New Member

ASA 5520 supporting dual connections

I have a quick question;

If one was to enable HSRP on two routers (same subnet address), could an ASA support/uplink the dual connections from both routers?

Correct me if I'm wrong, but wouldn't one have to enable a dynamic routing protocol on the ASA in order to support this type of solution?

ACCEPTED SOLUTION

Re: ASA 5520 supporting dual connections

SLA with RTR tracking is a good solution, but it basically complicates the whole setup! Even if he has to run BGP, let it terminate on the external routers, and internally there can be a local route to reach the LAN through the firewall. Basically the routers can have a back-to-back connection to decide where to forward/receive packets from the internet, through BGP or any other means. The firewall's responsibility is just to forward the traffic onto a particular router, designated primary, which can be achieved through simple HSRP!

my 2 cents...

Raj

15 REPLIES
Hall of Fame Super Blue

Re: ASA 5520 supporting dual connections

Kevin

Not quite sure what you mean. Is there a switch between the ASA and the 2 routers, or do you mean connecting into 2 interfaces on the ASA?

HSRP is not intended for utilising both links so it's not entirely clear what you mean.

Jon

New Member

Re: ASA 5520 supporting dual connections

Jon, sorry, yes, a switch will be connecting both routers and the firewall.

Hall of Fame Super Blue

Re: ASA 5520 supporting dual connections

Still a little unclear as to your question. As Collin says you can just allocate the ASA into the same subnet and then point the ASA route to the HSRP address.

Am I misunderstanding your question?

Jon

Re: ASA 5520 supporting dual connections

If you're running HSRP across two interfaces, you would just point the ASA to the virtual address. Is this how your setup is?

INTERNET

|.......|

RTR.... RTR

|_______| <--HSRP running here

.....|

....ASA

Ignore the dots, I used them to fix the ASCII art.

Re: ASA 5520 supporting dual connections

Kevin

The way ASA primary/failover works is quite different from having 2 switches connecting to external routers for HSRP. I haven't seen any scenario with HSRP between an external firewall and routers. The issue here is that there is no layer 2 forwarding between the ASAs, unlike switches, which can forward information over the trunk! Hence, have two static routes or, as you said, a routing protocol running between the ASA and router to forward L3 traffic.

Failure can happen in the following ways:

1) In case the first router goes down, the ASA's interface goes down, and the traffic is flapped onto the failover firewall in a stateful way.

2) In case the link on the primary router goes down, the ASA primary will forward traffic to the primary router. The primary router should be connected back-to-back with the failover router, to forward traffic through the secondary link.

3) The same applies to the failure of ASAs too.

Hope this helps. All the best.

Raj

Re: ASA 5520 supporting dual connections

If it is just a single ASA, and a switch in between, then it makes sense to run HSRP on the routers. As Jon said, you can point the default gateway on the ASA to the VIP of the routers.

There should be some L2 connectivity between the HSRP neighbors for the keepalives to flow. Since you have a layer 2 switch, it is very much possible. As per my previous post, if you had the routers directly connected to two different ASAs, then it would have been difficult, and L3 routing would have been the only solution.

HTH

Raj

New Member

Re: ASA 5520 supporting dual connections

Is your second connection just for redundancy or do you have your own ASN and both routers are BGP peers to your ISPs?

If you have 2 different external networks I would use IP SLA and tracking statements. Then apply the track to the default route so it can be removed when the IP SLA is no longer true.
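The IP SLA and tracked default route design described in this reply, written out as an added ASA configuration example (not from the poster or from Cisco documentation). It assumes two ASA interfaces named outside and outside2, a constructed probe target 203.0.113.254 on the ISP side of the primary CE router, and constructed next hops 203.0.113.1 and 198.51.100.1.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders.
! Probe a target beyond the primary CE router, not the CE router's own inside
! address: if the CE router's copper side is up but its fiber is down, a probe
! to the CE router itself would still succeed and the failure would go unnoticed.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability result of SLA 10.
track 1 rtr 10 reachability
!
! The primary default route stays in the table only while track 1 is up.
! The floating route (administrative distance 254) takes over when the
! probe fails, so the ASA moves to the second ISP without a routing protocol.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Verify with:
!   show sla monitor operational-state 10
!   show track 1
!   show route
```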

New Member

Re: ASA 5520 supporting dual connections

I agree with kylerossd, sla monitor with rtr tracking is the better solution.

Re: ASA 5520 supporting dual connections

SLA with RTR tracking is a good solution, but it basically complicates the whole setup! Even if he has to run BGP, let it terminate on the external routers, and internally there can be a local route to reach the LAN through the firewall. Basically the routers can have a back-to-back connection to decide where to forward/receive packets from the internet, through BGP or any other means. The firewall's responsibility is just to forward the traffic onto a particular router, designated primary, which can be achieved through simple HSRP!

my 2 cents...

Raj

New Member

Re: ASA 5520 supporting dual connections

So what happens when the primary HSRP's internet connection dies? It is still advertising the MAC address of the gateway to the ASA and you're dead in the water.

It gets even worse if the connection doesn't go down. Your CE router's copper is up but their fiber is down, and you're sitting there UP/UP.

New Member

Re: ASA 5520 supporting dual connections

True, but I think the network people were thinking only of router failure, not the ISP.

That'll be a fault in their design... but I will remind them, thanks.

New Member

Re: ASA 5520 supporting dual connections

No problem, Good luck!

Re: ASA 5520 supporting dual connections

Kyle, ISP redundancy has to be taken care of at the router level. When we speak about multihoming, we might need more than an rtr command to make it work. The solution that we were referring to would take care of the following:

1) If the primary HSRP internet connection dies, packets would be forwarded to the primary router from the FW, through the HSRP VIP. The primary router can run iBGP or any dynamic routing protocol to forward the traffic to the backup router, through a dedicated back-to-back connection.

2) If the primary router fails, HSRP will take care of alternate routing through the secondary router.

3) If the Ethernet doesn't go down and the link remains up/up, BGP reachability on the primary router will go down, and an alternate path through iBGP will be available through the secondary router.

All these will be considered only if multihoming is necessary. This design is more from the WAN router point of view than the firewall. I think the firewall should do more packet filtering, IPS etc., and very little routing. What do you say?

Nothing to offend your design. It is a good one, but the scenario here is different, I guess.

Raj
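The HSRP-based design described in this reply and in the accepted solution, as an added IOS and ASA configuration example (not from the thread). It assumes constructed addresses in 192.0.2.0/24 on the switched segment shared by both routers and the ASA, GigabitEthernet0/0 as each router's WAN uplink, and goes one step beyond the thread by adding HSRP interface tracking so the VIP also moves when the primary's uplink interface goes down; the up/up case discussed above still relies on iBGP between the routers.

```cisco
! Added example, not from the thread. Addresses and interface names are constructed.
!
! RTR-A: preferred active router
interface GigabitEthernet0/1
 description Inside segment shared with RTR-B and the ASA
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 if the WAN uplink interface goes down, so RTR-B
 ! (priority 100) takes the VIP. This covers a physical uplink failure;
 ! a link that stays up/up with no upstream reachability is handled by
 ! iBGP between the two routers, as described in the thread.
 standby 1 track GigabitEthernet0/0 20
!
! RTR-B: standby router
interface GigabitEthernet0/1
 description Inside segment shared with RTR-A and the ASA
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
! ASA: no routing protocol, a single default route to the HSRP VIP.
! Routing and ISP redundancy stay on the routers.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Verify on the routers with "show standby brief" and on the ASA with "show route".
```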

New Member

Re: ASA 5520 supporting dual connections

Because in an edge design you don't want the firewall to get involved with a lot of routing; you just need a default gateway for your firewalls. So HSRP will provide you one redundant default gateway, and then you can take care of routing and ISP redundancy at the router level with BGP and one internal routing protocol.

New Member

Re: ASA 5520 supporting dual connections

Kyle, nope, this will be just HSRP from both routers' inside legs to the ASA...

No true dual ISP homing.

thanks,
