07-19-2021 08:13 AM

Let's pretend these are public IPs provided by ISPs. 

ISP-A 10.10.10.10

ISP-B 10.20.20.20

 

We have FTDs in HA (active/standby) mode. I will configure the outside interface like this "interface Gi0/0 (outside) ip address 10.10.10.10 255.255.255.0 standby 10.20.20.20. ISP-A is connected to primary FTD and ISP-B is connected to secondary FTD. 

 

If ISP-A fails, the secondary FTD will try to take over as active and use 10.10.10.10 as active IP and 10.20.20.20 as standby IP, but 10.10.10.10 will down. 

 

Key Points

1. The public IPs will be provided by ISPs and these firewalls terminate L2L VPNs, so I don't think we can have layer 2. 

2. There are two different ISPs.

3. ASA5525 with Firepower are running FTD and are in high-availability mode. It would be easier if it was one firewall, but for high-availability we have two firewalls in HA (active/standby). 

 

Thanks for your response. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Praveen Kumar

‎07-19-2021 09:38 AM

Thats not the how high availability works.

 

If you do not have any Layer 2 Switch =

 

You need to configure 2 outside interface towards ISP1 and ISP2 ( example Gi 0/1(ISP1)  Gi 0/2(ISP2)

 

Above post have detailed steps - for informationa gain :

 

https://integratingit.wordpress.com/2020/08/14/ftd-dual-isp-failover/

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

 

 

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee
In response to Praveen Kumar

‎07-19-2021 11:18 AM

As mentioned by Balaji, this is not how HA works, you can have two ISPs and through SLA monitoring config. do an auto switch between ISPs (connected on diff ports) without failover of FTD units.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card