Failover between ISP router and cisco ASA 5520

krolrun974
Level 1

Hi all,

I'm facing a difficulty. I'd like to configure HA between an ISP router and an ASA firewall, as shown in the document. I was thinking about HSRP, but can I use HSRP between a router and a firewall? Another piece of information:

I have one ASA 5520 on my site connected to ISP 1, and a second ASA 5520 at a second ISP's datacenter. My aim is that if the 2nd ISP is not available, all traffic goes through the ASA on site and out to the first ISP.

I tried to explain with a diagram attached

Thanks a lot for your help

4 Replies

Marwan ALshawi
VIP Alumni

I am not sure why you have one ISP link pass through a firewall while the other does not.

But I think one of the ways you can use, assuming both routers are Cisco, is to configure the firewall in transparent mode. In this case the ASA looks like an L2 device; put both routers' LAN interfaces in the same subnet and configure HSRP between them (make sure you permit this communication between the routers through the firewall).

And the clients' HSRP VIP can be used directly without the need to involve the ASA.

But be aware that an ASA in transparent mode will not support VPN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

HTH

If helpful, rate.

Thanks! But the fact is that I also need VPN on the ASA. I'm just looking for the best way to do it while I have a firewall at my ISP and one on my site locally; I need to implement high availability between the 2 ISPs and I don't know how to do it.

Thanks again.

You can configure routing between the ISP routers and the 3750, including the firewall.

Inject a default route from both ISP routers, with a higher metric / less preference from ISP2.

Configure IP SLA on both routers: if the internet link is down, the default route will be withdrawn.

example

Assuming you will configure RIP in the network:

ISP1 router:

Let's say the next hop of ISP1 to the internet is 1.1.1.1 (your ISP's IP) and the LAN subnet is 10.1.1.0/24.

ip sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1
 timeout 1000
 frequency 3
 threshold 2
ip sla monitor schedule 10 life forever start-time now
!
! track 10 follows the reachability of SLA probe 10 (probe, schedule and track must use the same number)
track 10 rtr 10 reachability
!
router rip
 version 2
 no auto-summary
 ! assuming the switches are L2 only, this router does not need to learn other networks;
 ! passive-interface only stops sending updates, so the LAN interface toward the 3750 must be
 ! non-passive or the default route is never advertised (replace fax/x with the real interface)
 passive-interface default
 no passive-interface fax/x
 network 10.0.0.0
 redistribute static metric 1
!
! if 1.1.1.1 is not reachable the link is considered down: the tracked static default route is
! removed from the routing table, stops being redistributed, and the default via ISP2 is used instead
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 10

ISP2 router:

The next hop of ISP2 to the internet is 2.2.2.2 (your ISP's IP) and the LAN subnet is 11.1.1.0/24.

ip sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2
 timeout 1000
 frequency 3
 threshold 2
ip sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
!
! access-list 2 is applied as an inbound distribute-list on the LAN interface so the default route
! is not accepted from the LAN side (the ASA), which would otherwise cause a loop; a standard ACL
! ends with an implicit deny, so "permit any" is needed to keep accepting the other routes
access-list 2 deny 0.0.0.0
access-list 2 permit any
!
router rip
 version 2
 no auto-summary
 passive-interface default
 ! this LAN interface has to exchange routes with the ASA at ISP2 (replace fax/x with the real interface)
 no passive-interface fax/x
 network 11.0.0.0
 ! higher metric than the redistributed route on the ISP1 router, so the ISP1 default is preferred
 redistribute static metric 3
 distribute-list 2 in fax/x
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 10

And you need to enable RIP on the ASA and the 3750 (you can use BGP if the ASA supports it, or EIGRP or OSPF for faster convergence time). Also permit RIP through the ASA from the outside interface to the inside.

HTH

Forgot to mention: if you go with the routing suggestion above, you need to have the default L3 gateway for the hosts as an L3 SVI interface on the 3750, and you might use HSRP between the 3750s if there are other access switches connected to it.

And the 3750 will automatically route the traffic using the routing protocol as described above.

HTH
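The following is an added example, not part of the thread and not Cisco's code: a small Python model of the routing design in the replies above. Two edge routers each hold a static default route that is installed only while an IP SLA echo to the ISP next hop succeeds, both redistribute it into RIP with different metrics, and the core switch (the 3750) installs the lowest-metric default. It also checks what an inbound distribute-list on the ISP2 router's LAN interface admits under two candidate standard ACLs. Router names, prefixes, next hops and the probe sequence are constructed for the example; the model ignores RIP timers and only shows which route wins after each probe result.

```python
"""Added example (not from the thread): model of IP SLA tracked default routes
redistributed into RIP with different metrics, and of an inbound distribute-list.
Router names, prefixes and probe results are constructed for the example."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT = "0.0.0.0/0"


def standard_acl(entries: List[Tuple[str, str]]) -> Callable[[str], bool]:
    """Model an IOS standard ACL used as a distribute-list: entries are
    (action, match) where match is an exact prefix or 'any'; the first match
    wins and an unmatched prefix hits the implicit deny at the end."""
    def allowed(prefix: str) -> bool:
        for action, match in entries:
            if match == "any" or match == prefix:
                return action == "permit"
        return False
    return allowed


@dataclass
class EdgeRouter:
    name: str
    lan: str                      # connected LAN prefix, advertised by RIP
    next_hop: str                 # ISP next hop, also the IP SLA echo target
    redistribute_metric: int      # 'redistribute static metric N'
    inbound_filter: Optional[Callable[[str], bool]] = None  # 'distribute-list N in'
    track_up: bool = True         # state of 'track N rtr N reachability'
    learned: Dict[str, int] = field(default_factory=dict)   # RIP routes accepted

    def probe(self, reachable: bool) -> bool:
        """One IP SLA echo result; the tracked static default follows it."""
        self.track_up = reachable
        return self.track_up

    def advertise(self) -> Dict[str, int]:
        """RIP update sent on the LAN side: the LAN prefix always, the default
        only while the tracked static route is in the routing table."""
        routes = {self.lan: 1}
        if self.track_up:
            routes[DEFAULT] = self.redistribute_metric
        return routes

    def receive(self, update: Dict[str, int]) -> Dict[str, int]:
        """RIP update received on the LAN side, subject to the distribute-list."""
        for prefix, metric in update.items():
            if self.inbound_filter is None or self.inbound_filter(prefix):
                self.learned[prefix] = metric + 1
        return self.learned


def core_default(updates: Dict[str, Dict[str, int]]) -> Optional[Tuple[str, int]]:
    """The 3750 keeps the default with the lowest received metric
    (advertised metric plus one hop). Returns (router name, metric) or None."""
    best = None
    for router, routes in updates.items():
        if DEFAULT in routes:
            metric = routes[DEFAULT] + 1
            if best is None or metric < best[1]:
                best = (router, metric)
    return best


def run_failover_scenario() -> List[Optional[str]]:
    """Constructed probe sequence: both links up, ISP1 down, ISP1 back, then
    ISP2 down. Returns which router the core uses for the default each time."""
    isp1 = EdgeRouter("ISP1", "10.1.1.0/24", "1.1.1.1", redistribute_metric=1)
    isp2 = EdgeRouter("ISP2", "11.1.1.0/24", "2.2.2.2", redistribute_metric=3,
                      inbound_filter=standard_acl([("deny", DEFAULT), ("permit", "any")]))
    chosen = []
    for isp1_reachable, isp2_reachable in [(True, True), (False, True), (True, True), (True, False)]:
        isp1.probe(isp1_reachable)
        isp2.probe(isp2_reachable)
        best = core_default({isp1.name: isp1.advertise(), isp2.name: isp2.advertise()})
        chosen.append(best[0] if best else None)
    return chosen


def distribute_list_check() -> Dict[str, Dict[str, int]]:
    """What the ISP2 router learns from a LAN-side update carrying the ISP1
    LAN prefix and a default route, under two candidate standard ACLs."""
    lan_update = {"10.1.1.0/24": 2, DEFAULT: 2}   # constructed RIP update from the ASA side
    results = {}
    for label, acl in [
        ("permit host 0.0.0.0 only", standard_acl([("permit", DEFAULT)])),
        ("deny 0.0.0.0, permit any", standard_acl([("deny", DEFAULT), ("permit", "any")])),
    ]:
        router = EdgeRouter("ISP2", "11.1.1.0/24", "2.2.2.2", 3, inbound_filter=acl)
        results[label] = dict(router.receive(lan_update))
    return results


if __name__ == "__main__":
    print(run_failover_scenario())
    print(distribute_list_check())
```

The scenario walk shows the ISP1 default (received metric 2) winning whenever its probe succeeds and the ISP2 default (received metric 4) taking over only while ISP1's tracked route is withdrawn. The second check shows why the distribute-list ACL needs both lines: a standard ACL consisting only of `permit host 0.0.0.0` admits the default route and, through the implicit deny, drops every other prefix, whereas `deny 0.0.0.0` followed by `permit any` blocks the default from the LAN side and keeps the rest, which is what the comment in the reply intends.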
