ASA in active/standby mode with dual ISPs in active active topology

rays
Level 1

Hello, I have the following topology: 2x ASA5525-X in active/standby with dual ISPs, and under normal conditions I want to send guest traffic out ISP1 and Corp out ISP2. I am proposing to use a port channel between the ASA outside interface and the DMZ switch which will carry VLANs 10 and 20, which will connect to ISP1 and ISP2. I will use SVI interfaces on the ASA. This way I believe I can have 2x equal-cost default routes, one to each ISP, and do some round-robin load balancing of outbound traffic. Is that correct, since I am using one single physical interface?

If I NAT the guest subnet to a public IP address from ISP1 then this, by the default behaviour, will force traffic to use the ISP1 interface for outbound traffic, and return traffic should naturally flow back via ISP1 since the source is a public address from this ISP.

My question is: how would the ASA handle this in a failure situation if ISP1 went down? Is there a way to have a second NAT statement that NATs the guest subnet to a public address from ISP2 in the event of ISP1 going down? Or if not, how can failover be achieved with this design?

FYI, we have no Provider Independent address space to work with.

Many thanks

Rays

7 Replies

Vibhor Amrodia
Cisco Employee

Hi,

The ASA device does not support PBR. Are you using ISP redundancy on the ASA device?

Also, what is the ASA version you are running?

You can check this document for more information:

https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR, but I thought with the new code you could do some policy NAT that could help influence the outbound flow?

So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?

Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1, and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?

My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to ISP1 has an IP address from the same public address space?

Is that incorrect?

Many thanks

Rays

Hi,

Yes, you are correct. We can use the NAT statement for modifying the egress interface on the ASA device.

Are you using ISP redundancy on the ASA device?

Thanks and Regards,

Vibhor Amrodia

Hi,

If you are using ISP redundancy, check this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html

Thanks and Regards,

Vibhor Amrodia

Thanks for the link, very interesting.

In my design, I will be creating a port channel on the ASA with interfaces 0/1 and 0/2 as members. This will connect to the DMZ switch. The port channel will carry VLAN 10 and 20. VLAN 10 will connect to ISP1 and VLAN 20 to ISP2. I will create SVIs 10 and 20 on the ASA and assign them a public IP from each ISP. So int vlan 10 will be the ISP1 public_ip and int vlan 20 will be the ISP2 public_ip.

I will have 2x default routes with the same cost. I believe this works since they are connected to the same physical interface?

So would the EEM script work if the same physical interface is being used for both ISPs? Or can we remove the default route if IP SLA stops working for ISP1 and tell the ASA to now route all traffic out via ISP2 (using the routing table rather than NAT to decide)?

Hi,

I don't think having the same physical interface should matter as long as we have two different logical interfaces on the ASA device [Port-channel sub-interfaces].

You can configure ISP redundancy on the ASA device and then use the above method.

Thanks and Regards,

Vibhor Amrodia

Hi, yes, I am hoping to achieve redundancy, but I am not sure how I can achieve that. Is there any option to track ISP1 and, if it fails, use a secondary policy NAT for guests which will NAT to the ISP2 address space?

Or if ISP1 went down, can the ASA decide to use the routing table to choose the egress interface rather than being influenced by the NAT statement? This way traffic will be routed out via ISP2, since the default route to ISP1 will be removed due to tracking and IP SLA.

What are the options for failover in this design?

Many thanks

Rays
