Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
777
Views
0
Helpful
7
Replies

ASA's and BGP

sigmacisco
Level 1
Level 1

‎06-18-2009 05:51 AM - last edited on ‎03-25-2019 03:24 PM by Community Manager

This is more of a design question than a technical question. I have inherited a network that uses BGP with two ISP's. Each ISP has an individual firewall (context) assigned to incoming traffic. We have a 6509 in our core that routes internal traffic to one firewall's internal interface.

My question is--what happens if the ISP fails that has the 6509 routing default traffic to it? Is there a way to use some protocol (HSRP-esque) so both ASA's have only one internal IP and the 6509 can route all traffic to either one if an ISP fails? Would it be better to use one firewall with two external interfaces and one internal interface? Are there any whitepapers from Cisco with a similar configuration to this?

Any help would be greatly appreciated. Thanks!

Labels:
0 Helpful
7 Replies 7

Collin Clark
VIP Alumni
VIP Alumni

‎06-18-2009 06:23 AM

Interesting design. Without completely overhauling the ASA and internet edge (may be the best solution?), you could use IP SLA.

https://packetpros.com/cisco_kb/IP_SLA.html

0 Helpful

sigmacisco
Level 1
Level 1
In response to Collin Clark

‎06-18-2009 07:36 AM

So if we were to redesign the ASA's, would it make sense to have ONE context pointing to both VIP's in BGP with one internal interface? Is that even possible? Seems like there would be more documentation out there for situations like this.

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to sigmacisco

‎06-18-2009 07:46 AM

Can you post a diagram? I want to make sure I understand your topology.

0 Helpful

sigmacisco
Level 1
Level 1
In response to Collin Clark

‎06-18-2009 08:08 AM

Sure, here is the basic design. I changed the IP's to private IP's, but you will get the idea.

We get default routes from ISP2 because we do not own a full class C for that connection, we do for the other (ISP1)

Preview file
24 KB
0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to sigmacisco

‎06-18-2009 10:26 AM

Here's what I would do-

Remove the contexts or if you need multiple contexts, use a single one for the internet access. Since there are two VIP's on the internet routers, you can point the default route on the ASA to either VIP. Luckily you're running iBGP which will take care of any ISP failures. If you must keep this current design, check the IPSLA link I sent earlier for routing around a firewall failure.

0 Helpful

sigmacisco
Level 1
Level 1
In response to Collin Clark

‎06-18-2009 12:44 PM

That makes sense, thanks for the advice!

Any other ideas?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to sigmacisco

‎06-18-2009 12:47 PM

We had a design similiar to this and I finally fixed it last weekend. The real kicker is usually people don't run iBGP between their routers, but you are, so that covers the big ticket items. I also have two HSRP groups, which makes no sense to me, but I can't afford the outage if I removed one of them.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card