site-to-site VPN using Cisco ASA with two routers (HSRP)

Louey
Level 1

Hello,

 

You can see my topology on the file picture. 

 

I will say I am a beginner, and I want to make a site-to-site VPN with two Cisco ASAs (active/standby) using failover. The NAT will be done on the firewalls.

 

I also need to keep a redundant gateway for my internal network, so I decided to use two routers with HSRP in front of the ASAs (this is the critical point for me).

 

Please, can anyone tell me if my topology is correct or not, and also if I can optimize it?

 

My second question is that my internal network contains two HTTP servers; what can I use (on this topology or an optimized one) to load balance across those two servers?

 

Thank you in advance

 

Louey

6 Replies

balaji.bandi
Hall of Fame

Personally I do not see a requirement for routers here for GW redundancy only (unless you are doing anything else with these devices).

 

1. You can stack the 2960s for hardware redundancy.

2. You already have an HA pair for the FW for redundancy and failover.

3. To load-balance the web service you need a load balancer (or you can do DNS load balancing to test, but that is not as good as a load balancer).

 

 

BB


Hello Balaji,

Thank you for your answer.

But you mean having the 2 FWs in failover as the default gateway? I think
that HSRP is not possible on a Cisco ASA, so what would be the GW of my
servers?
If the GW is the active FW interface, what would happen if this interface
is down? I think that the standby FW will become active, but the default GW
is still the first one on my servers.

BR

LOUEY

Hello,

 

Actually, your design looks by the book. The ASA cannot do any LAN redundancy, so you need something like HSRP or GLBP. GLBP might actually be the better option; check if your routers support it.

If your ASAs run in multiple context mode, you can do active/active HA, otherwise you need to do active/standby.

 

As for the HTTP server load balancing, another option would be IOS Server Load Balancing (SLB). Check the link below:

 

https://www.cisco.com/c/en/us/td/docs/ios/slb/configuration/guide/slb_cg_book/slb_cg_xmp.html
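As an added example of the IOS SLB option linked above (this is not configuration from the thread; the VIP, the real-server addresses, the probe URL and the object names are all assumed), the following fragment puts the two HTTP servers behind one virtual address with an HTTP health probe, so a server that stops answering is taken out of rotation instead of receiving a share of the connections.

```cisco
! Added example, not from the thread. IOS SLB for two HTTP servers behind one VIP.
! VIP, real-server addresses, probe URL and object names are assumed.
!
! Health check: a real server is marked failed if GET /health does not return 200
! twice in a row (probes every 5 seconds)
ip slb probe HTTP-HEALTH http
 request method get url /health
 expect status 200
 interval 5
 faildetect 2
!
! The two real servers; "nat server" rewrites the destination from the VIP to the
! chosen real server, so the servers keep their own addresses and need no VIP config
ip slb serverfarm WEBFARM
 nat server
 predictor leastconns
 probe HTTP-HEALTH
 real 192.168.1.11
  inservice
 real 192.168.1.12
  inservice
!
! Virtual server: clients (and the NAT on the ASA) only ever see 192.168.1.100:80
ip slb vserver WEB-VIP
 virtual 192.168.1.100 tcp www
 serverfarm WEBFARM
 idle 300
 inservice
```

Check the state with `show ip slb vservers` and `show ip slb reals`. Two caveats for this topology: with `nat server` the servers' replies must come back through the router that rewrote the destination, so on a pair of HSRP routers the virtual server has to follow the HSRP active router (IOS SLB has its own stateless and stateful backup modes for that, which this fragment omits), and the ASA should publish the VIP through its NAT with an access rule that permits only the HTTP port(s) to 192.168.1.100, never the real servers' own addresses.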

I agree with @balaji.bandi that I do not see the point of the pair of routers. It seems to me that Louey does not understand the way that active/standby failover works on the ASA. There is an IP on the active ASA (.251) and an IP on the standby (.252). If there is some event that triggers failover on the ASA, then the standby ASA becomes active and it takes on the address .251. When the other ASA comes back in service it will use the address .252. So the gateway for the LAN devices moves from one ASA to the other without needing HSRP on the routers.

 

HTH

 

Rick
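To make the failover behaviour described above concrete, here is an added configuration example (not from the thread; the interface names, the outside and failover-link addresses and the shared key are assumed) for an ASA active/standby pair in routed, single-context mode. The inside interface carries the active address .251 and the standby address .252 from the post above. When the standby unit becomes active it takes over .251 together with the primary unit's interface MAC address and announces the change with gratuitous ARP, so whatever uses .251 as its next hop (routers or hosts) keeps working without any change. The return route to the LAN assumes the routers present a shared HSRP virtual address (10.10.10.1) toward the ASA.

```cisco
! Added example, not from the thread. Primary unit of an ASA active/standby pair
! (routed, single-context mode). Addresses, interface names and the key are assumed.
hostname ASA-PRIMARY
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! .251 (active) and .252 (standby): the active address follows the active unit
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.251 255.255.255.0 standby 10.10.10.252
!
! Dedicated failover and state link: direct cable or an isolated VLAN only, because
! state replication carries connection and NAT tables in the clear unless keyed
interface GigabitEthernet0/2
 description failover and state link
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Authenticates and encrypts failover and state replication traffic between the units
failover key MyF4il0verKey-ReplaceMe
! Poll interfaces every second, declare failure after 5 s, fail over on one failed interface
failover polltime interface 1 holdtime 5
failover interface-policy 1
monitor-interface inside
monitor-interface outside
!
! Return path to the LAN behind the routers via their shared (assumed) HSRP virtual address
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
!
! ------------------------------------------------------------
! Secondary unit: only the failover bootstrap is needed; everything else, including
! the interface addresses, is replicated from the active unit once failover comes up
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key MyF4il0verKey-ReplaceMe
failover
```

Verify with `show failover` on either unit: the output names which chassis is "Primary - Active" and lists the active and standby addresses per interface. Pull the inside cable of the active unit and run it again; the other unit should report itself active and 10.10.10.251 should still answer ARP from the routers' side.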

Hi @Georg Pauwen 

Is your statement correct "The ASA cannot do any LAN redundancy, so you need something like HSRP or GLBP. GLBP might actually be the better option, check if your routers support it"?

I am confused with your statement.

Regards,
Deepak Kumar,

To my best knowledge, none of the ASAs (5500/X/Firepower) can do HSRP, GLBP, or VRRP. If that is a critical requirement, as the OP says, you need an external device (router or switch) that supports it. GLBP is an evolution of HSRP because of the load balancing, so that would be the preferred option.

 

I could be wrong, but I haven't seen any roadmaps for the ASA to support these protocols...

 

Personally, and that of course is a matter of opinion, I don't think it's a good idea to take the routers (or any other layer 3 device) out and let the ASA function as a router (and for LAN redundancy with directly attached hosts). Simply because the ASA blocks everything by default. The ASA is designed to be an edge device for threat defense. If you want to use it for routing, you explicitly need to allow all traffic. Even ICMP is not allowed by default. So I would stick with the original design as posted by OP.
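Since the discussion ends up keeping the two routers in front of the ASAs, here is an added configuration example (not from the thread; all addresses, interface names and the key string are assumed) for that pair. Each router runs two HSRP groups: group 1 on the LAN side (virtual IP 192.168.1.1, the servers' default gateway) and group 2 on the ASA-facing side (virtual IP 10.10.10.1, which the ASA can use as its next hop back to the LAN). Interface tracking lowers the priority of a router that loses either link so both groups move together, MD5 authentication stops a rogue host on the LAN from winning the HSRP election and hijacking the gateway, and the default route points at the ASA pair's active inside address .251, which survives an ASA failover unchanged.

```cisco
! Added example, not from the thread. Router R1 (preferred HSRP active); addresses,
! names and the key string are assumed. R2 follows below with the default priority.
hostname R1
!
! Lose the LAN gateway role if the uplink toward the ASAs goes down, and vice versa
track 10 interface GigabitEthernet0/1 line-protocol
track 20 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description LAN side, toward the 2960 switches and the HTTP servers
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers msec 250 msec 750
 standby 1 authentication md5 key-string HsrpSecret-ReplaceMe
 standby 1 track 10 decrement 20
!
interface GigabitEthernet0/1
 description toward the ASA inside interfaces (active .251, standby .252)
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 2 ip 10.10.10.1
 standby 2 priority 110
 standby 2 preempt delay minimum 30
 standby 2 timers msec 250 msec 750
 standby 2 authentication md5 key-string HsrpSecret-ReplaceMe
 standby 2 track 20 decrement 20
!
! Default route to the ASA pair's active inside address; it moves with ASA failover
ip route 0.0.0.0 0.0.0.0 10.10.10.251
!
! ------------------------------------------------------------
! Router R2: same groups, its own addresses, default priority 100. A 20-point
! decrement on R1 (110 -> 90) is enough for R2 to take both groups.
hostname R2
track 10 interface GigabitEthernet0/1 line-protocol
track 20 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 preempt
 standby 1 timers msec 250 msec 750
 standby 1 authentication md5 key-string HsrpSecret-ReplaceMe
 standby 1 track 10 decrement 20
interface GigabitEthernet0/1
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 2 ip 10.10.10.1
 standby 2 preempt
 standby 2 timers msec 250 msec 750
 standby 2 authentication md5 key-string HsrpSecret-ReplaceMe
 standby 2 track 20 decrement 20
ip route 0.0.0.0 0.0.0.0 10.10.10.251
```

Check with `show standby brief` on both routers: R1 should be Active and R2 Standby for both groups, and shutting R1's GigabitEthernet0/1 should make R2 Active for group 1 as well as group 2, so traffic never enters R1 while it has no path to the ASAs. On the ASA side, the route back to 192.168.1.0/24 should use 10.10.10.1 (the group 2 virtual address), not either router's physical address.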
