BGP Multihomed Dual ISP Dual Routers and Dual ASA

I have a client that is requesting redundant internet connections using 2 7204 routers to 2 ASA 5520s in an active/standby configuration. There is no load balancing requirement; this is strictly for failover. The issue that I am having is that I have to have 1 of their public IP addresses on the LAN side of the 7204 for the ASA connectivity. Because of this both routers advertise out their public subnet to the respective providers, but the issue is that when the WAN link on the primary router fails and traffic traverses the secondary WAN, the return traffic comes back in the secondary WAN and stops because it sees the link to the ASA as being up even though the ASA is in standby. No matter what route manipulations I do, a directly connected route is always going to be better. Can anyone help with a scenario on how I can get this to work? Below is a rough sketch:

Verizon------Router A (Primary)-----ASA A (Active)--------------Nexus1
                 |                      |                         |
                 | iBGP                 | Keepalive               | vPC link
                 |                      |                         |
AT&T---------Router B (Backup)------ASA B (Standby)-------------Nexus2


gatlin007

Do you have switching fabric between the ASA pair and the Internet routers? How is the ASA failover protocol propagating?

The ASA is a good firewall but a lousy router. If you aren't already using 'transparent mode' on the ASAs, consider it so they aren't involved in a routing decision. If your switch supports routing, turn up an IGP between the switch and the internet routers. In this configuration, if an internet uplink failed on router A, router B should see a LAN route from router A via an IGP.



Chris

The ASAs are connected via fiber converter. We are redistributing the default route from BGP into EIGRP, which the ASAs are participating in. The ASAs then redistribute the default route into the internal network.

If you execute a 'show fail' on ASA A, does it state that ASA A is 'Primary Active' and ASA B 'Standby Ready'? Also, is your outside interface in a normal state on both ASAs? I'm not sure the ASA failover will work properly if both outside interfaces are not in the same broadcast domain.

If you execute a 'show ip eigrp nei' on Router B, does it currently have an EIGRP adjacency with ASA B?  Does router B forward to ASA B based on a static route or an EIGRP route?


Thanks,

Chris

aman.diwakar

The ASAs and routers should be connected via a switch and be on the same VLAN on the outside interface of the ASA (inside for the routers).

The ASAs have a virtual IP (active IP) that is swapped between them; when the primary goes down, the secondary takes over, and it should be transparent for the router upstream to forward because it sees only one active IP address on its inside interface.

I think there are some constraints that need to be discussed with the customer, namely, the ASAs each obviously cannot have unique IPs on the outside interfaces, and your design would have to incorporate a schema whereby the routers' inside and the ASA outside are on the same subnet, and that subnet may have to be an RFC 1918 one.

How did this scenario end up? I am in a "like" implementation.

I have a simple answer which, as per me, should work in this scenario:

There are a couple of points that we need to consider before the solution:

- The ASAs are running in failover mode, so the config on both ASAs will sync up and, from a layer 3 perspective, there would be only one active IP address on both the inside and the outside.

- Both edge routers' inside interfaces and the firewalls' outside interfaces have to be on the same subnet, through a switch in between.

Now, to make it work, use HSRP on the edge routers with IP SLA tracking (for the ISP interface, or we can even track an IP in the ISP's cloud to keep a check on the Internet connectivity). I admit that it will not have the same kind of convergence as a routing protocol, but it's simple and will work.

The LAN is going to use the active ASA IP address as the gateway, both ASAs will be using the HSRP virtual IP as the gateway in their default route, and then the active router will send the traffic out to the internet.

Now for the return traffic, it will come back through the same router which sent it out, and no matter whether it's primary or secondary, it will simply send the return traffic to the active ASA's outside IP.

This does not involve any neighborship confusion; the only thing which I can point out is the single point of failure because of the L2 switch connecting these 4 devices. Even that can be taken care of by using dual switches, provided the customer/you are ready to shell out more bucks.

Hope it helps

Neeraj
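A worked configuration for the HSRP-plus-IP-SLA design described in the reply above, added here as an example and not taken from the thread or from any of the posters. Every address, interface name, VLAN number and tracked target is a placeholder from the documentation ranges; the ISP-side addressing and the choice of probe target are assumptions.

```cisco
!--- Added example (not from the thread). Placeholder addressing:
!---   VLAN 100 (router inside / ASA outside): 203.0.113.0/29
!---   HSRP VIP 203.0.113.1, Router A 203.0.113.2, Router B 203.0.113.3
!---   ASA active outside 203.0.113.4, ASA standby outside 203.0.113.5
!---   Verizon link 198.51.100.0/30, AT&T link 192.0.2.0/30 (assumed)

!===== Router A (primary) =====
! Tracking the ISP next-hop only catches a dead link. To also catch an
! upstream black-hole, point icmp-echo at a host deeper in the ISP cloud
! (the target used here is an assumption).
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description Verizon uplink
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description VLAN 100 toward ASA outside (shared with Router B)
 ip address 203.0.113.2 255.255.255.248
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 timers 1 3
 ! 110 - 20 = 90, below Router B's 100, so B becomes active on failure
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20
!
!===== Router B (backup) =====
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description AT&T uplink
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description VLAN 100 toward ASA outside (shared with Router A)
 ip address 203.0.113.3 255.255.255.248
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 timers 1 3
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20
!
!===== ASA pair (failover syncs this to the standby unit) =====
! Only the active unit answers on 203.0.113.4; the standby sits on .5.
! Both routers are directly connected to the same /29, so the
! "connected route always wins" problem from the original post
! disappears: whichever router receives return traffic just ARPs
! for .4 on VLAN 100 and hands it to the active firewall.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Verify with 'show standby brief' and 'show track 1' on each router and 'show failover' on the ASA. Two things to keep in mind: HSRP only moves the ASA's outbound default gateway; inbound failover still depends on each router's BGP advertisement being withdrawn when its ISP session drops. And return traffic that lands on the HSRP standby router is forwarded straight to the active ASA's .4 address without touching the VIP, which is fine because the ASA is stateful on its own connection table, not on which router delivered the packet.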

singh-hardeep

Hi ,

Actually, I am a newbie to this multihoming. I want to set up a lab where I can set up two ISP connections, one as primary and the second as a standby, but I want to configure it on one router or layer 3 switch. Can you please guide me on what commands I have to use to set these settings? Please mail me on deep6029@yahoo.co.in

Regards,

Hardeep Singh

Nick Cutting

iBGP can be with loopbacks, or the public addresses on VLAN 100.

This is a generic design; see below for layer 2, and then the layer 3.

Use route-maps to set local-pref, prepends, communities, etc.
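A worked BGP policy for the design sketched in the reply above (iBGP over loopbacks, route-maps for local-pref and prepends), added here as an example and not taken from the thread. The ASNs are from the documentation range and are not the carriers' real ones; the customer block, loopback and peer addresses are placeholders, and the assumption that each ISP hands over a default route is stated in the comments.

```cisco
!--- Added example (not from the thread). Placeholders:
!---   customer AS 64496, Verizon peer AS 64500, AT&T peer AS 64501
!---   (documentation ASNs, not the carriers' real ones)
!---   customer block 203.0.113.0/24, iBGP over loopbacks 10.0.0.1/.2
!---   Verizon peer 198.51.100.1, AT&T peer 192.0.2.1 (all assumed)
!---   Assumes each ISP sends a default route; anything else is dropped.

!===== Router A (primary, Verizon) =====
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Anchor for the network statement; the live /24 sits behind the ASA
ip route 203.0.113.0 255.255.255.0 Null0 250
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Higher local-pref than Router B's, so outbound prefers Verizon
route-map FROM-VZ permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
route-map TO-VZ permit 10
 match ip address prefix-list OUR-BLOCK
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to Verizon: accept only a default, announce only our block
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 route-map FROM-VZ in
 neighbor 198.51.100.1 route-map TO-VZ out
 ! iBGP to Router B; loopbacks must be reachable via the IGP
 ! (EIGRP in the original poster's network)
 neighbor 10.0.0.2 remote-as 64496
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 next-hop-self
!
!===== Router B (backup, AT&T) =====
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip route 203.0.113.0 255.255.255.0 Null0 250
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Lower local-pref: B forwards outbound via A's default as long as
! A still has one; when A's eBGP session drops, the AT&T default wins
route-map FROM-ATT permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
! Prepend so the Internet prefers the Verizon path inbound; once A
! withdraws the /24, the prepended AT&T path is all that is left and
! return traffic arrives at Router B
route-map TO-ATT permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 64496 64496 64496
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 route-map FROM-ATT in
 neighbor 192.0.2.1 route-map TO-ATT out
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 next-hop-self
```

Check the result with 'show ip bgp 0.0.0.0' on both routers (Router B should show the iBGP path with local-pref 200 as best) and 'show ip bgp neighbors 192.0.2.1 advertised-routes' on Router B to confirm the prepended AS path. Communities are deliberately left out: the values that make an ISP lower its local-pref for your prefix are published by that ISP, must be added with 'set community' plus 'neighbor ... send-community', and should not be guessed. Two caveats: the inbound switch happens only when Router A's eBGP session actually goes down, so a link that stays up while the carrier black-holes traffic needs tighter hold timers or BFD; and Router B still needs a working path to the active ASA for the returning packets, which is exactly the problem in the original post and the reason the routers' inside interfaces and the ASA outside interfaces belong in one shared subnet.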
