Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
2
Replies

Reg:ASA DMZ

vasuramnet
Beginner
Beginner

‎06-22-2011 11:30 PM - edited ‎03-11-2019 01:49 PM

Dear ALL,

Iam Facing a strange problem is

I  have two ISP links terminated on two cisco 3845 routers from routers  two Lan switches from two switches to its came to two ASA-5580-20  firewalls,

in that firewalls i created one DMZ and MZ zones,In  that DMZ zone i have one application server and production server,For  application server i given one public ip to that server that ip belongs  to my ISP1 and production server i given one public IP that beongs to my  ISP2.

Now  the problem is when ever my ISP 1 is down my application server is not  accessing to the public users and when ever my ISP-2 is down my  production serveralso down

Plz let me know the automatic failover for this kind of problem

MY NETWORK DIAGRAM IS BELOW

Any tips will be appritiated

Labels:
Preview file
69 KB
0 Helpful
2 Replies 2

Anu M Chacko
Cisco Employee
Cisco Employee

‎06-23-2011 01:55 AM

Hi,

From what I understand this is expected. You are talking about the servers in the "trusted zone", right?

Could you clarify the issue that you're facing?

If you're trying to have the ASA load balace between the 2 ASAs, that is not possible. But if you're trying to have the ASA use one ISP when the other one is down, you can use SLA monitoring to do so. Here is a detailed document on how you can configure this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Let me know.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks!

0 Helpful

mvsheik123
Rising star
Rising star
In response to Anu M Chacko

‎06-23-2011 07:07 PM

Hi,

Based on your posting..

"For  application server i given one public ip to that server that ip belongs  to my ISP1 and production server i given one public IP that beongs to my  ISP2."

So two servers got one public IP each from each ISP. When ISP1 goes down, as the public users still try to access the App server using ISP1 public IP ( or DNS name that resolves to ISP1 public IP), the access attempt will fail. Same is the case with production server. You need some kind of Dynamic DNS option to change the IP address of the servers so that the DNS resolves to the address of live ISP.

Other option - as you have 2 ISPs and 2 routers, you can go with BGP (setup procedure is little long but worth it) ;-). That way you can achieve automatic failover.

hth

MS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents