1310 Views, 5 Helpful, 14 Replies

Internet Traffic suggestion

jack samuel
Level 1

Dear all, please find the attached topology.

I want to connect 2 internet routers to two ISP routers with a private IP addressing scheme, and I want to achieve an active/passive scenario, or active/active if possible.

I have public IP addressing between the internet router and the firewall. I want to terminate the VPN on the FortiGate firewall; is that possible?

How can I achieve both?

Thanks

1 Accepted Solution

Hi

Yes, it is correct and respects one of the best-practice designs.

The other way to handle that with 2 ISP routers could be dynamic routing. But as you're getting only a default route and using HSRP between routers for redundancy, your design makes sense.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

14 Replies

Francesco Molino
VIP Alumni

Hi

First of all, what type of firewall clustering do you have?

If it's a standard active/standby, then you can't do active/active traffic flow for internet.

For active/standby, if I understand, your requirement is to have ISP A working when firewall A is active and ISP B passing traffic when firewall B is active (that means firewall A is down). If that's correct, and if you're using ASA firewalls, you can set 2 default routes with tracking --> this is one solution.

The second solution:

What I'll say maybe doesn't apply, as I don't have a full view of your infrastructure. You can set up an HSRP address between your 2 internet routers on their LAN interfaces and have 1 route on your firewalls pointing to this VIP address. In this solution the final NAT to access the internet will be done on the internet routers.

As you see, you can handle that task in multiple ways, so you may need to give more input on the actual configurations.

Thanks
Francesco

Dear Francesco,

You have seen my topology; please suggest the best practice for how to route traffic in an active/passive scenario.

I need an active/passive scenario. I will run HSRP on the interfaces facing the firewall so that my firewall will point towards the VIP, but what about upstream from the internet routers towards the ISP routers? How can I point to one IP so that if any router fails the other will take over?

Question 2

Also, I am planning to have private addressing between the routers and public IPs between the firewall and router for my VPN connection, so that it can be terminated on the FortiGate firewall. Is it possible?

Thanks

Hi

It doesn't matter that you have private IPs between your internet router and your ISP router, as long as routing is done correctly and your ISP is forwarding traffic to your public IPs over this private interconnection subnet.

What you can do in terms of config to be sure that redundancy is achieved correctly:

- On your internet router, track different objects like 8.8.8.8 and 8.8.4.4 and maybe another one (to ensure that you're triggering failover in the right case, when the internet on ISP A is down and not only when a public server is down). When this track goes down, you can trigger a shutdown of your interface facing your firewall.

- On the firewall, have 2 routes: 1 going to ISP A with a preferred distance and tracking, and the 2nd going to ISP B with a higher distance. The tracking on the firewall should track your internet router.

- In terms of NAT, as you have 2 ISPs and I guess you're not doing full BGP and announcing your public IP, when traffic goes through ISP 2 your public IP will change; that means you'll have 2 outside interfaces, which will allow you to do NAT on the firewall. The other solution is doing HSRP using a public IP between the 2 internet routers, and in this case on your firewall you'll have only 1 route without any tracking. However, on your internet router 2, as you'll use a private IP to peer with your ISP 2, you'll need to create a loopback with your public IP and do the NAT on router 2 itself.

Hope that's clear enough.

For my part, for simplicity and to avoid multiple tracking on the internet routers and the firewall, so that people can troubleshoot, I would use a public VIP between the routers and do NAT for ISP B on internet router 2.

Thanks
Francesco
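As an added example, not from the original post and not Cisco's own reference design, here is what the "public VIP between the routers, NAT for ISP B on router 2" option described in the reply above looks like in Cisco IOS. All interface names and addresses are assumptions: 203.0.113.0/29 is the public subnet shared with the firewall (HSRP VIP .1, router A .2, router B .3), 10.0.1.0/30 and 10.0.2.0/30 are the private interconnects to ISP A and ISP B, and 198.51.100.1 is the public address ISP B routes to router B. One deliberate difference from the reply: instead of shutting the firewall-facing interface when the track fails, the HSRP priority is lowered with `standby track`, which moves the VIP to the other router while keeping the interface up for troubleshooting.

```cisco
! ===== Internet router A: primary, private /30 to ISP A, HSRP active on the public LAN =====
! Probe two independent public targets; failover triggers only when BOTH are unreachable.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean or
 object 1
 object 2
! Pin the probe targets to ISP A's next hop, otherwise a probe could succeed over the
! fallback path through router B and flap the track (user traffic to these two hosts
! therefore also always follows ISP A).
ip route 8.8.8.8 255.255.255.255 10.0.1.1
ip route 8.8.4.4 255.255.255.255 10.0.1.1
!
interface GigabitEthernet0/0
 description Private interconnect to ISP A (assumed 10.0.1.0/30)
 ip address 10.0.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Public LAN shared with the firewall (assumed 203.0.113.0/29, VIP .1)
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! Default via ISP A only while the probes succeed; otherwise hand traffic to router B so
! packets that still arrive here (e.g. before HSRP has converged) are not black-holed.
ip route 0.0.0.0 0.0.0.0 10.0.1.1 track 10
ip route 0.0.0.0 0.0.0.0 203.0.113.3 250
!
! ===== Internet router B: secondary, private /30 to ISP B, re-NATs to its own public IP =====
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean or
 object 1
 object 2
ip route 8.8.8.8 255.255.255.255 10.0.2.1
ip route 8.8.4.4 255.255.255.255 10.0.2.1
!
interface GigabitEthernet0/0
 description Private interconnect to ISP B (assumed 10.0.2.0/30)
 ip address 10.0.2.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Public LAN shared with the firewall
 ip address 203.0.113.3 255.255.255.248
 ip nat inside
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! Assumed public address that ISP B routes to this router over the private link.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! Traffic from the firewall already carries a 203.0.113.0/29 source (the firewall's PAT).
! Translate it to the ISP B address only when it really leaves via ISP B, so nothing is
! touched on the normal path via router A.
ip access-list standard FIREWALL-PUBLIC
 permit 203.0.113.0 0.0.0.7
route-map TO-ISP-B permit 10
 match ip address FIREWALL-PUBLIC
 match interface GigabitEthernet0/0
ip nat inside source route-map TO-ISP-B interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 203.0.113.2 250
```

With this the firewall keeps a single default route to 203.0.113.1 and no tracking of its own. When both probes on router A fail, its HSRP priority drops from 110 to 90, router B (100) preempts the VIP, and outbound traffic leaves via ISP B with source 198.51.100.1; existing sessions that were NATed to the 203.0.113.0/29 addresses will of course break at that point, which is the "your public IP will change" caveat from the reply. Check the state with `show track brief`, `show standby brief` and `show ip nat translations`.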

Dear Francesco,

Thanks for the reply.

I made a mistake in the topology: I also have 2 switches between the firewall and the internet routers, and I have only 1 ISP with 2 links, separated onto 2 routers.

Please correct me if I'm wrong:

The firewall will point its default route to the VIP (public IP) of the internet routers.

The active HSRP router will receive the traffic.

I will ask the ISP to run HSRP on both of his routers, which will be connected to my switches between the internet routers and the ISP routers.

My internet routers will point a default route to the HSRP VIP of the ISP routers, and my 2 internet routers will act like a PC toward the ISP routers.

Also I will point my public pool to the FortiGate on both internet routers to route the traffic.

Please suggest what complications I will meet in this design.

Hi

The switches don't matter, as they aren't participating in routing; I guess they're only there for Layer 2 connectivity.

If you only have 1 ISP with 2 routers, then yes, your thinking is correct. Just set up a VIP on the ISP routers, and on your firewall the default route will point to the VIP address.

Thanks
Francesco

Dear Francesco,

I thought only about outgoing traffic passing to the internet, but what about the incoming traffic from the ISP routers? When the traffic comes to the ISP routers it should be routed to my internet routers, in case any one of them fails.

How can I achieve that?

According to the design attached from Cisco, we should run BGP between the ISP and the corporate internet routers.

Thanks

Hi

If you're running BGP between your internet routers and the ISP, do you announce a network statement for your public IP, or is it just to receive routes from your ISP?

If you announce your network, then you can prepend this network on your 2nd router.

No matter what, the most important thing is that traffic passes inbound and outbound on the same firewall. That means, if you have a BGP peering with your ISP, the traffic can go over internet router 1 or router 2, but at the end it will flow to your active ASA and you won't face any issue.

If everything is static, then you'll need to have HSRP on your side as well, and your ISP will forward the traffic to that VIP address.

Hope that's clear.

Thanks
Francesco

Dear Francesco,

As we have 1 ISP we don't require BGP, if I am not wrong.

Scenario 1: Traffic inbound/outbound towards the internet

VPN or user internet traffic initiated from the firewall hits the VIP (public IP on internet router A). The firewall outside interface will be used for PAT; the firewall will route to the VIP address of the internet router.

The firewall will point its default route to the VIP (public IP) of the internet routers. If the firewall is configured in multiple contexts, then multiple HSRP groups/interfaces have to be configured on the internet routers for the different contexts.

Run OSPF between the ISP routers and the internet routers (private IPs).

ISP router A will advertise default-information originate with a lower metric, and ISP router A will be preferred from internet router A (direct links will connect the routers; no need for switches in between).

ISP router B will advertise default-information originate with a higher metric, and ISP router B will be preferred in case of a link or router failure on the primary link (ISP router A or internet router A).

Traffic will pass to ISP router A and then the ISP will take care of further routing.

RETURN TRAFFIC PATH

When traffic comes to ISP router A or B:

The ISP routers have a static route to my public IP pool pointing to my internet routers' IP addresses. It should be 2 routes: 1 pointing to internet router A with IP SLA tracking the next hop, and the other with a higher metric to internet router B. OR the ISP routers can get my public IP address block by configuring redistribute connected on internet routers A and B, which will advertise my public block to the ISP.

Once the traffic has reached the internet routers, there will be an ARP request to the firewall.

Scenario 2: Traffic inbound/outbound towards the internet without OSPF

VPN or user internet traffic initiated from the firewall hits the VIP (public IP on internet router A). The firewall outside interface will be used for PAT for user internet traffic.

The firewall will point its default route to the VIP (public IP) of the internet routers. If the firewall is configured in multiple contexts, then multiple HSRP groups/interfaces have to be configured on the internet routers for the different contexts.

The active HSRP router will receive the traffic.

I will ask the ISP to run HSRP on both of his routers, which will be connected to my switches between the internet routers and the ISP routers.

My internet routers will point a default route to the VIP of the ISP routers, and my 2 internet routers will act like a PC toward the ISP routers.

RETURN TRAFFIC PATH

When ISP router A or B receives the traffic:

The ISP routers have a static route to my public IP pool pointing to my internet routers' IP addresses. It should be 2 routes: 1 pointing to internet router A with IP SLA tracking the next hop, and the other with a higher metric to internet router B.

Once the traffic has reached the internet routers, there will be an ARP request to the firewall.

Please validate my design, as you all are experts in the community.

Question 3

If I am doing redistribute connected for my public IP interface on my internet routers in the OSPF process and the interface goes down, will it be notified to the ISP routers, or do they still need IP SLA tracking?

Thanks

Hi

I'm not saying you need BGP, just that we were talking about BGP. Even if you have 1 ISP you can run BGP.

Anyway, your statements are correct, and how the ISP will announce the default route is its business.

You can ask them to have 2 routes with SLA tracking on 1 of them.

If you're redistributing your connected interfaces and they go down, OSPF won't advertise them to its peer.

Thanks
Francesco
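The OSPF variant (scenario 1 in the design above) and the answer to question 3, as an added Cisco IOS example that is not from the original posts: the customer internet router redistributes only its public block into OSPF with a per-router metric, and the ISP router originates a default with a per-router metric. Names and addresses are assumptions (10.0.1.0/30 private link to ISP router A, 203.0.113.0/29 public LAN with HSRP VIP .1); router B and ISP router B are identical apart from the values noted in the comments. The `track ... ip route` object on the HSRP group is my addition, not something the design above states: without it, a failure of only the ISP A link would leave the VIP on a router that no longer has a default route.

```cisco
! ===== Internet router A (customer side); router B differs only where noted =====
interface GigabitEthernet0/0
 description Private point-to-point link to ISP router A (assumed 10.0.1.0/30)
 ip address 10.0.1.2 255.255.255.252
 ip ospf network point-to-point
!
interface GigabitEthernet0/1
 description Public LAN shared with the firewall (assumed 203.0.113.0/29, HSRP VIP .1)
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 20 decrement 20
!
! Track the OSPF-learned default route: if ISP router A stops advertising it (link down,
! ISP router down, or the ISP losing its own default), the route leaves the RIB, the HSRP
! priority drops below router B's 100 and router B takes the VIP.
track 20 ip route 0.0.0.0/0 reachability
!
! Redistribute only the public block. The connected route exists only while Gi0/1 is up,
! so an interface failure withdraws the external LSA by itself (question 3); no IP SLA is
! needed on the ISP side for that case. Metric 10 here, 20 on router B, so the ISP's
! return path prefers router A while both are up.
ip prefix-list PUBLIC-BLOCK seq 5 permit 203.0.113.0/29
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list PUBLIC-BLOCK
!
router ospf 1
 router-id 10.0.1.2
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.1.0 0.0.0.3 area 0
 redistribute connected subnets metric 10 metric-type 2 route-map CONNECTED-TO-OSPF
!
! ===== ISP router A (what to ask the ISP for); ISP router B uses metric 20 =====
interface GigabitEthernet0/0
 description Private point-to-point link to customer internet router A
 ip address 10.0.1.1 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 10.0.1.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.1.0 0.0.0.3 area 0
 default-information originate metric 10 metric-type 2
```

Because both defaults are type-2 externals, the customer routers compare the seed metrics directly and prefer the metric-10 default from ISP router A; `default-information originate` without `always` also means ISP router A stops advertising it when it has no default of its own, which is exactly the event the `track 20` object reacts to. Verify with `show ip ospf database external`, `show ip route 0.0.0.0` and `show track 20` on the customer side, and confirm the ISP sees only 203.0.113.0/29 from you (the private /30s must not be redistributed, which the prefix list enforces).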

Dear Francesco,

So does the above design which I have mentioned seem to be a best practice for the internet edge?

Also, you have mentioned:

"Anyway, your statements are correct, and how the ISP will announce the default route is its business."

I didn't understand your lines above. Do you mean to say why would the ISP advertise a default route to me? If they don't, then I have to route statically with IP SLA tracking.

Thanks

Hi

I meant that if you're doing OSPF with the ISP, how your ISP advertises the default route to you is their business.

Sorry if it wasn't clear.

Thanks
Francesco

Dear Francesco,

No, I will ask them to advertise it. But what about the design: is it best practice, or is there another, better design for a redundant internet connection?

Thanks


Kuat Bakenov
Level 1

A router is not needed in this design. Put the router inside the ASA (use it as a DMVPN hub, etc.), with the ASA cluster as the internet edge.

ASA outside - stacked switch - ISP A, B.

If you need RA, put 2 ASAs or another device on a private network (permitted from the IE, the internet edge).
