two firewalls and two different ISP failover setup

Unanswered Question
Dec 7th, 2009

I would like to configure two firewalls on two different ISP as a failover setup.

I normally set the firewalls as primary and standby.

The goal would be to detect the outage and failover to the secondary but I do not want the configurations sync because of different network IP settings from the different firewalls.

Active Active would be fine but I only want to use one block of routable IP addresses which is through the primary. BGP is not an option or configuration of the internet routers.

Can someone please provide me some failover options that I can use in this setup?

Is a partial primary / standby configuration an option?

In a nutshell, I only want the inside interface to sync.

resoares Tue, 12/08/2009 - 09:37
User Badges:
  • Cisco Employee,

Hi Juan,

Try to use the OSPF internally between your two ASAs and redistribute the default route with different metrics.

Best Regards,

juan-ruiz Tue, 12/08/2009 - 10:04

Hi Renato,

I think I will connect ISP A Firewall to ISP B firewall over a dedicated Ethernet interface and use SLA to monitor the WAN IP of ISP A and send the default route to ISP B if the ISP A WAN is not reachable.

For the servers I will configure multiple gateways and workstations use DHCP to deploy multiple gateways.

The primary Gateway will be ISP A and secondary will be ISP B.

The high-level design is dual ISP, dual Firewalls, and dual internal switches.

The switches do not support OSPF, only basic routing, and no gateway redundancy such as HSRP or VRRP.

My main concern is the gateway redundancy for the access devices internally.

Any thoughts?
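An added ASA configuration sketch of the SLA-tracked default route that Juan describes above; it is not from his post or from Cisco. The interface names (outside, backup), the addresses (203.0.113.1 as a probe target behind ISP A, 192.168.100.2 as the ISP B firewall on the dedicated link) and the timers are assumed values for illustration.

```cisco
! Probe a target that is only reachable via ISP A, sourced from the
! outside interface, so the probe fails when the ISP A path is down.
! Probing the ISP router's own WAN IP only proves the first hop is up;
! a target further out catches an upstream outage as well.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Tracked object 1 follows the reachability result of SLA 10.
track 1 rtr 10 reachability

! Primary default route (metric 1) is installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Floating default route toward the ISP B firewall over the dedicated
! Ethernet link; its high metric (254) keeps it out of the table until
! the tracked primary route is withdrawn.
route backup 0.0.0.0 0.0.0.0 192.168.100.2 254
```

Verify the state with `show sla monitor operational-state 10`, `show track 1` and `show route`; when the probe fails, the tracked route disappears and the metric-254 route appears as the active default.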



resoares Tue, 12/08/2009 - 10:20
User Badges:
  • Cisco Employee,

Hi Juan,

As your switches don't have L3 support, it is mandatory to use an L3 device between your ASAs and your L2 switches.


