Load balance between 2 routers and 2 firewalls

12-04-2017 12:20 PM - edited 03-05-2019 09:35 AM
What I have:
I have two ISPs and I want to load-balance between both providers. I have two ASA 5525X and two ISR4431 routers. I have an ASN already with a /24 address space.
What I want to do:
Use all the equipment and load balance out of both ISPs to get use of each circuit. Both are sized appropriately to accommodate all traffic, but I need to use both.
We have a VPN connection for external connections from some contractors and we have a VPN tunnel that connects to Amazon for authentication. From my understanding I cannot do Active/Active since the configuration will not support VPN.
What would be the best way to implement the solution?
Labels: Other Routing
12-04-2017 07:21 PM - edited 12-04-2017 07:22 PM
Hi
First of all, with the latest ASA version, VPN client is supported in a multi-context environment.
Here is a list of what is supported and what is not: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html#anc5
For outbound:
You can ask your providers to build BGP peering with a full table. Then you'll have load sharing to go outside.
Inbound load balancing would be more difficult, as the routing decision will be made by the remote client. But let's take an example. You have 2 DCs: DC A and DC B. Internally you can virtually split your /24 public subnet in this way: assign the first half of the addresses of your /24 to DC A and the second half to DC B.
Both routers at DC A and DC B will have a BGP peering; DC A will advertise the first /25 of your /24 to B and DC B will advertise the second /25 to A.
In that case, when DC A receives traffic for DC B, it will forward the traffic to the DC B router (and vice versa) and you won't have any asymmetric traffic on the ASAs.
Both DC A and B will advertise /24 to your ISPs.
Is that clear? Otherwise I'll try to make a quick sketch tomorrow when I have some time.
For AnyConnect client VPN, you can configure your primary ASA as the VPN endpoint and define a secondary VPN server.
For site-to-site, what type of firewall model do you have at the remote sites? If you have ASAs, then using the crypto command you'll be able to set up 2 IPs, and the ASA will use the first IP and fail over to the second IP if the first one isn't reachable.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
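The split-/24 design described in the reply above, written out as an added example in Cisco IOS-XE syntax for the DC A border router; it is not configuration from the thread or from Cisco. Every address and number is an assumed placeholder: the /24 is the documentation prefix 203.0.113.0/24, the local ASN is 65000, ISP A peers from 192.0.2.1 in AS 64496, the DC B border router is 10.255.0.2 over a private interconnect, and the DC A ASA outside interface is 172.16.1.10. The DC B router mirrors this with 203.0.113.128/25 and its own ISP.

```cisco
! DC A border router (ISR4431). Added example, not from the thread.
! Assumed placeholders: our /24 = 203.0.113.0/24, our ASN = 65000,
! ISP A peer 192.0.2.1 in AS 64496, DC B border router 10.255.0.2,
! DC A ASA outside interface 172.16.1.10.
!
interface GigabitEthernet0/0/0
 description Point-to-point to ISP A
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/0/1
 description Private interconnect to DC B border router
 ip address 10.255.0.1 255.255.255.252
!
! The aggregate /24 is anchored to Null0 so it can be originated here even
! though half of it lives behind DC B. This site's own /25 points at the ASA.
ip route 203.0.113.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.128 172.16.1.10
!
ip prefix-list AGGREGATE-24 seq 5 permit 203.0.113.0/24
ip prefix-list DCA-HALF-25 seq 5 permit 203.0.113.0/25
!
! Toward the ISP only the /24 is announced. The implicit deny also stops the
! full table learned from ISP A leaking to ISP B via DC B (no transit AS).
route-map TO-ISP permit 10
 match ip address prefix-list AGGREGATE-24
!
! Toward DC B only this site's /25 is announced, so DC B forwards traffic
! for our half to us over the interconnect instead of to its own ASA.
route-map TO-DCB permit 10
 match ip address prefix-list DCA-HALF-25
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.128
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP A (full table in)
 neighbor 192.0.2.1 route-map TO-ISP out
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 description DC B border router (iBGP)
 neighbor 10.255.0.2 next-hop-self
 neighbor 10.255.0.2 route-map TO-DCB out
```

With this in place a packet for 203.0.113.200 that the Internet delivers to DC A matches the /25 learned over iBGP from DC B, is forwarded across the interconnect before it touches the DC A ASA, and the reply leaves through the DC B ASA and ISP B; the stateful firewall therefore sees both directions of the flow. Confirm the announcements with `show ip bgp neighbors 192.0.2.1 advertised-routes` and `show ip bgp neighbors 10.255.0.2 advertised-routes`: the ISP session should list only the /24 and the iBGP session only the local /25. An inbound prefix-list on the ISP session that rejects your own /24 and private ranges is worth adding alongside this.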
12-11-2017 05:38 AM
Hi, thank you for your reply. I have been thinking that maybe I was making it more complex than it needed to be. If the design were interface 1 of each ISR router going to its respective ISP, advertising the AS number I have, the interior interface of each router could do GLBP to load balance. The ASA could use the routers' virtual IP as a default gateway. That would leave asymmetric routing out. The second ASA could be configured as standby so the ASAs are Active/Standby. Both routers would share the load, and I could track the ISP-side connection on each router in the event one was unreachable.
Does that sound like a simpler solution? And thanks again for your prior response!
12-11-2017 03:04 PM
Hi
Can you give more details on the design you're thinking?
Will the public IP be hosted on the WAN router interface, and will private IPs be used to interconnect the routers with the ASA?
Will NAT be handled by the routers instead of the ASA?
I just want to understand your thoughts better before saying that this solution is simpler, and to validate whether you'll have the same complex issue with inbound traffic.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
12-12-2017 05:31 AM
Hi, each ISP will give me a point-to-point connection from them to my routers. The routers will have a private IP address on each interface that connects to switches on my LAN. The routers will perform GLBP and advertise a virtual gateway of 172.16.1.1. The ASA will have a default route to 172.16.1.1. All NAT will be done on the ASA. The second ASA I can configure as a standby unit in case the active unit goes down. I think that seems simpler to configure and the results are the same.
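The GLBP gateway with ISP-side tracking described in this post, as an added example in Cisco IOS-XE syntax for the DC A router; it is not configuration from the thread or from Cisco. The virtual gateway 172.16.1.1 is the one named in the post; the router's own address 172.16.1.2, the interface names, the ISP A next hop 192.0.2.1 and the authentication key are assumed placeholders. The second router carries the same group with its own address and a lower priority.

```cisco
! DC A router (ISR4431), LAN-facing interface toward the ASA outside.
! Added example, not from the thread. Assumed placeholders: ISP A next hop
! 192.0.2.1 behind GigabitEthernet0/0/0, this router's LAN address
! 172.16.1.2, virtual gateway 172.16.1.1 as in the post.
!
! Track the provider, not only the link: the interface can stay up while
! the ISP side is dead, so probe the peer address with IP SLA as well.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 interface GigabitEthernet0/0/0 line-protocol
track 2 ip sla 1 reachability
!
interface GigabitEthernet0/0/1
 description LAN side toward ASA outside interface
 ip address 172.16.1.2 255.255.255.0
 glbp 1 ip 172.16.1.1
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 load-balancing round-robin
 ! Weight starts at 100; when either track fails it drops to 60, below the
 ! lower threshold of 70, and this router stops acting as a forwarder. It
 ! resumes only once the weight climbs back above 90.
 glbp 1 weighting 100 lower 70 upper 90
 glbp 1 weighting track 1 decrement 40
 glbp 1 weighting track 2 decrement 40
 ! Authenticate hellos so a rogue host on the segment cannot join the group
 glbp 1 authentication md5 key-string GLBP-KEY-PLACEHOLDER
```

Check the state with `show glbp brief` and `show track`: with both tracks up, each router should appear as an active forwarder for one virtual MAC. One design point worth knowing before relying on this for load sharing: GLBP spreads load by answering successive ARP requests for 172.16.1.1 with different forwarders' virtual MACs. A single ASA outside interface issues one ARP request and caches one answer, so in this topology the ASA sends all outbound traffic through one router until that entry ages out or the forwarder it points at is withdrawn by the tracking above. The configuration gives clean router failover; splitting outbound traffic across both ISPs needs more than one gateway client, or a different mechanism.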
12-12-2017 03:51 PM
Just to understand: your routers to the ISPs will be in front of the ASA, and the ASA will do NAT of the LAN to public IPs. In that case, you just need to be careful in terms of routing. For a simple design and also for simple troubleshooting, I would keep the same design but do NAT on the routers instead of the ASA.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
