Valid redundant dual-homed ISP config with ASA?????

Feb 22nd, 2008

Hey all,

A client for whom I have to configure only the switches wants the following:

There are two internet connections from two ISPs. The primary internet connection is the 'live' connection, the secondary is not used.

With the failure of a firewall or switch, the primary internet connection should still be used.

Only in an extreme case the secondary internet connection should be used.

The proposed config (not by me :)):

Internetconnection 1 > WAN-switch1 > ASA1 > DMZ-switch1 > ISA-server

Internetconnection 2 > WAN-switch2 > ASA2 > DMZ-switch2

WAN-switch 1 & 2 are interconnected

DMZ-switch 1 & 2 are interconnected

Only the DMZ-switch1 is connected to the ISA-server.

I'm not familiar with DMZs, but to me this is not a solid configuration.

The redundancy looked for is not achieved.

If WAN-switch1 fails, the secondary internet connection through WAN-switch2 has to be used.

If DMZ-switch1 fails, the connection to the entire outside world is gone.

Ditto if the single ISA-server dies.

Your ideas please,


PS. Do you know any good sites for recent topology examples?

Harald-Norvik Fri, 02/22/2008 - 08:19

Here is a suggestion - Assuming your two ASAs are in active/standby failover mode.

Physical connections: both ASAs will need two interface connections, one to WAN-switch 1 and another to WAN-switch 2. Interface names outside and backup, both security level 0. Do NOT connect WAN-sw1 and WAN-sw2 together, they handle two different external networks (ISP1 and ISP2).

Search on the technical site for the document called "ASA/PIX 7.x: Redundant or Backup ISP Links Configuration example".

DMZ-sw1 and DMZ-sw2 can be connected, and since the ISA probably has one interface card, you will have to configure the port on DMZ2 the same as the port on DMZ1. Thus if DMZ1 fails, you would manually move the connection to DMZ2.


jlaay-diode Sat, 02/23/2008 - 09:36

Hi Harald,

Thanks for your reply.

As an addition to the config

Does the following make things more understandable (or worse):

The WAN-switches, the ASAs and the DMZ-switches are all in the same (private-address) subnet.

I've added a .jpg.



or bad design?

Harald-Norvik Sat, 02/23/2008 - 23:18

Well, you cannot have all the devices in the same subnet unless the firewalls are in transparent mode. Here is the design I suggest you use:

Forget the two DMZ switches if you only have one device (the ISA) in the DMZ. Keep a cold spare switch in case the production switch fails.

I have attached a diagram of what I think you need to do. The two firewalls are in active/standby configuration. They both have one interface connected to each of the WAN switches. Since Wolk1 and Wolk2 are in two different subnets (external addresses) you should not connect the two WAN switches together.

To be able to manage the two WAN switches, you can just make eth0/0 a trunk with two VLANs, one is the switch management while the other is the outside (external) subnet. In fact you have to do this on eth0/3 as well to manage the other WAN switch.

You will end up with these subnets in this configuration, where everything except the two outside segments (outside and backup) can have private addresses (according to rfc1918).

Inside, DMZ, Failover, Outside, Backup, WAN-management1 and Wan-Management2.

With some static nat you can always map the 3 switch IP addresses to addresses in the same subnet on the inside, the same with the ISA (DMZ) host.

jlaay-diode Sun, 02/24/2008 - 01:46

Hi Harald,

Thanks again.

Could you resend the diagram.

I think something went wrong.

Only a little piece of eth0/3 is visible.



Harald-Norvik Sun, 02/24/2008 - 09:15

Sorry Jaap, didn't realize this.

This diagram should be more complete. Let me know if I can be of more assistance.


jlaay-diode Mon, 02/25/2008 - 01:18

Hello Harald,

Thanks for the diagram and advice. It's quite helpful for me as a novice in this area.

As a result of your advice/answers I've dived into this forum further.

When I understand it correctly it is possible to have the same subnet for all devices, but only when the ASAs are in transparent mode. However, the NAT/PAT translation should then be done somewhere on the edge of the internet cloud before traffic hits the WAN-switches.

Can you tell me if there is a (security) reason for not linking the ASAs (failover interface)?

Are my assumptions correct?

And :) are there then other matters to consider?

Thanks for the time you put in answering my questions. I do appreciate it.



mikedelafield Mon, 02/25/2008 - 03:43


We have a setup similar to that described in this thread.

However I would like to know if such a configuration is possible with 2 different ISP providers?

How will the public address range on ISP1 switch over to ISP2 in the event of ISP1 being down?

Obviously we need our public addresses to be highly available?

jlaay-diode Mon, 02/25/2008 - 04:06

Hello Mike,

Concerning your question:

"How will the public address range on ISP1 switch over to ISP2 in the event of ISP1 being down?"

I can't answer because this is (not yet) my cup of tea.:)

But I'm just as curious as you about the answer.

Can it be done automatically or do we have to pick up the phone to arrange it with the providers and again if the cause of the problem has been solved?



Harald-Norvik Mon, 02/25/2008 - 07:04

Without using BGP you have a situation where you have to manage two different external IP address ranges from ISP1 and ISP2.


ISP1: (gateway .33 and ASA .34)

ISP2: (gateway .97 and ASA .98)

Your outside interface ip:

ip address

You backup interface ip:

ip address

For the outbound traffic it is easy:

global (outside) 1 interface

global (backup) 1 interface

nat (inside) 1

Follow the instructions in this link to set up the tracking process of the primary link and the default route:

Inbound services are not covered in the document, but you may want to have two MX records on your DNS, like

MX, 10, ISP1-ip

MX, 20, ISP2-ip

Then use a static like this:

static(inside,outside) ISP1-ip local-smtpserver-ip

static(inside,backup) ISP2-ip local-smtpserver-ip

If traffic flows through ISP1, your email server will answer for these flows.

When your ISP1 is down, a well behaved SMTP server will try ISP1-ip first, then ISP2-ip.

When it comes to www-services that you are hosting on the inside, you would have to manipulate DNS to be able to direct the traffic to the webserver on the active ISP link.

I hope this answers both your and Mike's questions?
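As an added example (not code from this thread, and not Cisco's), here is a small Python model of the behaviour Harald describes: the tracked default route that falls back to the backup ISP, interface PAT on both outside interfaces for outbound traffic, the per-interface statics for inbound mail, and the MX preference order a sending mail server follows. All addresses are constructed placeholders from RFC 5737 documentation ranges; only the host parts .33/.34 and .97/.98 follow the post, and the inside mail server address is invented.

```python
# Added example (not from the thread): a model of the dual-ISP ASA behaviour
# described above: a tracked default route that falls back to the backup ISP,
# interface PAT on both outside interfaces for outbound traffic, and
# per-interface statics plus MX preferences for inbound mail.
# Addresses are constructed from RFC 5737 documentation ranges; only the
# host parts (.33/.34 and .97/.98) follow the post.
from dataclasses import dataclass, field

ISP1_GW, OUTSIDE_IP = "192.0.2.33", "192.0.2.34"        # ISP1 gateway / ASA outside
ISP2_GW, BACKUP_IP = "198.51.100.97", "198.51.100.98"   # ISP2 gateway / ASA backup
LOCAL_SMTP = "10.0.0.25"                                # inside mail server (constructed)

@dataclass
class DualIspAsa:
    primary_up: bool = True   # state of the track on the primary link
    # static (inside,<if>) <public-ip> <local-ip>, keyed by interface
    statics: dict = field(default_factory=lambda: {
        "outside": {OUTSIDE_IP: LOCAL_SMTP},
        "backup": {BACKUP_IP: LOCAL_SMTP},
    })

    def default_route(self):
        """The tracked route via ISP1 wins while the track is up; otherwise
        the floating static (higher administrative distance) via ISP2 is used."""
        if self.primary_up:
            return ("outside", ISP1_GW)
        return ("backup", ISP2_GW)

    def egress(self, src_inside_ip):
        """Outbound: nat (inside) 1 plus global (<if>) 1 interface, i.e. PAT to
        the address of whichever interface currently holds the default route."""
        iface, gw = self.default_route()
        pat_ip = OUTSIDE_IP if iface == "outside" else BACKUP_IP
        return {"iface": iface, "next_hop": gw, "translated_src": pat_ip}

    def ingress(self, iface, dst_public_ip):
        """Inbound: a static on the arriving interface untranslates to the
        inside host; anything without a matching static is dropped (None)."""
        return self.statics.get(iface, {}).get(dst_public_ip)

def pick_mx(mx_records, reachable):
    """What a well-behaved sending MTA does: try MX hosts in ascending
    preference order and use the first one that answers."""
    for _pref, ip in sorted(mx_records):
        if reachable(ip):
            return ip
    return None
```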


mikedelafield Mon, 02/25/2008 - 07:16

Thanks for the prompt answer.

The only problem we have is that our software from client sites attaches to a single IP address (not a DNS address).

We potentially need the public addresses to be available or advertised through both ISPs in some kind of active/passive setup.

We have a similar solution provided by a single ISP. Multi-homed public IP addresses, but we would like to know if this is possible using separate ISPs?

I'm not sure how this can be achieved, if at all.


Harald-Norvik Mon, 02/25/2008 - 08:27

As far as I can see - only by using BGP.

This is a routing question and not really a firewall issue. The problem is that some device (a router) has to advertise the route with the subnet where your IP address resides to the different ISP routers on internet. When the primary link fails, you would advertise the same route through your backup ISP.

If you don't want to go down this path, ask your ISP if they can do something for you, however, your fault tolerance then depends on your ISPs availability.

Another way may be to rewrite the client application slightly, adding DNS name resolution and backup server addresses (like the Cisco VPN client).

Maybe you could have your clients use the Cisco VPN client instead? Then your clients would just attach to the inside IP (which always stays the same). A benefit would also be encryption of the data.


jlaay-diode Mon, 02/25/2008 - 23:45

Hi Harald,

Thanks for your help.

I will not pretend that I understand everything, but it might help to point my client in the right direction, offer alternatives.

Thanks again,


Harald-Norvik Mon, 02/25/2008 - 06:42

Hello Jaap


You are correct that you would need to address translate (NAT/PAT) at some point in this structure. If you use the ASAs in transparent mode, you need your NAT at a router towards the edge (like the WAN routers).

In your case, without any other devices than you have mentioned, you would need to NAT in the firewall, so transparent mode is not an option in this case.

2) Failover interface

The failover interface usually carries two different things: failover notification messages/hellos and state information. You can split this over two different interfaces, but that is not recommended in your simple configuration here.

Security wise, you don't want anyone to be able to do a packet capture on the state info, since this also contains IPSEC encryption keys. You can add encryption to prevent this.

It may be possible to use a VLAN on the inside interface, but then you have a scenario where the inside port/cable/switchport fails. It would behave as if the failover interface failed. This is why I recommend using a separate interface for this.

So, you need to link the firewalls to have active/standby failover.

See below for the answer on the external IP addresses.


