04-18-2017 12:52 PM - edited 03-05-2019 08:22 AM
Dear all, please find the attached topology.
I want to connect 2 internet routers to two ISP routers with a private IP addressing scheme, and I want to achieve an active/passive scenario, or active/active if possible.
I have public IP addressing between the internet router and firewall. I want to terminate the VPN on the FortiGate firewall; is it possible?
How can I achieve both?
Thanks
04-18-2017 02:42 PM
Hi
First of all, what type of firewall clustering do you have?
If it's a standard active/standby, then you can't do active/active traffic flow for the internet.
For active/standby, if I understand, your requirement is to have ISP A working when firewall A is active and ISP B passing traffic when firewall B is active (that means firewall A is down). If that's correct, and if you're using ASA firewalls, you can set 2 default routes with tracking --> this is one solution.
The second solution:
What I'll say maybe doesn't apply, as I don't have a full view of your infrastructure. You can set up an HSRP address between your 2 internet routers on their LAN interfaces and have 1 route on your firewalls pointing to this VIP address. In this solution the final NAT to access the internet will be done on the internet routers.
As you can see, you can handle that task in multiple ways, so you may need to give more inputs on the actual configurations.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-19-2017 02:20 AM
Dear Francesco,
You have seen my topology; please suggest the best practice for how to route traffic in an active/passive scenario.
I need an active/passive scenario. I will run HSRP on the interfaces facing the firewall so that my firewall will point towards the VIP IP, but what about upstream from the internet routers towards the ISP routers? How can I point to one IP so that if any router fails the other will take over?
Question 2
Also, I'm planning to have private addressing between the routers and public IPs between the firewall and router for my VPN connection, so that it can be terminated on the FortiGate firewall. Is it possible?
Thanks
04-19-2017 05:06 AM
Hi
It doesn't matter that you have private IPs between your internet router and your ISP router, as long as routing is done correctly and your ISP is forwarding traffic to your public IPs via this private interconnection subnet.
What you can do in terms of config to be sure that redundancy is achieved correctly:
- On your internet router, track different objects like 8.8.8.8 and 8.8.4.4 and maybe another one (to ensure that you're triggering failover in the right case, i.e. when the internet on ISP A is down, and not only when a public server is down). When this track goes down, you can trigger a shutdown of your interface facing your firewall.
- On the firewall, have 2 routes: 1 going to ISP A with a preferred distance and tracking, and the 2nd going to ISP B with a higher distance. The tracking on the firewall should track your internet router.
- In terms of NAT, as you have 2 ISPs and I guess you're not doing full BGP and announcing your public IPs, when traffic goes through ISP2 your public IP will change; that means you'll have 2 outside interfaces, which will allow you to do NAT on the firewall. The other solution is doing HSRP using public IPs between the 2 internet routers; in this case your firewall will have only 1 route without any tracking. However, on your internet router 2, as you'll use private IPs to peer with your ISP2, you'll need to create a loopback with your public IP and do the NAT on router 2 itself.
Hope that's clear enough.
For my part, for simplicity and to avoid multiple tracking on internet routers and firewall, and to make troubleshooting easier, I would use a public VIP between the routers and do NAT for ISP B on internet router 2.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
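As an added example (not configuration from this thread or from the poster), the tracked-route option above written out in Cisco IOS and ASA syntax. The addresses are RFC 5737 documentation ranges, the interface names and timers are assumptions, and the hostnames are constructed: Internet router A probes two public targets, shuts its firewall-facing interface only when all probes fail, and the ASA carries a preferred default route whose tracking follows router A plus a higher-distance backup towards router B, with per-interface PAT because each path uses a different public range.

```cisco
! --- Internet router A (Cisco IOS), constructed example ---
! Probe two independent targets so a single dead server does not cause failover.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
! Boolean OR: ISP A counts as down only when every probe fails. The delay
! timers dampen flapping so a short blip does not bounce the interface.
track 10 list boolean or
 object 1
 object 2
 delay down 30 up 60
! When ISP A is unreachable, shut the firewall-facing interface so the ASA's
! tracked route through this router disappears; restore it on recovery.
event manager applet ISPA-DOWN
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
event manager applet ISPA-UP
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"

! --- ASA active/standby pair, constructed example ---
! outside  = 203.0.113.0/29, next hop Internet router A = 203.0.113.1
! outside2 = 198.51.100.0/29, next hop Internet router B = 198.51.100.1
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! Preferred default route (AD 1) is withdrawn while router A does not answer;
! the backup route (AD 254) then becomes the only default and takes over.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
! Each ISP path has its own public range, so PAT separately per outside interface.
object network INSIDE-NET-A
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network INSIDE-NET-B
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside2) dynamic interface
```

The two-level check matters operationally: the ASA only sees its directly connected router, so router A must translate "ISP A is unreachable" into something the firewall can observe (here, an interface shutdown); otherwise the ASA keeps sending traffic to a router that is up but has no path to the internet. Verification points after a change are `show track` and `show ip sla statistics` on the router, and `show route` plus `show sla monitor operational-state` on the ASA.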
04-20-2017 01:39 PM
Dear Francesco,
Thanks for the reply.
I made a mistake in the topology: I also have 2 switches between the firewall and internet routers, and I have only 1 ISP with 2 links terminated on 2 routers.
Please correct me if I'm wrong:
The firewall will point its default route to the VIP (public IP) of the internet routers.
The active HSRP router will receive the traffic.
I will ask the ISP to run HSRP on both of his routers, which will be connected to my switches between the internet routers and ISP routers.
My internet routers will point a default route to the HSRP VIP of the ISP routers, and my 2 internet routers will act like a PC towards the ISP routers.
Also I will point my public pool to the FortiGate on both internet routers to route the traffic.
Please suggest what complications I will meet in this design.
04-20-2017 04:35 PM
Hi
The switches don't matter, as they aren't participating in routing; I guess they are there only for Layer 2 connectivity.
If you only have 1 ISP with 2 routers, then yes, your thinking is correct. Just set up a VIP on the ISP routers, and on your firewall the default route will point to the VIP address.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-21-2017 12:30 AM
Dear Francesco,
I thought only about outgoing traffic passing to the internet, but what about the incoming traffic from the ISP routers? When traffic comes to the ISP routers it should be routed to my internet routers in case any one of them fails.
How can I achieve that?
According to the design attached from Cisco, we should run BGP between the ISP and corporate internet routers.
Thanks
04-21-2017 05:24 AM
Hi
If you're running BGP between your internet routers and the ISP, do you announce a network statement for your public IPs, or is it just to receive routes from your ISP?
If you announce your network, then you can prepend this network on your 2nd router.
No matter what, the most important thing is that traffic passes inbound and outbound through the same firewall. That means, if you have a BGP peering with your ISP, the traffic can go over internet router 1 or router 2, but at the end it will flow to your active ASA and you won't face any issue.
If everything is static, then you'll need to have HSRP on your side as well, and your ISP will forward the traffic to that VIP address.
Hope that's clear.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-21-2017 07:43 AM
Dear Francesco,
As we have 1 ISP we don't require BGP, if I am not wrong.
Scenario 1: Traffic inbound/outbound towards the internet
VPN or user internet traffic initiated from the firewall hits the VIP (public IP on internet router A). The firewall outside interface will be used for PAT; the firewall will route to the VIP address of the internet router.
The firewall will point a default route to the VIP (public IP) of the internet router. If the firewall is configured in multiple context mode, then multiple HSRP groups/interfaces have to be configured on the internet routers for the different contexts.
Run OSPF between the ISP routers and internet routers (private IPs).
ISP router A will advertise default-information originate with a lower metric, and ISP router A will be preferred from internet router A (a direct link will connect the routers; no need for switches in between).
ISP router B will advertise default-information originate with a higher metric, and ISP router B will be preferred in case of a link or router failure on the primary path (ISP router A or internet router A).
Traffic will pass to ISP router A and then the ISP will take care of further routing.
RETURN TRAFFIC PATH
When traffic comes to ISP router A or B:
The ISP routers have a static route to my public IP pool pointing to my internet routers' IP addresses. It should be 2 routes: 1 pointing to internet router A with IP SLA tracking the next hop, and the other with a higher metric pointing to internet router B. OR the ISP routers can get my public IP address block by configuring redistribute connected on internet routers A and B, which will advertise my public block to the ISP.
Once the traffic reaches the internet routers, there will be an ARP request to the firewall.
Scenario 2: Traffic inbound/outbound towards the internet without OSPF
VPN or user internet traffic initiated from the firewall hits the VIP (public IP on internet router A). The firewall outside interface will be used for PAT for user internet traffic.
The firewall will point a default route to the VIP (public IP) of the internet router. If the firewall is configured in multiple context mode, then multiple HSRP groups/interfaces have to be configured on the internet routers for the different contexts.
The active HSRP router will receive the traffic.
I will ask the ISP to run HSRP on both of his routers, which will be connected to my switches between the internet routers and ISP routers.
My internet routers will point a default route to the VIP of the ISP routers, and my 2 internet routers will act like a PC towards the ISP routers.
RETURN TRAFFIC PATH
When ISP router A or B receives the traffic:
The ISP routers have a static route to my public IP pool pointing to my internet routers' IP addresses. It should be 2 routes: 1 pointing to internet router A with IP SLA tracking the next hop, and the other with a higher metric pointing to internet router B.
Once the traffic reaches the internet routers, there will be an ARP request to the firewall.
Please validate my design, as you all are experts in the community.
Question 3
If I'm doing redistribute connected for my public IP interface on my internet routers in the OSPF process and the interface goes down, will it be notified to the ISP routers, or do they still need IP SLA tracking?
Thanks
04-21-2017 03:39 PM
Hi
I'm not saying you need BGP, just that we were talking about BGP. Even if you have 1 ISP you can run BGP.
Anyway, your statements are correct, and how the ISP will announce the default route is its business.
You can ask them to have 2 routes with SLA tracking on 1 of them.
If you're redistributing your connected interfaces and they go down, OSPF won't advertise them to its peers.
Thanks
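As an added example (not configuration from this thread; the ISP-side lines are only illustrative, since how the ISP originates its default is, as said above, the ISP's business), Scenario 1 written out in Cisco IOS syntax. Addresses are RFC 5737/RFC 1918 documentation and private ranges, interface names, router IDs and OSPF costs are assumptions, and the goal is to show the two mechanisms the scenario relies on: the ISP routers originate a default route with different metrics so internet router A prefers ISP router A, and the internet routers redistribute only their public firewall-facing subnet, which answers Question 3: an external LSA for a connected subnet exists only while that interface is up, so no IP SLA is needed on the ISP side to withdraw it.

```cisco
! --- ISP router A (preferred path), constructed example ---
router ospf 1
 router-id 10.0.0.1
 network 10.255.1.0 0.0.0.3 area 0
 ! Lower metric wins. Type-2 externals (the default) ignore internal cost,
 ! so the metric alone decides which ISP router carries the default.
 default-information originate always metric 10
! --- ISP router B (backup path) ---
router ospf 1
 router-id 10.0.0.2
 network 10.255.2.0 0.0.0.3 area 0
 default-information originate always metric 100

! --- Internet router A (router B identical apart from addresses/priority) ---
interface GigabitEthernet0/0
 description private /30 towards ISP router A
 ip address 10.255.1.2 255.255.255.252
interface GigabitEthernet0/1
 description public /29 towards firewall, HSRP VIP 203.0.113.1
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! Track the learned default route: when ISP A stops originating it, the
 ! priority drops below router B's 100 and the VIP moves to router B.
 standby 1 track 20 decrement 20
track 20 ip route 0.0.0.0/0 reachability

! Redistribute only the public firewall-facing subnet; the private transit
! /30 is already advertised by the network statement.
ip prefix-list PUBLIC-EDGE seq 5 permit 203.0.113.0/29
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list PUBLIC-EDGE
router ospf 1
 router-id 203.0.113.2
 network 10.255.1.0 0.0.0.3 area 0
 ! No adjacency is formed on the public segment; the prefix is still redistributed.
 passive-interface GigabitEthernet0/1
 redistribute connected subnets route-map CONNECTED-TO-OSPF
! Question 3 behaviour: if Gi0/1 goes down/down, the connected route leaves the
! routing table, router A flushes its external LSA for 203.0.113.0/29, and the
! ISP routers converge on router B's copy of the same prefix without any SLA probe.
```

One caveat worth checking in the lab: both internet routers advertise the same 203.0.113.0/29 prefix, so return traffic from the ISP side is chosen by OSPF cost, not by which router holds the HSRP VIP. That is harmless here because both routers deliver to the same firewall segment, but the interface that is shut for maintenance should be the public one (Gi0/1), not just the HSRP group, or the ISP will keep routing to a router that can no longer reach the firewall.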
04-22-2017 12:14 AM
Dear Francesco
So the above design which I have mentioned, does it seem to be a best practice for the internet edge?
Also you have mentioned:
"Anyway, your statements are correct, and how the ISP will announce the default route is its business."
I didn't understand your above lines. Do you mean to say why the ISP will advertise a default route to me? If they are not, then I have to route statically with IP SLA tracking.
Thanks
04-22-2017 03:28 PM
Hi
I meant, if you're doing OSPF with the ISP, how your ISP is advertising the default route to you is their business.
Sorry if it wasn't clear.
04-23-2017 12:22 PM
Dear Francesco,
No, I will ask them to advertise. But what about the design: is it best practice, or is there another better design for a redundant internet connection?
Thanks
04-24-2017 04:42 AM
Hi
Yes, it is correct and respects one of the best practice designs.
The other way to handle that with 2 ISP routers could be dynamic routing. But as you're getting only a default route and using HSRP between routers for redundancy, your design makes sense.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-19-2017 10:35 AM
A router is not needed in this design. Put the router internal to the ASA (use it as a DMVPN hub, ...). ASA cluster as internet edge.
ASA - outside switch (stacked) - ISP A, B
If you need RA, put 2 ASAs or other devices on the private network (permit from IE, internet edge).