I have 2 connections to the internet via BGP. I need to place firewalls for border security. I need to use the FWSM modules on the 6506 that are also acting as my dual core.
These firewalls will also do NAT. My problem is with load balancing. I want to be able to load balance and provide redundancy over the firewalls but don't know what my options are.
If I inject 0.0.0.0 default routes into my OSPF on the BGP routers, my core will have 2 default routes and traffic will pass over both firewalls. I believe that if return traffic takes a different path, the return firewall will not have session or xlate information and will drop the traffic. OK, so I can use "tcp bypass" to fix the session problem, but what about the xlate when using PAT?
What is the best design strategy when implementing 2 firewalls and load-balancing them in this fashion?
Attached is my network setup. I can subnet IPs if needed to, etc.
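The asymmetric-return problem raised in the question, as an added example (this is not code from the original post): a toy Python model of two stateful PAT firewalls that both translate to the same global address. Each firewall keeps its own session table; the translation (xlate) table is either per-firewall or a single shared object standing in for state synchronisation between the two units. The addresses, the single PAT address, and the simplified `tcp_state_bypass` flag (modelled as skipping only the session lookup) are assumptions for illustration, not a description of FWSM internals.

```python
"""Toy model of two stateful PAT firewalls with asymmetric return traffic.

Constructed example: the addresses, ports and firewall behaviour are a
simplified model, not a reproduction of FWSM internals.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A packet is (src_ip, src_port, dst_ip, dst_port).
Pkt = Tuple[str, int, str, int]


@dataclass
class XlateTable:
    """PAT state: inside (ip, port) <-> outside port on a single global IP."""
    global_ip: str
    next_port: int = 1024
    fwd: Dict[Tuple[str, int], int] = field(default_factory=dict)
    rev: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def allocate(self, inside: Tuple[str, int]) -> int:
        if inside not in self.fwd:
            port, self.next_port = self.next_port, self.next_port + 1
            self.fwd[inside] = port
            self.rev[port] = inside
        return self.fwd[inside]


@dataclass
class Firewall:
    name: str
    xlate: XlateTable            # shared between firewalls only if state is synced
    tcp_state_bypass: bool = False
    sessions: Set[Pkt] = field(default_factory=set)  # per-firewall, never shared here

    def outbound(self, pkt: Pkt) -> Pkt:
        """Inside -> outside: build a session, PAT the source, return the rewritten packet."""
        src_ip, src_port, dst_ip, dst_port = pkt
        gport = self.xlate.allocate((src_ip, src_port))
        translated = (self.xlate.global_ip, gport, dst_ip, dst_port)
        self.sessions.add(translated)
        return translated

    def inbound(self, pkt: Pkt) -> Tuple[str, Optional[Pkt]]:
        """Outside -> inside: xlate lookup first, then (unless bypassed) session lookup."""
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.xlate.rev.get(dst_port) if dst_ip == self.xlate.global_ip else None
        if inside is None:
            return "drop:no-xlate", None          # nothing to un-PAT to
        # Session key is the outbound 4-tuple, so swap the reply's ends to look it up.
        if not self.tcp_state_bypass and (dst_ip, dst_port, src_ip, src_port) not in self.sessions:
            return "drop:no-session", None
        return "pass", (src_ip, src_port, inside[0], inside[1])


GLOBAL_IP = "203.0.113.10"                          # constructed PAT address reachable via both ISPs
CLIENT = ("10.1.1.50", 40000, "198.51.100.7", 80)   # constructed inside host -> web server


def build_pair(shared_xlate: bool, bypass: bool) -> Tuple[Firewall, Firewall]:
    if shared_xlate:
        table = XlateTable(GLOBAL_IP)
        return Firewall("fw1", table, bypass), Firewall("fw2", table, bypass)
    return (Firewall("fw1", XlateTable(GLOBAL_IP), bypass),
            Firewall("fw2", XlateTable(GLOBAL_IP), bypass))


def asymmetric_reply(shared_xlate: bool, bypass: bool) -> Tuple[str, Optional[Pkt]]:
    """Client goes out through fw1; the server's reply comes back through fw2."""
    fw1, fw2 = build_pair(shared_xlate, bypass)
    out = fw1.outbound(CLIENT)
    reply = (out[2], out[3], out[0], out[1])      # server answers the PAT address/port
    return fw2.inbound(reply)


def colliding_reply() -> Tuple[str, Optional[Pkt]]:
    """Independent PAT pools on one global IP: fw2 may already own the same port for another host."""
    fw1, fw2 = build_pair(shared_xlate=False, bypass=True)
    other = ("10.1.1.99", 50000, "192.0.2.20", 443)   # constructed second inside host
    fw2.outbound(other)                               # fw2 hands port 1024 to 10.1.1.99
    out = fw1.outbound(CLIENT)                        # fw1 also hands port 1024 to 10.1.1.50
    reply = (out[2], out[3], out[0], out[1])
    return fw2.inbound(reply)                         # passes, but to the wrong inside host


if __name__ == "__main__":
    for shared, bypass in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"shared xlate={shared!s:5} bypass={bypass!s:5} ->", asymmetric_reply(shared, bypass))
    print("independent pools, same port reused:", colliding_reply())
```

In this model, turning on the bypass flag alone changes nothing: the reply still dies at the xlate lookup on the firewall that never built the translation. With independent PAT pools behind one global address the outcome is worse than a drop, because the second firewall can reuse the same port for a different inside host and un-PAT the reply to that host. Only when the translation state is shared between the two units and the session check is also relaxed does the asymmetric reply reach the right client, which is why the question of xlate state cannot be separated from the session state question.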