06-18-2009 05:51 AM - last edited on 03-25-2019 03:24 PM by ciscomoderator
This is more of a design question than a technical question. I have inherited a network that uses BGP with two ISPs. Each ISP has an individual firewall (context) assigned to incoming traffic. We have a 6509 in our core that routes internal traffic to one firewall's internal interface.
My question is: what happens if the ISP fails that has the 6509 routing default traffic to it? Is there a way to use some protocol (HSRP-esque) so both ASAs have only one internal IP and the 6509 can route all traffic to either one if an ISP fails? Would it be better to use one firewall with two external interfaces and one internal interface? Are there any whitepapers from Cisco with a similar configuration to this?
Any help would be greatly appreciated. Thanks!
06-18-2009 06:23 AM
Interesting design. Without completely overhauling the ASA and internet edge (may be the best solution?), you could use IP SLA.
06-18-2009 07:36 AM
So if we were to redesign the ASAs, would it make sense to have ONE context pointing to both VIPs in BGP with one internal interface? Is that even possible? Seems like there would be more documentation out there for situations like this.
06-18-2009 07:46 AM
Can you post a diagram? I want to make sure I understand your topology.
06-18-2009 08:08 AM
06-18-2009 10:26 AM
Here's what I would do:
Remove the contexts or, if you need multiple contexts, use a single one for the internet access. Since there are two VIPs on the internet routers, you can point the default route on the ASA to either VIP. Luckily you're running iBGP, which will take care of any ISP failures. If you must keep this current design, check the IP SLA link I sent earlier for routing around a firewall failure.
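For readers who want to see what the IP SLA suggestion in the two replies above looks like in practice, here is an added configuration sketch for the 6509. It is not from any poster in this thread and not a Cisco-published design; all addresses are constructed placeholders, and it assumes the newer `ip sla` / `track ... ip sla` syntax (12.2(33)SX-era IOS; older trains use `ip sla monitor` and `track ... rtr` instead). The core probes each firewall context's inside interface, installs the primary default route only while that probe succeeds, and falls back to a floating default route toward the second context when it does not.

```cisco
! Constructed example: 6509 core tracking two ASA contexts' inside interfaces.
! FW-A inside = 10.0.0.1, FW-B inside = 10.0.0.2, core SVI = Vlan10 (all assumed).

! Probe FW-A's inside interface every 5 seconds; fail fast on a 1-second timeout.
ip sla 1
 icmp-echo 10.0.0.1 source-interface Vlan10
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now

! Same probe for FW-B so its route can also be withdrawn if that context dies.
ip sla 2
 icmp-echo 10.0.0.2 source-interface Vlan10
 frequency 5
 timeout 1000
ip sla schedule 2 life forever start-time now

! Track objects turn probe state into an up/down object a static route can follow.
! Delays damp flapping: wait 10 s before declaring down, 30 s before restoring.
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30

! Primary default via FW-A (AD 1), present only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
! Floating default via FW-B (AD 250), used when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250 track 2

! Verification (read-only):
!   show track brief
!   show ip sla statistics
!   show ip route 0.0.0.0
```

Two caveats a practitioner would check before relying on this. First, an ICMP probe to the firewall's inside interface only proves the context is alive; it says nothing about the ISP behind it, which is exactly why the reply above leans on iBGP between the edge routers rather than on the core's tracking to survive an ISP failure. Second, flipping the default route moves established flows from one stateful context to the other, so sessions in progress will be dropped at failover unless the two contexts share state (ASA failover pairing), which separate per-ISP contexts in this design do not.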
06-18-2009 12:44 PM
That makes sense, thanks for the advice!
Any other ideas?
06-18-2009 12:47 PM
We had a design similar to this and I finally fixed it last weekend. The real kicker is usually people don't run iBGP between their routers, but you are, so that covers the big ticket items. I also have two HSRP groups, which makes no sense to me, but I can't afford the outage if I removed one of them.