08-25-2011 02:57 AM - edited 03-04-2019 01:24 PM
Hi all,
I'm facing a difficulty. I'd like to configure HA between an ISP router and an ASA firewall as shown in the attached document. I was thinking about HSRP, but can I use HSRP between a router and a firewall? Another piece of information:
I have one ASA 5520 on my site connected to ISP 1, and a second ASA 5520 at a second ISP's datacenter. My aim is that if the 2nd ISP is not available, all traffic goes through the on-site ASA and out to the first ISP.
I have tried to explain it with the attached diagram.
Thanks a lot for your help
08-25-2011 03:37 AM
I am not sure why you have one ISP link pass through a firewall while the other does not,
but I think one of the ways you can do it, assuming both routers are Cisco, is to configure the firewall in transparent mode. In this case the ASA will look like an L2 device; put both routers' LAN interfaces in the same subnet and configure HSRP between them (make sure you permit this communication between the routers through the firewall).
The HSRP VIP can then be used directly by the clients, without the need to involve the ASA.
But be aware that an ASA in transparent mode will not support VPN.
HTH
Rate if helpful
08-25-2011 05:12 AM
Thanks! But the fact is that I also need VPN on the ASA. I'm just looking for the best way to do this while I have a firewall at my ISP and one on my site locally; I need to implement high availability between the 2 ISPs and I don't know how to do it.
thanks again
08-25-2011 06:13 AM
You can configure routing between the ISP routers and the 3750, including the firewall.
Inject a default route from both ISP routers, with a higher metric / lower preference from ISP2.
Configure IP SLA on both routers so that if the internet link is down the default route is withdrawn.
example
Assuming you will configure RIP in the network.
ISP1 router:
Let's say the next hop of ISP1 to the internet is 1.1.1.1 (your ISP IP)
LAN subnet is 10.1.1.0/24
ip sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1
 timeout 1000
 frequency 3
 threshold 2
! the schedule must reference the same SLA number as the probe (10)
ip sla monitor schedule 10 life forever start-time now
!
! the track object follows SLA 10; it must exist before the route references it
track 10 rtr 10 reachability
!
! if 1.1.1.1 is not reachable the link is considered down, this static default
! route is withdrawn, and the default route via ISP2 is used instead
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 10
!
router rip
 no auto-summary
 ! assuming the switches are L2 only, stay passive by default; the LAN
 ! interface must not be passive, though, or the redistributed default
 ! route is never sent toward the 3750
 passive-interface default
 no passive-interface fax/x
 network 10.1.1.0
 redistribute static metric 1
ISP2 router:
Next hop of ISP2 to the internet is 2.2.2.2 (your ISP IP)
LAN subnet is 11.1.1.0/24
ip sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2
 timeout 1000
 frequency 3
 threshold 2
ip sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 10
!
! standard ACL used by the inbound distribute-list: block a default route
! received from the LAN side (to avoid looping) but accept everything else
access-list 2 deny host 0.0.0.0
access-list 2 permit any
!
router rip
 no auto-summary
 passive-interface default
 ! this LAN interface has to exchange routes with the ASA at ISP2
 no passive-interface fax/x
 network 11.1.1.0
 ! higher metric than the redistributed route on the ISP1 router
 redistribute static metric 3
 ! x/x is the LAN interface; filter inbound so the default route is not learned from the LAN side
 distribute-list 2 in fax/x
And you need to enable RIP on the ASA and the 3750 (you can use BGP if the ASA supports it, or EIGRP or OSPF for faster convergence), and also permit RIP through the ASA from the outside interface to the inside.
HTH
08-25-2011 07:24 AM
Forgot to mention: if you go with the routing suggestion above, you need the default L3 gateway for the hosts to be an L3 SVI on the 3750, and you might use HSRP between the 3750s if there are other access switches connected to them.
The 3750 will then automatically route the traffic using the routing protocol as described above.
HTH
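Putting the 3750 and ASA side of the routing suggestion together, as an added example that is not from the original thread: the hosts' default gateway is an HSRP VIP on an SVI of two 3750s, and the 3750 runs RIP toward both ISP paths so it simply follows whichever default route is still being advertised after an IP SLA failure. Only 10.1.1.0/24 (ISP1 router LAN) and 11.1.1.0/24 (ISP2 router LAN) come from the answer above; the VLAN numbers, the 192.168.1.0/24 host subnet, the 10.2.2.0/24 transit subnet toward the ISP2 ASA, the interface names, addresses and HSRP values are assumptions, as is the placement of the ISP2 ASA between 11.1.1.0/24 and that transit subnet. The on-site ASA is omitted; if it sits between the 3750 and the ISP1 router it runs RIP the same way as the ISP2 ASA shown.

```cisco
! Assumed topology (not from the thread):
!   hosts 192.168.1.0/24 -> 3750 SVI Vlan100 (HSRP VIP 192.168.1.1)
!   3750 Vlan10 = 10.1.1.0/24  toward the ISP1 router (10.1.1.1)
!   3750 Vlan20 = 10.2.2.0/24  toward the inside of the ASA at ISP2
!   ASA at ISP2: outside on 11.1.1.0/24 (ISP2 router LAN), inside on 10.2.2.0/24
!
! ---- 3750 #1 (3750 #2 is identical apart from its own IPs and a lower HSRP priority) ----
ip routing
!
interface Vlan100
 description host gateway
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan10
 description toward ISP1 router
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan20
 description toward ISP2 ASA (inside)
 ip address 10.2.2.2 255.255.255.0
!
router rip
 version 2
 no auto-summary
 ! hosts never need RIP updates; the two uplink SVIs do
 passive-interface Vlan100
 network 192.168.1.0
 network 10.1.1.0
 network 10.2.2.0
!
! ---- ASA 5520 at the ISP2 datacenter (routed mode, so VPN stays available) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 11.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
router rip
 version 2
 no auto-summary
 network 11.1.1.0
 network 10.2.2.0
!
! ---- verification ----
! on each ISP router:
!   show track 10                      -> Reachability Up/Down and the tracked static route's state
!   show ip sla monitor statistics 10  -> success/failure counts of the echo probes
! on the 3750:
!   show ip route 0.0.0.0              -> normally the lower-metric default via 10.1.1.1;
!                                         the one learned through the ISP2 ASA once ISP1's route is withdrawn
```

Because RIP adds a hop at each receiver, the ISP1 default (redistributed with metric 1) always arrives at the 3750 with a lower metric than the ISP2 default (redistributed with metric 3 and relayed by the ASA), so the 3750 prefers ISP1 until the ISP1 router's tracked static route disappears and RIP stops advertising it. With a frequency of 3 seconds and RIP's own timers, expect the switchover to take on the order of tens of seconds; the answer's suggestion to use EIGRP or OSPF instead is about shrinking that window.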