active/active mode firewall designing

nitass (Level 1)

Hi everybody,

I have a few questions about firewall (ASA) design. Attached is my connection diagram.

1. Can I use an L3 switch as the default gateway for the PCs and add 2 default static routes on it pointing to both firewalls? Does it have any problem with routing packets back?

2. Which switch layer should I use on the upper side of the firewalls? How is it different?

3. How about inbound traffic from the Internet? Can it pass through both firewalls, such as in round robin?

Please advise.

Thanks in advance,

Nitass

4 Replies

nitass (Level 1)

This is the diagram.

haithamnofal (Level 3)

Hi,

Let me be honest and open with you on this: in PIX/ASA version 7.x there’s still no real Active-Active setup (one simple justification for this is that you can’t configure the same NAT configuration on the different contexts, etc.), although I heard this will change in version 7.2, which is going to be released soon, but this is still not the case. So, I don’t see any real added value from complicating your network with such a setup; instead you can just deploy your FW cluster in Active-Passive and that’s it. Now back to your points:

1. You can have on your L3 switch 2 static routes, for example with different metrics, pointing to the different internal interfaces of your ASA units. You shouldn’t worry about the traffic back since the 2 ASA units will know the route back, and in terms of session information they share the state table and your session should be replicated between the 2 units. I didn’t try this but theoretically it should work.

2. Usually a L2 switch is deployed in the perimeter subnet (i.e. between the router and the perimeter FW, which in this case is your ASA cluster). L3 switches are needed to configure VLANs and do routing between them from within the same switch, and I don’t think you need this on your external subnet. Unless you have a real need for having a L3 switch in the outside subnet, just go with deploying a L2 switch between your router and ASA cluster.

3. To have your inbound Internet traffic balanced between the 2 ASA units, you probably need a load balancer on which you can configure a VIP. In turn the balancer will be redirecting the traffic between the 2 different external IP addresses of your ASA units on a round-robin basis or on whichever load-balancing algorithm the balancer has; this is usually configurable.

Hope this helps, and please let me know if you still have any questions.

Best Regards,

Haitham

Hi Haitham,

Thanks for the reply. I’m not an expert on ASA, so could you please advise me more?

1.

"One simple justification to this is that you can’t configure the same NAT configuration on the different contexts"

Do you mean I can’t configure the same dynamic or static NAT on both firewalls? Do I have to configure a static route to the correct firewall interface on the Internet router?

2.

"In terms of session information they share the state table and your session should be replicated between the 2 units."

Do you mean there isn’t any problem even if the request and reply packets traverse different firewalls, e.g. the request through firewall A and the reply through firewall B?

3.

Can I configure a VIP on the Catalyst 3750? I didn’t find any information but would like to confirm.

Thanks a lot,

Nitass

Hi Nitass,

1. Well, I'll tell you what happened to me from my previous experience. I had a similar setup to yours and I managed to have the same NAT on both FW contexts. When I tried to configure the same DMZ out of the 2 firewalls, I was receiving errors regarding static overlap with the other security context. When I consulted with Cisco at that time, they confirmed to me that the main idea behind Active-Active in version 7.0 is to do load balancing for 2 separate subnets and not the same internal subnet.

Now on your router, yes: since the external interfaces of your ASA devices will have 2 different IP addresses, then either you need another layer to create a VIP and route all the traffic to this VIP, or you will need to have different static routes to the 2 outside interfaces of the ASA devices.

2. Yes, theoretically, since the 2 units share state info between them, you should not have a problem. Again, I didn't test that personally and I'm honestly concerned that this might be a limitation between the different contexts.

3. I'm not sure, but as far as I know the 3750 is a normal switch and switches usually can't do load balancing. For this you need a load balancer, something like the CSS product I guess.

Hope this helps!

Regards,

Haitham
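The asymmetric-path concern raised in point 2 (request through firewall A, reply through firewall B) can be made concrete with a small model. This is an added example, not from the thread or from Cisco; it assumes a simplified stateful firewall that only admits inbound packets matching a known connection, and uses constructed addresses.

```python
# Added toy model (not Cisco code): two stateful firewalls in front of one
# inside subnet, with and without state-table replication between them.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply packet for this flow would carry."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    table: set = field(default_factory=set)  # connections seen leaving inside
    peer: "Firewall | None" = None           # None = no state replication

    def outbound(self, flow: Flow) -> bool:
        """Inside-to-outside packet: permitted, and a state entry is created."""
        self.table.add(flow)
        if self.peer is not None:            # replicate state to the other unit
            self.peer.table.add(flow)
        return True

    def inbound(self, flow: Flow) -> bool:
        """Outside-to-inside packet: permitted only if it matches existing state."""
        return flow.reverse() in self.table


def reply_admitted(share_state: bool, asymmetric: bool) -> bool:
    """Send a request out via firewall A and return whether the reply gets in."""
    fw_a, fw_b = Firewall("A"), Firewall("B")
    if share_state:
        fw_a.peer, fw_b.peer = fw_b, fw_a
    # Constructed sample flow: an inside PC opening an HTTPS session outbound.
    request = Flow("10.1.1.10", 40000, "203.0.113.5", 443)
    fw_a.outbound(request)
    return_path = fw_b if asymmetric else fw_a
    return return_path.inbound(request.reverse())
```

Without replication the reply hitting the other unit is dropped as an unsolicited inbound packet, which is the symptom of asymmetric routing; with replication (or a design that keeps both directions on one unit) it is admitted.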