08-22-2007 12:16 PM - edited 02-21-2020 01:39 AM
Thanks in advance!
We're setting up a web server farm consisting of web, SQL, FTP, and domain controller servers. The data centre has provided us with two 10 Mbps Ethernet connections, with 3 public static IPs each on the primary subnet and an additional 14 public static IPs on a secondary subnet.
Would a single Cisco ASA 5510 be capable of all this?
REQUIREMENTS
- Firewall the network.
- Ability to VPN into the network.
- Ability to route secondary IPs traffic to servers' internal IPs.
- Multiple internal subnets, can create rules as to which resource on each subnet can access the other.
- Implement redundancy with the secondary Ethernet connection, so that if the primary connection drops, web traffic automatically goes through the secondary connection.
Greatly appreciated!
Z
08-23-2007 12:18 AM
For the ASA:
I suggest you go for 2 ASAs for redundancy, active/standby or active/active.
They will do stateful failover.
Firewall - yes
VPN into the network - Yes
Multiple internal subnets, can create rules as to which resource on each subnet can access the other. - Yes
Two 7200 routers running iBGP with HSRP, and running eBGP with the ISP
Redundancy for the secondary Internet connection - Yes
Ability to route secondary IPs traffic to servers' internal IPs. - Yes
For BGP, refer to these URLs:
http://www.cisco.com/warp/public/459/27.html
http://www.cisco.com/warp/public/459/40.html
HTH - Pls rate if useful
08-23-2007 04:50 AM
Active/active failover does not support VPNs, so you'll have to use active/standby for redundancy.
08-23-2007 04:58 AM
That is true. Sorry, I missed that one.
09-01-2007 04:43 AM
The answer is: it depends.
Is the data centre operator running any dynamic routing protocol with you (BGP, OSPF, RIP ...)? Or are you going to need something else (like Cisco OER)? Is the second line a "pure backup", or can you do some kind of load distribution across the two lines?
Can both subnets be sent over the two lines, or is the first subnet going to be fed only through the first link and the second subnet only through the second link? In that case, can Global Load Balancing be a solution for you?
I'll take some hypotheses:
- You need a firewall;
- You need to VPN (site-to-site or client-to-site) to your infra;
- You need to perform NAT;
- You need failover;
- Your provider offers you OSPF routing to switch between first and second link.
All that can be done with an ASA box (and, of course, much more), or even better, two ASAs in active/standby failover.
If possible, can you provide us with a small network sketch of what you plan to do?
My two cents ...
jF
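As an added illustration (not configuration from the thread or from either respondent), the fragment below sketches how the original poster's requirements map onto a single ASA 5510 pair in the 7.x/8.0 syntax of the period: per-subnet VLAN interfaces with inter-subnet rules, a secondary-block public IP statically mapped to a web server, an Internet-facing ACL, and active/standby stateful failover (the mode the replies note is required for VPN). All addresses, VLAN ids and names are placeholders; failover between the two provider links is left to the upstream routers or provider OSPF, as the replies suggest, so only one default route appears here.

```cisco
! Added example, not from the thread: ASA 5510 fragment in 7.x/8.0 syntax.
! All addresses, VLAN ids and names are placeholders (RFC 5737 documentation ranges).
hostname asa-primary
! --- Outside: primary data-centre link, one of the 3 primary-subnet public IPs ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
! --- Inside: one VLAN sub-interface per server role, so rules can be set per subnet ---
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 10
 nameif web
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
interface Ethernet0/1.20
 vlan 20
 nameif db
 security-level 100
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
! --- Active/standby stateful failover between two units (VPN needs this mode) ---
interface Ethernet0/3
 no shutdown
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! --- Secondary-block public IP mapped 1:1 to the web server's private address ---
! The provider must route the secondary /28 towards the ASA's outside address.
static (web,outside) 198.51.100.10 192.168.10.10 netmask 255.255.255.255
! --- From the Internet, only HTTP/HTTPS to that server; everything else is dropped ---
access-list outside_in extended permit tcp any host 198.51.100.10 eq www
access-list outside_in extended permit tcp any host 198.51.100.10 eq https
access-group outside_in in interface outside
! --- Inter-subnet policy: web may reach SQL on TCP 1433 only; db initiates nothing ---
access-list web_in extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 1433
access-list web_in extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list web_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group web_in in interface web
access-list db_in extended deny ip any any
access-group db_in in interface db
! --- Default route via the primary link; failover between the two provider links is
! --- handled upstream (BGP routers or provider OSPF) as the replies above suggest.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Because the firewall is stateful, the SQL server's replies to the web tier pass even though the db interface ACL denies everything it initiates; the `standby` addresses only take effect once the second unit is joined to the failover pair.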