Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1020
Views
0
Helpful
1
Replies

ASA Failover when Firewalls are at different sites - help

steven.crutchley
Level 1
Level 1

‎02-20-2014 03:22 AM - edited ‎03-11-2019 08:47 PM

I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.

This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.

The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are seperated by both the internet cloud on one side and their internal company MPLS cloud on the other.

The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.

Cisco Forum Question 1.png

The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:

1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is prefering Site-1 to reach that range.

2. If the internet link fron INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.

3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.

I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).

Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).

Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuraiton to the backup everytime a change is made? My first though would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is smart was to get the two firewalls talking over Layer 2 it might be a better way forward.

Thanks in advance. Apologies for this question being too wordy.

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎02-20-2014 04:22 AM

You could used Ethernet over MPLS (EoMPLS) or Virtual Private Lan Services (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.

Here is a design guide you could have a read through on the options

http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079

EoMPLS configuration guide:

http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html

VPLS configuration guide:

http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card