Default Route to 0.0.0.0 via to GWs

TurnersID · ‎03-16-2015

I have a 3750 core switch connected to 2 ASA firewalls inside interface. Each firewall has a separate internet connection (outside interface)

I have put in 2 static routes as follows:

ip route 0.0.0.0 0.0.0.0 172.16.30.253 (.253 inside interface IP of ASA1)

ip route 0.0.0.0 0.0.0.0 172.16.30.254 (.254 inside interface IP of ASA2)

Note: Both Internet connection has been checked before being connected to the Firewalls

My issue is that the traffic only passes through 1 GW. ie through 172.16.30.253. It fails to connect to internet when I disconnect connection to ASA.

What I want to do is for the connectivity to be maintained on either FWs incase of a failure of a ASA. I have even tried the below routes

ip route 0.0.0.0 0.0.0.0 172.16.30.253

ip route 0.0.0.0 0.0.0.0 172.16.30.254 100 (Metric 100)

Note

Both ASAs have exact same configuration except for the interface IPs.

The two internet connection routers have HSRP configured between them so the default route on the firewalls point to the hsrp address

Please add if am missing something

Cisco Freak · ‎03-16-2015

Can you please post a diagram of the setup?

Which one is the HSRP active internet router? The traffic will always flow through that HSRP active router.

CF

TurnersID · ‎03-17-2015

Note:

The default route on the FW points to the HSRP IP between the gateways. Both the Gateways have active internet connection. (2 separate circuits used)

The issue is not on the internet side of things. What I want is that is the inside interface of the FW1 fails, the traffic should flow through the inside interface of FW2.

I added 2 static routes on the core switch:

0.0.0.0 0.0.0.0 x.x.x.1

0.0.0.0 0.0.0.0 x.x.x.2

When I disconnect FW1 inside interface, the traffic doesn't flow through the second FW.

Am I missing something??

Jon Marshall · ‎03-17-2015

You show HSRP on the outside of the firewalls as well.

Is this to the same ISP on both connections ?

If so are the outside interfaces in a common IP subnet as well ?

Are you testing a client on the inside going out to the internet ?

Do the firewalls point to an HSRP VIP on the outside ?

Jon

TurnersID · ‎03-17-2015

Yes the Internet circuit is from the same ISP. The outside interfaces are connecting to the GW and are on the same subnet.

eg

FW1 outside int is: 202.x.y.1/28

FW2 outside int is: 202.x.y.2/28

GW1 connecting to FW1 outside is: 202.x.y.3/28

GW2 connecting to FW2 outside is 202.x.y.4/28

Jon Marshall · ‎03-17-2015

How are you testing this ie. from the internet to your LAN or from the LAN to internet ?

Jon

TurnersID · ‎03-17-2015

Testing from inside LAN to internet

The test PC has access to internet when going through FW1 inside interface.

When FW1 inside is disconnected it should flow through FW2 inside interface

This is what is not happening.

The internet side of setup is fine I guess on the outside interfaces

Jon Marshall · ‎03-17-2015

Okay, just wanted to check because if it was from the internet it might be coming in on one firewall and going out the other if you had two equal cost routes.

Are you doing NAT for all internal IPs to the outside interface IPs of each firewall ?

Are the default routes on each firewall pointing to their respective gateways ?

Finally when you disconnect the first firewall do you see the route disappear from the routing table on the 3750 ?

Jon

TurnersID · ‎03-17-2015

Will check this in testing this evening.

Jon Marshall · ‎03-17-2015

Are the firewalls configured as a pair or are they standalone firewalls ?

Jon

TurnersID · ‎03-17-2015

They are stand alone firewalls