Cisco Support Community

New Member

Dual ISP connection with Dual Firewall

Hi Team

Let me explain the setup first.

We have 2 firewalls in the setup running in active-standby mode. In the inside network we have 2 different networks which use separate internet links. For the 1st network the default route is pointed towards the ISP, and for the 2nd network a static route for specific outside networks is configured via the 2nd ISP (source-based routing). To the standby firewall another 2 ISP links are connected, which are the backup links for the respective primary links on the primary firewall. Tracking is configured, as the internet links are delivered over Ethernet.

We are using Juniper firewalls in this setup. The challenge is that whenever link1 goes down on the primary firewall, the primary firewall detects it via the tracking functionality and shifts the entire operation to the backup firewall, so both links on the secondary firewall become active. The problem is that link2 was active on the primary firewall, and those users still face an outage during the firewall failover. As per Juniper documentation it cannot just shift link1 on the primary FW to the 2nd firewall and let link2 on the primary firewall continue; instead the entire box operation is shifted to the other box.

Is it possible to achieve the required result with Cisco ASA, so that the setup can be shifted to Cisco? What I want to achieve is: whenever link1 on the primary FW fails, link1 traffic should be forwarded to the secondary FW and the traffic for link2 should continue on the primary firewall. This will avoid an unnecessary outage for my network2 users using link2.

I am attaching a schematic for reference.

2 REPLIES
New Member

Dual ISP connection with Dual Firewall

I saw two separate cases you opened.  One was a couple of years back, and this one above.  Both appeared to be related to load balancing and failover with multiple internet connections.  The responses appear to be based on PBR.  You may want to see some of the articles using PfR, OER, or Transport Diversity.

https://supportforums.cisco.com/docs/DOC-8353

New Member

Dual ISP connection with Dual Firewall

Hi, I have done this with Cisco a good amount of times and I will explain to you how I have done it in the environments I have worked on, and you can decide if this is a fit for you.

I have two firewalls. One is connected to ISP_1 and ISP_2; this firewall is called ASA-01. The primary internet for it is ISP_1.

I configured OSPF so it learns the routes for internal networks from a Cisco Layer 3 switch called CORE-01.

I have configured on ASA-01 an SLA monitor to track the gateway (similar to the SLAX script for next-hop tracking) and configured a static route with an admin distance of 200 to ISP_2.

Next I have another firewall called ASA-02 with ISP_1 and ISP_2, and its primary internet is ISP_2.

It also runs OSPF so it learns the routes for internal networks from a Cisco Layer 3 switch called CORE-02.

I have configured on ASA-02 an SLA monitor to track the gateway for ISP_2 and a static route with an admin distance of 200 for ISP_1.

On the core switches I run HSRP and PVSTP.

For the VLANs I want to go over ISP_1, I make CORE-01 the primary root bridge and the primary HSRP router, and for the VLANs I want to go over ISP_2, I make CORE-02 the primary root bridge and primary HSRP router for those VLANs.

If ISP_1 fails for ASA-01, then it learns via OSPF to go out of ASA-02 for its internet via the core switches. It uses OSPF because its admin distance is lower than the 200 of the static route out the directly connected interface, and vice versa for ISP_2 and ASA-02.

This approach allows you to load balance per switch, per firewall, and per ISP and have outbound redundancy too.

In the Juniper SRX you can configure virtual routers with filter-based forwarding and perform the load balancing and redundancy with that approach too, or the SLAX script, and I believe in JUNOS 11.1 an automated next-hop check configuration is now included without the need to use the SLAX scripts.

Thanks,

Juan
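The design Juan describes, written out as a configuration example added here (it is not from the post, from Cisco, or from a real deployment). Interface names, VLAN numbers and the addresses (RFC 5737 documentation ranges and 10.x.x.x) are assumed; only the ASA-01 and CORE-01 halves are shown, and ASA-02 and CORE-02 mirror them with the ISP roles, root-bridge and HSRP priorities swapped.

```cisco
! ===== ASA-01 (primary internet: ISP_1; ISP_2 is last-resort backup) =====
interface GigabitEthernet0/0
 nameif outside-isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.248    ! assumed ISP_1 hand-off
!
interface GigabitEthernet0/1
 nameif outside-isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.248     ! assumed ISP_2 hand-off
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252        ! routed link to CORE-01
!
! SLA monitor: ICMP echo to the ISP_1 gateway every 10 s. Tracking is what makes
! the failover work at all: an Ethernet hand-off stays "up/up" when the ISP's
! upstream is broken, so interface state alone would never withdraw the route.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside-isp1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Primary default via ISP_1 (AD 1), removed from the RIB when track 1 goes down.
route outside-isp1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
!
! Floating static via ISP_2 with AD 200 (the value from the post). It only wins
! when there is no OSPF default, i.e. when ASA-02's path is gone as well.
route outside-isp2 0.0.0.0 0.0.0.0 203.0.113.1 200
!
! OSPF toward CORE-01: internal networks are learned here, and the default route
! ASA-02 originates arrives with AD 110, which beats the AD 200 floating static.
! Result: when ISP_1 dies, only the ISP_1 traffic is steered across to ASA-02;
! ASA-01 itself stays up, which is the behaviour the original poster wants.
router ospf 1
 network 10.0.0.0 255.255.255.252 area 0
 log-adj-changes
 default-information originate
!
! ===== CORE-01 (Cisco IOS Layer 3 switch) =====
! VLAN 10 = users meant to use ISP_1 (CORE-01 is root and HSRP active)
! VLAN 20 = users meant to use ISP_2 (CORE-02 is root and HSRP active)
spanning-tree mode rapid-pvst                ! per-VLAN STP; the post just says PVSTP
spanning-tree vlan 10 priority 4096         ! root for the ISP_1 VLAN
spanning-tree vlan 20 priority 8192         ! secondary root for the ISP_2 VLAN
!
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 110                    ! active gateway for the ISP_1 VLAN
 standby 10 preempt
!
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 standby 20 ip 10.20.0.1
 standby 20 priority 90                     ! standby here; CORE-02 uses 110
 standby 20 preempt
!
interface GigabitEthernet1/0/1
 description Routed link to ASA-01 inside
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! OSPF runs on the ASA link and on the SVIs; the trunk between the two cores
! carries VLANs 10 and 20, so HSRP hellos and the OSPF adjacency to CORE-02
! both ride over it and CORE-01 learns ASA-02's default through CORE-02.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.0.255 area 0
 network 10.20.0.0 0.0.0.255 area 0
```

Two points worth checking before relying on this. First, each ASA NATs on its own outside interface, so the interface PAT (or static NAT) rules must exist on both boxes; a flow that fails over to ASA-02 gets a new public source address and existing TCP sessions are re-established, which is expected but should be communicated. Second, the SLA target is the ISP gateway, as in the post; a gateway that answers ICMP while its own upstream is down will keep the tracked route installed, so probing an address beyond the gateway is the usual hardening when the ISP allows it.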
