Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1088
Views
16
Helpful
8
Replies

Single default gateway required

ohareka70
Level 3
Level 3

‎03-24-2017 04:43 AM - edited ‎03-08-2019 09:54 AM

Hello,

I have two switches connected at layer 2 with internet facing applications on them.  But both switches have different default gateways to get out to the internet.

is it possible to have these switches coupled in some sort of HSRP so that I can have a single default gateway for both.  In the event that either firewall is unavailable I want all the applications to route out the other direction.

I know this is not an easy task and I am looking at Loadbalancers as a separate way of doing this but would prefer to do it with Cisco equipment

any advice is welcome.  I have attached a diagram

regards,

Kevin

Labels:
Preview file
137 KB
0 Helpful
8 Replies 8

Reza Sharifi
Hall of Fame
Hall of Fame

‎03-24-2017 02:42 PM

Hi,
You could run the firewalls as a cluster in active/stand-by mode. This way you only have one gateway and if one firewall fails all traffic should go to the other firewall.

HTH

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Reza Sharifi

‎03-24-2017 02:55 PM

Hi

I agree with Reza, I have implemented that scenario many times and works perfectly. Attached you will see a basic scheme. Basically the cluster will be seen as 1 firewall one gateway for the Internal network.

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
Preview file
26 KB

ohareka70
Level 3
Level 3
In response to Julio E. Moisa

‎03-25-2017 01:21 PM

What about inbound traffic.  At the moment i have at the NAT address at the Firewall on site A (for inbound servers on the dmz).  If they have to get to site B instead how do i do the NAT

Also if site A firewall is offline that means the dmz and servers are offline.  So how do i land on the servers in Site B dmz?

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to ohareka70

‎03-25-2017 01:53 PM

Hi,

Configuring the ASA as a cluster should make the devices logically act as one device. So, when one firewall fails all the config including NAT will be on the other firewall and so it should take over traffic forwarding inbound and outbound.

Also if site A firewall is offline that means the dmz and servers are offline.  So how do i land on the servers in Site B dmz?

You would have to connect the DMZ switch to both firewalls.

HTH

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Reza Sharifi

‎03-25-2017 03:27 PM

That is correct, basically the standby firewall will be a mirror of the primary firewall, once the primary firewall fails the standby will have the same configuration like the primary.

As Reza mentioned, you should have the DMZ switches connected to both firewall. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

ohareka70
Level 3
Level 3
In response to Julio E. Moisa

‎03-26-2017 03:41 AM

So i have a server in one dmz with a gateway of 192.168.180.1 but if that firewall goes offline the other firewall has a gateway of 192.168.180.199 - How will it route?

i already tried a multi context cluster and it worked for about an hour and fell over. Not sure why but seemed to have sync problems.  i dont think clustering cisco firewalls works.

i just need a single default gateway of 192.168.180.x on my dmzs i think but not sure how to do this - maybe two layer 3 switches and HSRP?

any advice is welcome - i have 1000 users so i need to get it right next time.  not sure i trust clustering 

0 Helpful

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to ohareka70

‎03-26-2017 06:03 AM

Hi

For example, the primary firewall will be configured with the IP 192.168.180.1 so the other firewall will have the same IP 192.168.180.1 basically when you have a cluster of firewalls in active-standby, the secondary firewall (standby) creates an exact copy from the primary firewall (active)

The secondary firewall will have the same configuration like the primary firewall. 

This is a little example:

http://www.cioby.ro/2016/07/11/configuring-cisco-asa-active-standby-failover/

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

ohareka70
Level 3
Level 3
In response to Julio E. Moisa

‎03-31-2017 02:14 PM

I have attached a cisco router to each dmz switch and am using IP SLA to poll the dmz interface of each cisco asa and also upstream to both internet facing IP's.  I have that working.  I have setup HSRP on each router.

interface FastEthernet0/0

ip address 192.168.180.5 255.255.255.0

standby 1 ip 192.168.180.6

standby 1 priority 110

standby 1 preempt

standby 2 ip 192.168.180.8

standby 2 preempt

i have a default route to cisco asa site a

interface FastEthernet0/0

ip address 192.168.180.4 255.255.255.0

standby 1 ip 192.168.180.6

standby 1 priority 110

standby 1 preempt

standby 2 ip 192.168.180.8

standby 2 priority 110

standby 2 preempt

i have a default route to cisco asa site b 

Q.  What do you think?  

0 Helpful
Customers Also Viewed These Support Documents