Adding an extra firewall with one internet feed (live/redundant)
I am new to these forums and hope you can help me.
We currently have one Cisco ASA 5540 firewall with one public network cable into it. It includes one line that is live, and if it fails the route switches automatically to the second line, so it works in a failover configuration.
We just purchased a secondary firewall for redundancy in case the first firewall fails, and I am not sure of the best way to set this up given that we only have one ISP feed that is already doing redundancy.
There are many designs that one can implement to achieve Internet redundancy - and then several variations of those same designs. Without knowing all the details it would be impossible to provide you a recommendation.
Starting from the beginning, you mentioned that you have (1) ISP. Are they providing you (2) physical connections (i.e. cables)?
If so - then you could configure your (2) ASA 5540s to act as an Active/Standby (or Active/Active) firewall pair/cluster. This would allow you to perform the following:
"Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network."
Look for 'Configuring Failover' on the Cisco website, under the ASA category, to obtain more information.
In my opinion, if I were the Network Admin, I would keep the complexity on the side of the ISP.
For example, I would request that the ISP provide a demarcation device that has multiple copper interfaces, and request that they provide me (2) copper RJ45 connections. That way you don't have to extend any more equipment past your firewalls (i.e. cost, single point of failure, administration).
Worst case scenario is that you put a switch between your ISP demarc and your firewall. Then you have (2) connections.
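To make the Active/Standby suggestion above concrete, here is a skeleton of what the failover section of the primary unit's configuration looks like. This is an added illustration written for this thread, not configuration from the original poster or from Cisco's documentation; the interface names (GigabitEthernet0/0 as outside, GigabitEthernet0/3 as the dedicated failover link), the logical name FOVER, the RFC 5737 addresses and the key are all assumed placeholders that have to be replaced with your own values. The secondary unit gets the same interface configuration (the standby addresses are what it takes over) with `failover lan unit secondary` instead of `primary`.

```text
! --- Assumed example, not from the original post. Primary ASA 5540 ---
! Outside interface: one of the two RJ45 drops from the ISP demarc
! (or from the switch in front of it). The standby unit owns the
! "standby" address until it becomes active, then it assumes the
! primary address and MAC, which is why upstream ARP does not change.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
! Dedicated failover + stateful link, a direct cable between the two
! units so that failover and connection-state traffic never crosses
! a production segment.
interface GigabitEthernet0/3
 description Failover/State link to secondary ASA
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! The key authenticates and encrypts failover traffic; without it the
! configuration (including secrets) is replicated in the clear.
failover key <replace-with-a-strong-shared-secret>
! Track the outside interface so a lost ISP drop on the active unit
! triggers a switchover rather than a silent outage.
monitor-interface outside
```

After both units are cabled and configured, `show failover` on either unit shows which is Active, which is Standby Ready, and the health of each monitored interface; if the outside interface shows "Waiting" or "Failed" on one unit, check that both RJ45 drops really land on the same Layer 2 segment, since the standby unit must be able to reach the same upstream next hop as the active one for the switchover to be transparent.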