
two firewalls and two different ISP failover setup

juan-ruiz
Level 1

I would like to configure two firewalls on two different ISP as a failover setup.

I normally set the firewalls as primary and standby.

The goal would be to detect the outage and fail over to the secondary, but I do not want the configurations to sync because of the different network IP settings on the different firewalls.

Active/Active would be fine, but I only want to use one block of routable IP addresses, which is through the primary. BGP is not an option, nor is configuration of the internet routers.

Can someone please provide me some failover options that I can use in this setup?

Is a partial primary / standby configuration an option?

In a nutshell, I only want the inside interface to sync.

Thanks,

Juan

3 Replies

resoares
Cisco Employee

Hi Juan,

Try to use the OSPF internally between your two ASAs and redistribute the default route with different metrics.

Best Regards,

Hi Renato,

I think I will connect ISP A Firewall to ISP B firewall over a dedicated Ethernet interface and use SLA to monitor the WAN IP of ISP A and send the default route to ISP B if the ISP A WAN is not reachable.

For the servers I will configure multiple gateways, and for workstations I will use DHCP to deploy multiple gateways.

The primary Gateway will be ISP A and secondary will be ISP B.

The high-level design is dual ISP, dual Firewalls, and dual internal switches.

The switches do not support OSPF, only basic routing, and no gateway redundancy such as HSRP or VRRP.

My main concern is the gateway redundancy for the access devices internally.

Any thoughts?

Thanks,

Juan
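
The SLA-tracked default route described in the post above could look like this on the ISP A firewall. This is an added example, not configuration posted in the thread; the interface names, the `xlink` cross-connect and all addresses (RFC 5737 documentation ranges) are assumptions, and the probe target is assumed to be the ISP A next hop.

```cisco
! Firewall A (ISP A side). Constructed example: every address and
! interface name below is a placeholder, not a value from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Dedicated Ethernet link to firewall B (ISP B side)
interface GigabitEthernet0/2
 nameif xlink
 security-level 50
 ip address 192.0.2.1 255.255.255.252
!
! ICMP probe toward the ISP A next hop, sourced from the outside interface.
! Three echoes every 10 seconds, each with a 1000 ms timeout.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is up only while the probe above gets replies
track 1 rtr 10 reachability
!
! Primary default route: installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating default route over the cross-link to firewall B.
! Administrative distance 254 keeps it out of the routing table
! until the tracked route above is withdrawn.
route xlink 0.0.0.0 0.0.0.0 192.0.2.2 254
!
! Firewall B has to permit and translate this traffic itself,
! since the two units do not share configuration or addressing.
```

`show track 1` and `show route` on firewall A show whether the probe is up and which default route is currently installed.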

Hi Juan,

As your switches don't have L3 support, it is mandatory to use L3 equipment between your ASAs and your L2 switches.

Br,
