High Availability and the ASA 5510


Hello all. 

...this is my first post here and I tend to be exceedingly verbose but please go easy on me.

Nevertheless, I appreciate ALL feedback whether terse or verbose (…but my little, CCNA-level brain will probably have a better chance at understanding your feedback or suggestions if they contain a good amount of detail). 

Please participate in this discussion, even if you only have a tiny configuration detail to add to all of this.

ALL feedback and/or suggestions will be appreciated! …REALLY!  

I know this post is somewhat lengthy, but please give it a good read-through and see if there is some way in which your experience and knowledge might be able to help me here.

THANK YOU VERY MUCH, in advance, for any help you can provide me here!

…so with that said…let’s get to it.

I have to deploy a kind of collapsed network "block" for a site which is something like a small data center.

The goal is to create a simple yet High-Availability (HA)/fault-tolerant network design that will give me the highest amount of trouble-free uptime as possible using ONLY the following devices:

-----------------------------------------------------------------------------------------------------------------------------------------

  • Two - 2811 routers for my WAN-side connectivity
  • Two - base ASA 5510s- i.e. with no expansion modules or additional ports
  • Two (or more if needed) - Cat 2960-24-TT-L switches for my server access layer

Note: Each server will be equipped with "teamed" NICs and I'm assuming the HA best practice would be to attach each server to two different access-layer switches but please let me know if you have a better idea on how this part of the network should be configured.  Each WAN router has a different connection to the Internet over a different circuit type (T1 and ADSL) but both go to the same ISP and will not be running an EGP.

-----------------------------------------------------------------------------------------------------------------------------------------

Given the constraints outlined above, what is the best way to cable and configure this network block for HA?

Obviously, if I had ASA 5550s, Cat 3750s or a pair of Nexus 7000s, etc, etc, etc, ...this would be a trivial task (...but a whole lot more expensive too)!

But given the specific devices I have to work with here, there will obviously be some design trade-offs.

At a high level, I imagine the network design should look something like what's shown in the attached picture, but my CCNA-level brain is having trouble figuring out some of the details required to actually implement this design in the real world.

So what are some ideas in the community about how to obtain maximum HA given the limitations of the hardware I have on-hand for this project?

For instance:

  1. Should I run the ASAs in Routed or Transparent mode? (I'm assuming Routed mode)
  2. I think I only need a single security context, so I'm thinking I'll run the ASA pair in Active/Standby (unless someone else out there has a clever design in mind that would use two or more security contexts and Active/Active).
  3. I'm thinking I should use HSRP on the LAN/Firewall-facing side of the 2811 routers to give my outbound traffic some kind of default gateway/next-hop redundancy/HA - What do you think?
  4. If I run the ASAs in a Routed - Active/Standby configuration, will this provide an acceptable level of default gateway/next-hop redundancy for my servers, or would my servers get better HA (e.g. lower fail-over/convergence times) if the firewalls were transparent and the HSRP VIP on the 2811s was the default gateway for the servers?
  5. Given the fact I only have 5 Ethernet interfaces on the ASA 5510s, where should I implement redundant interfaces and where should I go without (Inside, Outside, Fail-Over Control Link - I'm not planning to implement a DMZ here)?
  6. Given your opinion on the question above, what's the best way to cable all these devices together? For instance, if I use a redundant interface on the ASAs to create my logical Inside connection to the access layer, should I run both physical members of the redundant interface to the same access-layer switch or to different access-layer switches?

So given all of this, what do you think?  ...Curious minds want to know. 

THANKS AGAIN !

--Steve

Kureli Sankar Sat, 04/10/2010 - 20:17

This link has some samples:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935

  1. Should I run the ASAs in Routed or Transparent mode? (I'm assuming Routed mode)

Yes, routed mode, since this is Internet-facing and you would be doing NAT. NAT in transparent mode is only available starting with 8.0.2.

  2. I think I only need a single security context, so I'm thinking I'll run the ASA pair in Active/Standby (unless someone else out there has a clever design in mind that would use two or more security contexts and Active/Active).

active/standby


  3. I'm thinking I should use HSRP on the LAN/Firewall-facing side of the 2811 routers to give my outbound traffic some kind of default gateway/next-hop redundancy/HA - What do you think?

YES. Certainly.

  4. If I run the ASAs in a Routed - Active/Standby configuration, will this provide an acceptable level of default gateway/next-hop redundancy for my servers, or would my servers get better HA (e.g. lower fail-over/convergence times) if the firewalls were transparent and the HSRP VIP on the 2811s was the default gateway for the servers?


I don't see any diff. whether routed or transparent mode. It will be the same for the servers.


  5. Given the fact I only have 5 Ethernet interfaces on the ASA 5510s, where should I implement redundant interfaces and where should I go without (Inside, Outside, Fail-Over Control Link - I'm not planning to implement a DMZ here)?

You can use 2 interfaces - redundant for inside

You can use 2 interfaces - redundant for outside

management interface - failover interface and state


  6. Given your opinion on the question above, what's the best way to cable all these devices together? For instance, if I use a redundant interface on the ASAs to create my logical Inside connection to the access layer, should I run both physical members of the redundant interface to the same access-layer switch or to different access-layer switches?


To diff. switches.

-KS

snarayanaraju Thu, 12/23/2010 - 22:18

Kureli Sankar,

You may not remember me, but we interacted a couple of times when I contacted you for some TAC cases from Chennai, India. Hope you are doing well.

While reading this thread, I got more interested, as this question has been on my mind for a long time: how is the wiring done in an HA design when the access switch (inside zone of the FW), the ASA FW and the router (outside zone of the firewall) are connected?

Question 1: How will the redundant interface of FW-1 be connected to Router-2? Since both the primary interface and the secondary interface of the firewalls cannot share the same IP subnet, how is this wiring and routing achieved? I know we cannot bridge the primary and secondary interfaces in the firewall as we do in routers.

Question 2: Since the routers are connected in a criss-cross fashion, should I bridge the 2 interfaces of the routers and run HSRP? (This IP will be the default gateway for the ASA firewalls running in A/S.)

I believe you will spare your valuable time to share your expert ideas and experience on this

regards,

SAIRAM

Kureli Sankar Fri, 12/24/2010 - 06:56

Sairam,

I am doing well.

Question 1: How will the redundant interface of FW-1 be connected to Router-2? Since both the primary interface and the secondary interface of the firewalls cannot share the same IP subnet, how is this wiring and routing achieved? I know we cannot bridge the primary and secondary interfaces in the firewall as we do in routers.

Primary and Secondary firewall will have active and standby IP on the same subnet for each interface.

No two interfaces can share an IP address on the same subnet.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1028629

Example:

interface gigabitethernet0/1
   nameif inside
   ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
   no shutdown

Question 2: Since the routers are connected in a criss-cross fashion, should I bridge the 2 interfaces of the routers and run HSRP? (This IP will be the default gateway for the ASA firewalls running in A/S.)

Yes, HSRP is a good idea on the routers. The ASA will point to the HSRP IP address for its default gateway or route statement.

-KS
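Pulling the answers above together (redundant inside and outside interfaces, the management interface as failover/state link, active and standby IPs on the same subnet, default route to the routers' HSRP address), here is a primary-unit ASA 5510 configuration written as an added example; it is not from the thread or from Cisco's documentation. Hostname, VLAN layout, the failover key placeholder and all addresses (documentation ranges) are constructed, and it assumes ASA 8.2, single context, routed mode.

```cisco
! Primary ASA 5510, ASA 8.2, single context, routed mode (constructed example;
! all addresses are documentation ranges chosen for illustration).
hostname ASA-PRIMARY
!
! Member interfaces carry no nameif/IP of their own; the redundant interface does.
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
!
! Logical "inside": two physical members, one cabled to each 2960.
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
! Logical "outside": two physical members in the same outside VLAN as both
! 2811 LAN ports, so the routers can still exchange HSRP hellos (assumption).
interface Redundant2
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248 standby 203.0.113.4
!
! Management0/0 carries the failover link and the stateful link, as suggested
! above. It defaults to management-only on the 5510; clear that so it can be
! used for failover (assumption), and put it in a dedicated VLAN on the switch.
interface Management0/0
 no management-only
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Management0/0
failover link FOLINK Management0/0
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FAILOVER-KEY-PLACEHOLDER
failover
!
! Default route points at the HSRP virtual IP shared by the two 2811s, so a
! router failure does not require the ASA to learn a new next hop.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

The secondary unit needs only the failover commands (with `failover lan unit secondary`); the rest of the configuration replicates from the primary once failover is enabled on both.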

snarayanaraju Sat, 12/25/2010 - 02:19

Hi,

Thanks for your comments. "Romba nandri madam" .

To make this clearer, I made 2 sketches. Please find the attached diagrams.

1.  If the wiring is made as shown in Sketch 1,

          a)  What will be the IP address configured in GE-2 interface of ASA?

          b)  Whether it will be in the same security-level and Zone (OUTSIDE) of GE-1 interface ?

2. Looking at Sketch 2, are Link no. 1 (connecting ASA-1 and Router-2) and Link no. 2 (connecting ASA-2 and Router-1) required for a best-practice HA design? I see that all the design documents show this criss-cross link between routers and firewall.

I believe that in case of a failure of the link between ASA-1 & Router-1, ASA-2 will take the active role and the traffic will pass through ASA-2 ----> Router-2 -----> Router-1 ----> ISP-1

regards,

SAIRAM

Kureli Sankar Tue, 12/28/2010 - 09:47

1.  If the wiring is made as shown in Sketch 1,

          a)  What will be the IP address configured in GE-2 interface of ASA?

          b)  Whether it will be in the same security-level and Zone (OUTSIDE) of GE-1 interface ?

GE-2 should be configured on a completely different subnet than GE-1, according to your requirement. The security level also depends on your requirement. Most of the time, as soon as you issue the "nameif" command on the OUTSIDE interface, it will automatically configure the security level as zero. If you choose to leave it at 0 for GE2 as well, then if the GE1 and GE2 networks need to communicate, you need to implement the "same-security-traffic permit inter-interface" command.

If you need redundancy between GE1 and GE2 you can configure redundant interface.  You can read about it here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838

2. Looking at Sketch 2, are Link no. 1 (connecting ASA-1 and Router-2) and Link no. 2 (connecting ASA-2 and Router-1) required for a best-practice HA design? I see that all the design documents show this criss-cross link between routers and firewall.

No, you don't. Refer to this link: http://packetlife.net/media/forum/attachments/17/ASA-FO.jpeg

The link below has a configuration example of an active/standby ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1028629

It appears that you are planning on connecting the failover link using a crossover cable. I'd recommend carving out a separate VLAN on the switch for this purpose and connecting both ASAs to ports on this separate VLAN. The reason being, if the NIC were to go bad on one ASA, the other ASA's interface would show down/down also.

-KS
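For the router and switch side of the same design (the HSRP gateway the ASA points at, and the failover link on a dedicated switch VLAN instead of a crossover cable, both recommended above), here is an added example that is not from the thread; interface names, VLAN number, tracking decrement and documentation addresses are constructed, and Router-1 is assumed to hold the T1 on Serial0/0/0.

```cisco
! Router-1 (T1 circuit), LAN side facing the ASA outside interface.
! Preferred active router: higher priority, preempt, and a WAN-link track so
! it gives up the virtual IP when the T1 drops instead of black-holing traffic.
interface FastEthernet0/1
 description Outside VLAN toward ASA redundant outside interface
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0/0 20
!
! Router-2 (ADSL circuit): same virtual IP, lower priority, becomes active
! when Router-1 fails or its priority drops below 100 due to tracking.
interface FastEthernet0/1
 description Outside VLAN toward ASA redundant outside interface
 ip address 203.0.113.5 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
! Cat 2960: a dedicated VLAN for the ASA failover/state link so that a failed
! NIC on one ASA does not also take the peer's link down, as a crossover would.
vlan 999
 name ASA-FAILOVER
interface FastEthernet0/23
 description ASA-PRIMARY Management0/0 (failover link)
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
interface FastEthernet0/24
 description ASA-SECONDARY Management0/0 (failover link)
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
```

If the two ASAs' failover ports land on different 2960s, VLAN 999 must be carried on the trunk between them.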
