BGP Router and ASA5500 Redundancy with two separate offices

I have several business objectives that I would like to accomplish. They are:

#1 Provide redundant many-to-one NAT Internet access from both Edison and Montvale such that the outside source IP address remains in the same Class C address space and ideally using the same virtual IP address.

#2 Provide redundant one-to-one NATs for external clients to access hosts in a shared Edison/Montvale DMZ.

#3 Provide a redundant client F/W to F/W IPSEC tunnel allowing client access to DMZ assets.

#4 Provide redundant F/W to F/W stateful inspection synchronization. The primary method is via the 100MB TLS circuit using switch-to-switch 802.1Q trunking. The alternate method is an Internet IPSEC F/W to F/W tunnel.

#5 Provide a redundant and secure backup of the private 100MB TLS circuit via an Internet router-to-router GRE tunnel. (Note!!! Overlap of #4 and #5.)

Please see the attached Visio 2007 document and the identical BMP file for those w/o Visio. I am getting FULL BGP routes into the 7204's. I can use GLBP for Active / Active on the load balancing. I am using OSPF as my interior routing protocol. Not sure if I need to carry OSPF inside of the ASA5500, nor if I can construct an Active / Active ASA5550 scenario. It's been a while since I played with PIX's. So, basically I don't know what I don't know, and am very concerned about having a failure that orphans both sites. Any lessons learned to help me with this design would be greatly appreciated.

drolemc Sat, 11/15/2008 - 19:23

While you are designing failover configuration please verify the features. The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.

Multiple context mode does not support these features:

Dynamic routing protocols: security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.

For further information click this link.

Mohamed Sobair Sun, 11/16/2008 - 22:35

I would design it as follows:

1- Set up multiple HSRP groups (MHSRP), or 2 HSRP groups, making one of the FWs the primary GW for Edison's backbone and the second FW the primary GW for Montvale's backbone. (This will ensure GW redundancy as well as load balancing the traffic.)

2- Make both ASAs Active/Active in multiple context mode, since you have services on both that need to be accessed and you want a redundant design with load sharing. (Make sure both have identical hardware & software capabilities.) Supported versions start from 6.2 (appropriate is 7.0).

3- Have at least a subnet of 16 (/28 bit mask) of public IP addresses; those will be used to connect the FWs' outside interfaces with their respective 7204 GWs on both routers, besides the redundant one-to-one NATs for the servers at the DMZs. Both of the FWs should have a primary 7204 GW and the second 7204 as secondary GW by configuring 2 default routes, with one as a backup interface. This will ensure that if one of the GWs fails, the secondary takes over.

4- Have an IBGP session between both 7204 routers; this would ensure that if one of the WAN links to either 7204 fails, the traffic is rerouted through the second GW.

5- Configure an IPsec tunnel between both FWs allowing access to both DMZs' assets for the clients.
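The following ASA configuration sketch is an added example, not from either poster, of the Active/Active, multiple-context design described in the two replies above: one context per site, each joined to the failover group that is active on its local unit, and static default routes in the contexts because OSPF is unavailable in multiple context mode. Context names, interface names, the failover link, and all addresses are assumptions (192.0.2.0/28 is a documentation range standing in for the public /28), and the tracked static route assumes ASA 7.2 or later.

```cisco
! Added example (not from the thread): system execution space of the
! primary ASA. Interface names, context names and addresses are assumed;
! 192.0.2.0/28 is a documentation range standing in for the public /28.
mode multiple
!
! Failover and state link, assumed on GigabitEthernet0/3 across the TLS trunk
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Group 1 is normally active on this unit (Edison), group 2 on the peer
! (Montvale); preempt returns a group to its home unit after recovery.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! One context per site, each joined to the group active on its local box.
! Subinterfaces are assumed to be defined already in the system space.
context EDISON
  allocate-interface GigabitEthernet0/0.10 outside
  allocate-interface GigabitEthernet0/1.10 inside
  config-url disk0:/EDISON.cfg
  join-failover-group 1
context MONTVALE
  allocate-interface GigabitEthernet0/0.20 outside
  allocate-interface GigabitEthernet0/1.20 inside
  config-url disk0:/MONTVALE.cfg
  join-failover-group 2
failover
!
! Inside the EDISON context (changeto context EDISON, then configure mode).
! OSPF is unavailable in multiple context mode, so the default route is
! static: tracked toward the local 7204, with a higher-metric backup toward
! the other site's 7204 (static route tracking needs ASA 7.2 or later).
sla monitor 1
  type echo protocol ipIcmpEcho 192.0.2.1 interface outside
  frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside 0.0.0.0 0.0.0.0 192.0.2.2 254
```

The backup route only installs when the tracked route is withdrawn, so without tracking (or with equal metrics and no monitor) a dead primary 7204 would silently black-hole the context's outbound traffic; check with `show route` and `show failover` after a test failover.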