Internet Routing Setup Question

Unanswered Question
Apr 8th, 2010

Hi,


Currently I have two ASAs at the edge of my network connecting to one ISP via a static route. Going forward I'm going to have two different ISPs with two routers sitting in between the firewalls and the ISPs. On the internal interface of the routers, i.e. those pointing towards the firewalls, I'm going to put an HSRP address. My questions are:


1. Shall I change the default route on the firewall to point to the HSRP address on the routers? What will the router do once it receives something destined to the internet from the firewall?


2. I have VPNs set up on the firewall; will they be impacted by the default route change?


Thanks for your help

Dan

Jon Marshall Thu, 04/08/2010 - 08:06


Dan


Bit of a tricky one, this. If your public addressing is ISP independent then this setup is relatively easy. But if you get one block of IPs from ISP1 and a different block from ISP2, which block will you use for your firewalls, for your NATted servers etc.?


Also outbound traffic: if you have 2 ISPs, do you want to NAT on the routers instead of the firewalls now?


Jon

dan_track Thu, 04/08/2010 - 08:33

Ohh damn, I didn't think of the NATting, well spotted. I don't have ISP independent IPs, I've got two blocks. What's the best way to do this?


I'm thinking of leaving the setup as is as much as I can and only doing enough changes to get the system to work, so maybe do NATting to the new ISP IPs on the router. The firewalls will still remain on the original ISP setup if this is easy enough.


I'm sweating now, this looks like some serious hard work.


Thanks

Dan

Jon Marshall Thu, 04/08/2010 - 08:48

Dan


It is hard work.


The problem you have is how to utilise the new ISP's addressing, because you probably already have static NATs etc. set up in place with the existing ISP's addressing. So all traffic for these servers etc. will come in via the existing ISP link and not the new one.


There are a number of approaches, but unfortunately because of VPNs you are restricted. ASA firewalls do not support active/active contexts, which is a nice approach when you use VPNs.


You could just use the new addressing for other servers etc., but without provider independent addressing you are not really providing any failover, because if ISP1 goes down any servers etc. NATted to their IPs will be unreachable, as ISP2 is unlikely to advertise a small part of ISP1's address space out.


You also get asymmetric routing, because traffic might come in via one ISP and go out via the other. Not necessarily a problem as long as you don't have any devices trying to keep state, which you don't. The firewalls don't count because they are behind the routers.


Alternatively, if you have a pair of ASA firewalls you could split them up and use one for one ISP and the second for the other ISP. This would allow you to control which traffic went where, i.e. outbound internet access goes via new ISP2 and inbound server traffic via ISP1, with the VPNs going to either one or the other. And the VPN client can usually be pointed to 2 gateways to try, so you would get some level of redundancy.


But the big drawback is obviously that you have lost redundancy for your firewalls, which is not insignificant.


The first thing you need to do is decide what exactly you want to provide, i.e. redundancy, more bandwidth etc.


Sorry to be just listing problems, but without advertising your addressing through both ISPs it is complex.


Jon

dan_track Thu, 04/08/2010 - 08:59

Hi Jon,


Many, many thanks. I've set myself up here for some serious work; the only plus side is I may learn quite a bit. With regards to VPN, if I do fail over to the new ISP I can afford to lose the VPNs for a while without an issue, so let's take that out of the picture and deal with just the internet connection. What is the best way to do this?


I'm also going to apply for ISP independent IPs from RIPE so that later on I'll re-address this.


Thanks again.

Dan

Jon Marshall Thu, 04/08/2010 - 10:20


Dan


If you use HSRP on the routers you will always go out of the same router using the same ISP. You could run a routing protocol between the ASAs and the routers; then the firewall would see 2 equal-cost paths to the internet.


Alternatively you could use HSRP and point the ASAs to the HSRP VIP. Then have the outbound user internet traffic just go via the active HSRP router. Make the active HSRP router the new ISP's and NAT the user traffic on your firewall to one of the new ISP addresses. The default route on your firewall would point to the active router.


For the existing servers etc. that are NATted, leave them on the existing IP addresses, and when traffic comes in via the standby router NAT the source IPs to the inside interface of that router. Then return traffic will go back to that router and not use the default route on the firewall. I have never done this and it doesn't sound very clean, but it might help you come up with some better ideas of your own.


Or you could look at using PBR on the router, and based on the source IP, which you will know because you are doing the NATting on the firewall, you could send the traffic out of one router or another.


The key thing is you have some flexibility with the outbound user traffic, because they don't care what they are NATted to, so you could try and use one of the new IPs for them. With the inbound traffic you are restricted, because presumably you have DNS entries on the internet for these and perhaps certificates as well.


Me and Giuseppe were involved in a similar thread a while ago and there is an Enterprise multihoming white paper, so I'll see if I can dig it out, but I think a lot of it relied on being able to advertise both address ranges through both ISPs.


Jon
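Jon's HSRP-plus-PBR idea above, written out as a constructed IOS configuration for the new-ISP router (R2, the HSRP active). This is an added example, not configuration from the thread or from Cisco; all addresses are RFC 5737 documentation placeholders, and it assumes the ASAs keep doing the NAT (existing static NATs in the ISP1 block, user traffic NATted to an ISP2 address), with R1 running the same HSRP group at the default priority of 100 and no PBR.

```cisco
! Constructed example for R2 (ISP2 router, HSRP active). Not from the thread.
! Assumed addressing (placeholders only):
!   inside transit 10.0.0.0/29: VIP 10.0.0.1, R1 10.0.0.2, R2 10.0.0.3, ASA outside 10.0.0.4
!   ISP1 block (existing, used by the firewall's static NATs) 192.0.2.0/24, R1 is its egress
!   ISP2 block (new, used for user NAT on the firewall) 198.51.100.0/24, routed to R2
!   ISP2 uplink 203.0.113.0/30: R2 203.0.113.2, ISP2 next hop 203.0.113.1
!
! Probe the ISP2 next hop; if it stops answering, R2 drops its HSRP priority
! below R1's so the VIP (and the firewall's default route) moves to R1.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Packets already carrying ISP1 addresses (replies from the static-NATted servers)
! must leave via R1; sending them to ISP2 would source ISP1 space from ISP2's link.
ip access-list extended ISP1-SOURCED
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map EGRESS-SELECT permit 10
 match ip address ISP1-SOURCED
 set ip next-hop 10.0.0.2
! Anything not matched by the route-map uses the routing table, i.e. the ISP2 default.
!
interface GigabitEthernet0/0
 description Inside, towards the ASA pair
 ip address 10.0.0.3 255.255.255.248
 ip policy route-map EGRESS-SELECT
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
interface GigabitEthernet0/1
 description Uplink to ISP2
 ip address 203.0.113.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

If R1 itself is down, the PBR next hop becomes unreachable and ISP1-sourced replies are dropped rather than rerouted, which is the lack of real failover for the ISP1-addressed servers that Jon describes; only provider-independent space advertised through both ISPs removes that.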
