ASA's and BGP

Unanswered Question
Jun 18th, 2009
User Badges:

This is more of a design question than a technical question. I have inherited a network that uses BGP with two ISP's. Each ISP has an individual firewall (context) assigned to incoming traffic. We have a 6509 in our core that routes internal traffic to one firewall's internal interface.

My question is--what happens if the ISP fails that has the 6509 routing default traffic to it? Is there a way to use some protocol (HSRP-esque) so both ASA's have only one internal IP and the 6509 can route all traffic to either one if an ISP fails? Would it be better to use one firewall with two external interfaces and one internal interface? Are there any whitepapers from Cisco with a similar configuration to this?

Any help would be greatly appreciated. Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sigmacisco Thu, 06/18/2009 - 07:36
User Badges:

So if we were to redesign the ASA's, would it make sense to have ONE context pointing to both VIP's in BGP with one internal interface? Is that even possible? Seems like there would be more documentation out there for situations like this.

Collin Clark Thu, 06/18/2009 - 07:46
User Badges:
  • Purple, 4500 points or more

Can you post a diagram? I want to make sure I understand your topology.

sigmacisco Thu, 06/18/2009 - 08:08
User Badges:

Sure, here is the basic design. I changed the IP's to private IP's, but you will get the idea.

We get default routes from ISP2 because we do not own a full class C for that connection, we do for the other (ISP1)

Collin Clark Thu, 06/18/2009 - 10:26
User Badges:
  • Purple, 4500 points or more

Here's what I would do-

Remove the contexts or if you need multiple contexts, use a single one for the internet access. Since there are two VIP's on the internet routers, you can point the default route on the ASA to either VIP. Luckily you're running iBGP which will take care of any ISP failures. If you must keep this current design, check the IPSLA link I sent earlier for routing around a firewall failure.

sigmacisco Thu, 06/18/2009 - 12:44
User Badges:

That makes sense, thanks for the advice!

Any other ideas?

Collin Clark Thu, 06/18/2009 - 12:47
User Badges:
  • Purple, 4500 points or more

We had a design similiar to this and I finally fixed it last weekend. The real kicker is usually people don't run iBGP between their routers, but you are, so that covers the big ticket items. I also have two HSRP groups, which makes no sense to me, but I can't afford the outage if I removed one of them.


This Discussion