I need help on FW implementation in my Data Center. I have two 5545 for Internet FW and DMZ is connected to this FW. We have two Internet Service Provider, we need both ISP as active for loadbalance and Firewall can send traffic to both Routers.
Again this 5545 (internet FW) will connect to my Core FW (5585) connected to Nexus 7k.
I have attached diagram. Could anyone can help me on this how to setup the Firewall so I can achieve full redundancy between Firewall and Internet Router. in case of any link goes down, backup will be there to send traffic.
It sounds like someoneone didn't research this very well in selecting a firewall as your ISP load balancing point. The ASA cannot do this in any way you'd be advised to implement. You can do a VERY crude load balancing setup as described here but that's more of a science project than an actual recommended setup (in my opinion).
An ASA can choose between different interfaces for a default route using IP SLA setup as described here.
Beyond that limited functionality, you need a real router (or two) to make intelligent routing decisions using BGP and route accordingly.
Thanks for explaining, its really helpfull,
as you said we need a real router (two) to achieve better loadbalance/redundancy through bgp, i am agreed with you and we are going to put two 3945 routers with all advance license, and I am going to use bgp with internet service provider. And i am going to use two l2 switch because of more ports required to achieve full mesh topology.
my concern is the configuration of two 5545 Firewall, I did not work on asa before. How do i setup physical and logical connection between two ASAs 5545 and Two Routers (3945) in such a way that I can have full redundancy between Firewalls and Routers. if any one link goes down Primary FW able to send traffic to Routers and Primary FW goes down Failover FW can send traffic to Both Routers.
Could you please suggest, how do I acheive this in my design considering that we will use two real routers and BGP.
Continuing along that path, you would setup your ASA pair in the standard failover configuration.
If your two routers are connected via your intermediate L2 switch on the outside, that's good. You can setup the outside interface on each ASA as an Etherchannel with two physical ports on each ASA - one physical port to each stack or cluster member. Ideally the L2 switch is either a stack (2 or more members) or VSS cluster - at a minimum it should be a dual power supply system.
The two routers then run either a dynamic routing protocol towards the ASAs (EIGRP or OSPF) which is redistributed to/from eBGP towards the Internet and iBGP with each other. Alternatively they could run a first hop redundancy protocol like HSRP and your ASA could just point a static default route to the FHRP gateway IP address.
Some (many) people prefer not to run a dynamic routing protocol on their ASAs so as not to expose a routing control plane to the public interface (and because they're not "real" routers and it's often frustrating to not be able to do more advanced routing functions).
First of all, L2 switches between 3945 and ASA 5545 is 2960 Stack Switch.
i would like to go with HSRP option, its looks easy for troubleshooting and configuration for me as beginner in Firewall/ASA.
Now if I want to use both internet links as active, one is on 3945-1 and another one is on 3945-2. How do i do this? Because in case of HSRP only one router will be primary at a time.
Do I need to setup two HSRP for this case. and two static route from ASA? One HSRP id is primary for Router 1 and another HSRP id is primary for 2nd Router?
Another doubt should I use both iBGP between two 3945 routers and HSRP between two 3945 routers at a time.
Or either iBGP or HSRP?
I am sorry for asking very basic question because i have no options, i have to design and implement ASA first time. Pls.
Before we continue the BGP discussion you need to be sure you can get an ASN number and direct IP allocation from your RIR. If you are in North America this is ARIN (www.arin.net) or if in the European region RIPE (www.ripe.net).
Thanks for your advise,
I have worked on Network Design and Implementation, but this is the first time I will be working with Firewall.
I do not have an idea on how I can setup physical/logical FW between Edge Router and Core SW, so I can have full redundancy.
Can you suggest me some realtime scenerio and configuration, so I can read and understand the my design should be.
I have gone through the documents, its really really nice and most helpfull.
Could you please share if you have more documents on this type of design and implementation.
I have gone through lot of document and thinking to use OSPF between outside interfaces of 5545 and inside interfaces of router 3945 and eBGP between PE and CE router, iBGP between 3945.
I would like to know whether 5545 / Firewall would be good to run OSPF and stable fo dynamic routing protocol.
Or it is possible to solve with HSRP solution. Latest Design I have uploaded here. Our intention is to use two lnternet link as active / activie, normal browsing traffic will be forwarded to ISP 1 and e-mail traffic will be forwarded to ISP 2. The challenges are two internet links is terminated to different router.
cannot upload file, anyone can tell me.
You would be better advised to read some configuration guides and/or get a book about network design if you don't have a Cisco partner or consultant to work with. The forum is a good place for specific questions but walking you step by step through setting up and enterprise network is a bit out of place.
I'd suggest the Cisco Validated design (CVD) for Enterprise Internet Edge (here) is a good resource.
Regarding your sepcific question - yes - for the HSRP to routing transition to work properly, you need to run iBGP between your two routers. You do also need an AS number as Joe mentioned and the ability to advertise your assigned network out to both providers.