Is it possible with ASA in Active/Active mode?

cisco24x7
Level 6

I have a question for the PIX firewall gurus in this forum.

I do not have a pair of UR PIX firewalls to test this, so I have to ask.

Scenario:

inside network: 192.168.1.0/24
outside network: 129.174.1.0/24
default gateway for inside network: 192.168.1.1
default gateway for outside network: 129.174.1.254

Right now I have a pair of Checkpoint SPLAT firewalls running in Active/Active mode via Checkpoint ClusterXL. Network 192.168.1.0/24, when going out to the internet, is NAT'ed to the Checkpoint cluster external IP address, which is 129.174.1.1 (.2 and .3 are the physical IP addresses of the Checkpoint SPLAT firewalls).

If I initiate an FTP or HTTP connection from, let's say, host 192.168.1.10 to an external site such as 4.2.2.2 or www.oracle.com and download a 1GB file, I can see that the Checkpoint firewall does "load-sharing" on both firewalls, which is expected. Firewall_1 takes 50% of the traffic and firewall_2 takes the other 50% of the traffic from the same host 192.168.1.10.

Now, the customer would like to migrate from Checkpoint to PIX/ASA and maintain the same load-sharing with PIX/ASA. Is this possible?

Thanks.

7 Replies

abinjola
Cisco Employee

Yes, it's possible. You need to configure an Active/Active failover configuration, where both units pass traffic:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1046889

However, extensive load sharing is not possible.

In my "specific" configuration scenario, is it possible to have 50% of the traffic from host 192.168.1.10 going through firewall_1 and the other 50% of the traffic from host 192.168.1.10 going through firewall_2?

Can PIX/ASA do this?

Yes, as at one time one failover group is active, which constitutes context 1 of the first firewall and context 2 of the second firewall.

"yes, as at one time 1 failover group is active that constitute context1 of 1st firewall and conext 2 of second firewall"

Can you elaborate on this? The host

192.168.1.10 has the default gateway of

192.168.1.1. How can 50% traffics on host

192.168.1.10 goes out on firewall_1 and

50% of traffics on host 192.168.1.10 goes out

on firewall_2 via one session, like FTP,

ssh or telnet?

I mean truly load-sharing. Let say when

I download a 1GB file size via secure copy,

ssh, at a rate of let say 90mbps, I want

45mbps goes through firewall_1 and 45mbps

goes through firewall_2, AT THE SAME TIME.

Can you provide an example if it can be done?

Thanks.

No, what you are trying to achieve is not possible.

When you use Active/Active via two or more security contexts, the internal L3 devices need to have policy routes to the respective context you want to use. This would allow load sharing based on our definitions for source VLANs and what security context we want to use on each ASA. For example, if Context A / failover group 1 is used for odd internal VLANs and Context B / failover group 2 is used for even VLANs, then the internal policy routing would be as follows:

If source = VLAN odd then set next hop to failover group 1 IP (Context A)
If source = VLAN even then set next hop to failover group 2 IP (Context B)
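A concrete build of the odd/even split described in the reply above, added here as an example; it is not configuration from the original thread or from the Cisco documentation it links. It assumes two ASAs in multiple-context mode with 7.x-style NAT syntax, a shared outside subinterface, and an internal L3 switch that owns the host gateways. The inside network 192.168.1.0/24 with gateway 192.168.1.1 and the outside network 129.174.1.0/24 with gateway 129.174.1.254 come from the question; the second host VLAN 192.168.2.0/24, the transit subnets 10.10.1.0/29 and 10.10.2.0/29, VLAN IDs 11/12/100/901/902, the interface names, the failover link addressing and the outside addresses 129.174.1.1 to .4 are all assumptions made for the example.

```cisco
! ===== ASA system execution space (same on both units; only 'failover lan unit' differs) =====
! 'mode multiple' is an exec command that reboots the unit; run it first on each ASA.
mode multiple
! the outside subinterface is shared by both contexts, so each context needs its
! own MAC address for the classifier to steer return traffic to the right context
mac-address auto
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.901
 vlan 901
interface GigabitEthernet0/0.902
 vlan 902
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.100
 vlan 100
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! group 1 normally active on the primary unit, group 2 on the secondary unit;
! 'preempt' moves each group back to its preferred unit after a failed chassis recovers
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context ctxA
 allocate-interface GigabitEthernet0/0.901
 allocate-interface GigabitEthernet0/1.100
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.902
 allocate-interface GigabitEthernet0/1.100
 config-url disk0:/ctxB.cfg
 join-failover-group 2
failover
!
! ===== context ctxA (disk0:/ctxA.cfg), serves the odd VLAN =====
interface GigabitEthernet0/0.901
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.248 standby 10.10.1.2
interface GigabitEthernet0/1.100
 nameif outside
 security-level 0
 ip address 129.174.1.1 255.255.255.0 standby 129.174.1.2
route outside 0.0.0.0 0.0.0.0 129.174.1.254
route inside 192.168.0.0 255.255.252.0 10.10.1.3
! PAT every inside host behind this context's own outside address
nat (inside) 1 192.168.0.0 255.255.252.0
global (outside) 1 interface
!
! ===== context ctxB (disk0:/ctxB.cfg), serves the even VLAN =====
interface GigabitEthernet0/0.902
 nameif inside
 security-level 100
 ip address 10.10.2.1 255.255.255.248 standby 10.10.2.2
interface GigabitEthernet0/1.100
 nameif outside
 security-level 0
 ip address 129.174.1.3 255.255.255.0 standby 129.174.1.4
route outside 0.0.0.0 0.0.0.0 129.174.1.254
route inside 192.168.0.0 255.255.252.0 10.10.2.3
nat (inside) 1 192.168.0.0 255.255.252.0
global (outside) 1 interface
!
! ===== internal L3 switch (IOS): host gateways live here, PBR picks the context =====
interface Vlan11
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map FW_SPLIT
interface Vlan12
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map FW_SPLIT
interface Vlan901
 ip address 10.10.1.3 255.255.255.248
interface Vlan902
 ip address 10.10.2.3 255.255.255.248
! a 'deny' entry in a PBR match ACL means "not policy-routed", so traffic between
! the internal VLANs stays on the switch instead of being hairpinned through a context
ip access-list extended ODD_VLAN_SRC
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended EVEN_VLAN_SRC
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.3.255
 permit ip 192.168.2.0 0.0.0.255 any
route-map FW_SPLIT permit 10
 match ip address ODD_VLAN_SRC
 set ip next-hop 10.10.1.1
route-map FW_SPLIT permit 20
 match ip address EVEN_VLAN_SRC
 set ip next-hop 10.10.2.1
! catch-all for traffic the policy does not classify (e.g. the switch's own)
ip route 0.0.0.0 0.0.0.0 10.10.1.1
```

The switch never needs to know which chassis currently owns a failover group: the PBR next hops 10.10.1.1 and 10.10.2.1 are the contexts' active inside addresses, which move with the group, so when one chassis dies both contexts run on the survivor and the policy routing keeps working unchanged. Because each context is a stateful firewall doing its own PAT behind its own outside address, return traffic naturally lands on the context that built the connection; if a design ever lets a flow leave through one context and return through the other, the second context drops it as out-of-state unless the ASA asymmetric-routing support (asr-group on the interfaces) is configured. Note that the split is per source VLAN, not per flow: a single SCP session always traverses one context, which is exactly the limitation the thread arrives at.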

I think I got the idea. Basically, ASA Active/Active is somewhat similar to HSRP, not exactly the same but similar.

When ASA says Active/Active, it means that it will load-balance traffic for two different networks behind the ASA firewalls, similar to HSRP:

R1:

int f0/1
 ip address 10.1.1.2 255.255.255.0
 ip address 10.1.2.2 255.255.255.0 secondary
 ! group 10: R1 is preferred (priority 105 beats R2's 95)
 standby 10 ip 10.1.1.1
 standby 10 priority 105
 standby 10 preempt
 ! plaintext authentication; 'standby 10 authentication md5 key-string ...' is the stronger form
 standby 10 authentication cisco1
 standby 10 name HSRP_1
 ! group 20: R2 is preferred (R1's 95 loses to R2's 105)
 standby 20 ip 10.1.2.1
 standby 20 priority 95
 standby 20 preempt
 standby 20 authentication cisco2
 standby 20 name HSRP_2

R2:

! interface assumed to mirror R1's; the interface line was missing from the original R2 config
int f0/1
 ip address 10.1.1.3 255.255.255.0
 ip address 10.1.2.3 255.255.255.0 secondary
 standby 10 ip 10.1.1.1
 standby 10 priority 95
 standby 10 preempt
 standby 10 authentication cisco1
 standby 10 name HSRP_1
 standby 20 ip 10.1.2.1
 standby 20 priority 105
 standby 20 preempt
 standby 20 authentication cisco2
 standby 20 name HSRP_2

Basically, I can have network 10.1.1.0/24 go through R1 while network 10.1.2.0/24 goes through R2, thus achieving load-sharing.

In other words, ASA uses a technique similar to HSRP.

Is that the correct assumption? Thanks.

You got it.
