10-18-2019 03:56 PM
Hello,
You can see my topology on the file picture.
I will say I am a beginner and I want to make a site-to-site VPN with two Cisco ASAs (active/standby) using failover. The NAT will be done on the firewalls.
I also need to keep a redundant gateway for my internal network, so I decided to use two routers with HSRP before the ASAs (this is the critical point for me).
Please, can anyone tell me if my topology is correct or not, and also if I can optimize it?
My second question is that my internal network contains two HTTP servers; what can I use (on this topology or an optimized one) to load balance across those two servers?
Thank you in advance
Louey
10-18-2019 04:23 PM
Personally I do not see a requirement for routers here for only GW redundancy (unless you are doing anything else with these devices).
1. You can stack the 2960s for hardware redundancy.
2. You already have an HA pair for the FW for redundancy and failover.
3. To load-balance the web service you need a load balancer for this work (or you can do DNS load-balancing to test, but that is not as good as a load balancer).
10-19-2019 04:09 AM
10-19-2019 04:39 AM
Hello,
Actually, your design looks by the book. The ASA cannot do any LAN redundancy, so you need something like HSRP or GLBP. GLBP might actually be the better option; check if your routers support it.
If your ASAs run in multiple context mode, you can do active/active HA, otherwise you need to do active/standby.
As for the HTTP server load balancing, another option would be IOS Server Load Balancing (SLB). Check the link below:
https://www.cisco.com/c/en/us/td/docs/ios/slb/configuration/guide/slb_cg_book/slb_cg_xmp.html
10-20-2019 10:44 AM
I agree with @balaji.bandi that I do not see the point of the pair of routers. It seems to me that Louey is not understanding the way that active/standby failover works on the ASA. There is an IP on the active ASA (251) and an IP on the standby (252). If there is some event that triggers failover on the ASA, then the standby ASA becomes active and it takes on the address 251. When the other ASA comes back in service it will use the address 252. So the gateway for the LAN devices moves from one ASA to the other without needing HSRP on the routers.
HTH
Rick
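An added example of the active/standby setup Rick describes, not taken from the thread. The inside subnet 10.0.0.0/24, the dedicated failover interface GigabitEthernet0/2 and its 172.16.255.0/30 addresses are assumptions; the shared key is a placeholder.

```text
! Added example (not from the thread). Assumed: inside LAN is 10.0.0.0/24,
! GigabitEthernet0/2 is a dedicated failover link using 172.16.255.0/30.
!
! --- Primary ASA ---
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover link FAILOVER GigabitEthernet0/2
failover key REPLACE_WITH_SHARED_KEY
!
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! .251 is the active (LAN gateway) address, .252 belongs to whichever unit is standby
 ip address 10.0.0.251 255.255.255.0 standby 10.0.0.252
!
failover
!
! --- Secondary ASA ---
! Only the failover bootstrap is entered here; the running config replicates from the primary.
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover link FAILOVER GigabitEthernet0/2
failover key REPLACE_WITH_SHARED_KEY
!
interface GigabitEthernet0/2
 no shutdown
!
failover
!
! LAN hosts use 10.0.0.251 as their gateway. On failover the standby unit takes over
! 10.0.0.251 and its MAC address, so no HSRP is needed on the inside segment.
! Check state on either unit with:  show failover
```

Interface health monitoring (`monitor-interface`) is on for named interfaces by default, so loss of the inside link on the active unit also triggers the switchover.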
10-20-2019 11:15 PM
Is your statement correct "The ASA cannot do any LAN redundancy, so you need something like HSRP or GLBP. GLBP might actually be the better option, check if your routers support it"?
I am confused with your statement.
10-21-2019 12:29 AM
To my best knowledge, none of the ASAs (5500/X/Firepower) can do HSRP, GLBP, or VRRP. If that is a critical requirement as the OP says, you need an external device (router or switch) that supports it. GLBP is an evolution of HSRP because of the load-balancing, so that would be the preferred option.
I could be wrong, but I haven't seen any roadmaps for the ASA to support these protocols...
Personally, and that of course is a matter of opinion, I don't think it's a good idea to take the routers (or any other layer 3 device) out and let the ASA function as a router (and for LAN redundancy with directly attached hosts). Simply because the ASA blocks everything by default. The ASA is designed to be an edge device for threat defense. If you want to use it for routing, you explicitly need to allow all traffic. Even ICMP is not allowed by default. So I would stick with the original design as posted by OP.