HSRP and ASA Firewall

Answered Question
Jul 25th, 2009

Hi Experts,

I request your expert help to give a solution to the issue I am encountering here. The detailed explanation is below.

I have 2 Cisco Routers connecting to ISP-1 & ISP-2 as shown in the diagram attached.

I want to use both ISPs actively, so the solution opted for is:

1. HSRP with 2 instances

2. My customer strictly said GLBP should not be implemented for various reasons. So I cannot use GLBP.

3. When I created 2 instances, I get 2 Virtual IP addresses, say for example 192.168.1.100 & 192.168.2.100.

4. But the restriction is that in the ASA FIREWALL only one default gateway (the first entry) is active. The other default gateways are dormant.

Hope my explanation is clear and to the point. Please guide me: is there any other industry practice to solve this case?

Thanks in advance

Sairam

Roman Rodichev Sat, 07/25/2009 - 20:14

You don't need HSRP here. If you just want to load balance, simply configure two static default routes on the ASA:

route outside 0.0.0.0 0.0.0.0 192.168.0.1

route outside 0.0.0.0 0.0.0.0 192.168.0.2

ASA will load balance across these two gateways.

To achieve failover, you could do some things on the routers. Configure an IGP between them, configure static defaults to the outside, and inject those defaults. If the outside interface fails, the static will disappear and one router will reroute to the other router.

You could also configure OSPF/EIGRP/RIP routing between the ASA and the two routers. It will receive two defaults and load balance.

The bigger question is where are you NATing? On the ASA or the routers? If NATing on the ASA, are both ISP connections to the same ISP? Is BGP involved?

Regards,

Roman

snarayanaraju Sat, 07/25/2009 - 20:40

Hi Roman,

Thanks for your prompt reply.

You said,

route outside 0.0.0.0 0.0.0.0 192.168.0.1

route outside 0.0.0.0 0.0.0.0 192.168.0.2

ASA will load balance across these two gateways.

But I have done enough testing and also got confirmation from Cisco TAC (some months back for a different case) that the ASA will use the first default route (in our case "route outside 0.0.0.0 0.0.0.0 192.168.0.1") and keep the second default route in sleeping mode.

That is where the issue started. Please clarify this point.

Moreover I am not using BGP or IGP as of now. NAT will be done on Router only.

Thanks Roman. Looking forward to your expert comment.

Sairam

Correct Answer
Roman Rodichev Sat, 07/25/2009 - 20:46

This is right from Cisco's ASA 8.0 config guide:

-----------------------------

"Next Hop Selection Process

After selecting egress interface using any method described above, an additional route lookup is performed to find out suitable next hop(s) that belong to previously selected egress interface. If there are no routes in routing table that explicitly belong to selected interface, the packet is dropped with level 6 error message 110001 "no route to host", even if there is another route for a given destination network that belongs to different egress interface. If the route that belongs to selected egress interface is found, the packet is forwarded to corresponding next hop.

Load sharing on the security appliance is possible only for multiple next-hops available using single egress interface. Load sharing cannot share multiple egress interfaces."

---------------------------

"Load sharing" is possible only for "multiple next-hops" on the "single egress interface".

Two 0.0.0.0 routes to two next-hops on the same outside interface will load share.

Unless there is a bug that TAC knows about. Did you try it and it didn't behave this way?

TAC might be talking about load balancing across two separate interfaces. You have one interface. Yes, if you have two outside interfaces, then one default is on standby using IP SLA.

If this is really not possible, then turn your outside switch into an L3 switch (hopefully it's at least a 3550). Configure a /30 between the ASA and the L3 switch. Configure a /30 between the L3 switch and the first router. Configure a /30 between the L3 switch and the second router. Enable OSPF, RIP or EIGRP. Your ASA will see one dynamic 0.0.0.0 pointing to the L3 switch, and the L3 switch will load balance.

Regards,

Roman
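As an added example (not from the thread or any of its participants), here is one way to build the L3-switch design Roman describes in the post above, with the ASA learning its default over OSPF as his earlier post suggests. Every address, interface name, router-id and OSPF process number is an assumption; the ISP next hops use documentation ranges and are constructed. NAT stays on the routers, as the original poster stated, so each router's ISP-facing NAT returns replies through the same router that forwarded the flow.

```cisco
! ---- ASA (assumed ASA 8.x; addresses and interface names are assumptions) ----
! One outside interface on a /30 toward the L3 switch, so the ASA holds exactly
! one next hop for 0.0.0.0/0 and the "dormant second default" question goes away.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
router ospf 1
 network 10.0.0.0 255.255.255.252 area 0
!
! ---- L3 switch (IOS, e.g. a 3560; addresses are assumptions) ----
ip routing
!
interface GigabitEthernet0/1
 description to ASA outside
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 description to Router-1 (ISP-1)
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet0/3
 description to Router-2 (ISP-2)
 no switchport
 ip address 10.0.2.1 255.255.255.252
!
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0
 network 10.0.2.0 0.0.0.3 area 0
 maximum-paths 2
!
! ---- Router-1 (IOS). Router-2 is identical with 10.0.2.2 on the switch-facing
! link and its own ISP next hop (198.51.100.1, constructed). ----
interface GigabitEthernet0/0
 description to ISP-1
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to L3 switch
 ip address 10.0.1.2 255.255.255.252
!
! Static default toward ISP-1 (203.0.113.1 is a constructed documentation address).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
router ospf 1
 router-id 10.0.1.2
 network 10.0.1.0 0.0.0.3 area 0
 passive-interface GigabitEthernet0/0
 default-information originate
```

With both routers originating an external default of equal metric, `show ip route 0.0.0.0` on the switch should list both router next hops, and `show route` on the ASA should show a single OSPF external default via 10.0.0.1. `passive-interface` keeps OSPF off the provider-facing link, and `default-information originate` (without `always`) withdraws a router's default as soon as its static toward the ISP leaves the routing table, which gives the failover behaviour Roman describes: the switch then forwards everything to the remaining router. IOS CEF load sharing is per-destination by default, so a given flow stays on one router rather than being split packet by packet across both NAT devices.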

snarayanaraju Sat, 07/25/2009 - 21:37

Hi Roman,

It is indeed great information you provided for me. Thanks, and I appreciate you.

When I was searching for GLBP with SNAT, I saw your post saying you have some tricks to configure GLBP with SNAT. If it is not a problem, can you share those ideas with me?

THANKS

Sairam
