Note: No configuration is done yet, we are presenting this design to a customer. just need your feedback as to whether this design is correct.
i have attached the diagram as well
I have a very simple requirement. I have 2 core routers (2901) that are needed to connect to 2 5512-x firewalls that will be configured in Active/failover mode.
Both core routers will have dual connection to 2 firewalls (which are further connected to core switch). That means each firewall will have 2 outside interface but then how will i configure both these interfaces ? i mean do i need 2 layer 3 connections on both routers and then some routing protocol to manage the traffic ? or is there some other way of doing it ? ( i am totally lost here, i drew the diagram but i dont know how the traffic shall flow)
Both core routers and firewalls will be connected to a switch. Then i think we need to run HSRP/VRRP on both routers and firewalls will be routing traffic to the virtual ip ?
I am a bit lost here as to how achieve HA design in this scenario. I am not asking for any configuration just want to know how to set this up.
Generally speaking you would use a switch to interconnect the firewalls to the routers. The routers would use IP of the active firewall and if the active firewall changes the IP is moved over to standby firewall which becomes active.
And internally you would point your LAN at the active firewall's inside IP address for the same reason.
The main issues are with the routers and detecting failover. If you use a switch between the routers and firewalls then a router could fail but the firewall doesn't know because it has an up/up connection to the switch. The way round this is -
1) run a routing protocol between the firewalls and the routers. However a lot of people don't like running a routing protocol on their firewalls for security reasons especially between the outside interfaces and routers. In addition, last time i checked with a routing protocol the standby firewall does not actually particpate so if the firewall fails over the new active firewall then has to establish adjacencies with the routers. This restriction may have been lifted though with the newer firewalls.
2) track the status of neighbor with route tracking on the ASA firewall.
There are other issues you consider -
NAT - is each ISP providing you with a range of public IPs or do you have provider independant addressing ? Bear in mind both may be primary but if you used one of ISP1s address to PAT all your internal clients you could send trafic out via ISP2 but it would come back via ISP1. So it could be hard to load balance. You could split up your internal clients to NAT some to ISP1 and some to ISP2.
NAT for internal devices (on a dmz maybe) to be accessed from the internet. Again whose IP addresses would you use for this , ISP1s or ISP2s. Is ISP1 willing to advertise out ISP2s block and vice versa. If not all traffic for those services would come via the ISP you have used the addresses of.
If you do have provider independant addressing the above 2 are not so much of a concern because each ISP would advertise out your block of addresses.
Routing. The ASAs have a limitation that you cannot configure 2 default routes pointing out of different interfaces. This is another reason why having each router connect directly to the ASA is not a good idea because you would have 2 outside interfaces. With a switch you only have one outside interface so you can have 2 default routes, one pointing to one router and one to the other. As already stated if you do this you would need to somehow track the state of the links.
What routes are your routers receiving from the ISPs ? Are you peering with them using BGP or simply using statics. Do you want to influence outbound traffic to take one path or another or are you happy to just use 2 default routes on your firewall and let it load balance between them (with the provisos i covered about NAT).
Finally i should say that i have not used any of the more recent ASAs or software versions so some of what i have said, specifically the standby not particpating in the routing protocol and the limitation on default routes, may not be issues now so it may be worth posting into the Firewalling forum as well or putting a link to here just in case.
Apologies for overloading you with information but with 2 ISPs it can become quite complex.
Sir an excellent, totally awesome reply and guide. I really appreciate and am grateful.
Sir just one thing more, if i place a switch between routers and firewalls, does it need to be redundant too ? i mean in that case there will be just more interfaces connecting and things becoming complex. So how is it practically done ? 1 switch or 2 switches ?
If you have redundant firewalls and 2 routers having only one switch would not be a good idea as if it fails you have lost all connectivity. So yes, you would need 2 switches.
You would have one firewall and one router connected to each switch. All connections from both firewalls and routers would be in the same vlan. You connect the 2 switches together and because there is only one vlan then the switch ports connecting the switches just need to be access ports in that vlan.
If a switch fails you lose one firewall and on router.
Note also that from your original post you said in option 2 you run HSRP/VRRP on the routers. I think i covered it in the last post but worth saying again that you do point the routers at the firewall active IP but you don't run HSRP/VRRP on the routers because only one would be used. You simply add 2 default routes to the firewalls pointing to each routers LAN IP address.
In terms of failure -
1) active firewall fails. You still have 2 switches and 2 routers and one firewall
2) router fails. You still have an active and standby firewall, 2 switches and one router
3) switch fails. You still have one firewall and one router
None of the above necessarily means a loss of service but i would reiterate that your IP addressing from the ISPs and how you use them on the firewall could also dicatate what is and isn't available.
So it very important to understand exactly what the customer expects from the design in terms of redundancy, usage of both ISPs links etc. and whether your design will meet those requirements.
Thinking about it, this has more to do with the capabilities of the firewalls than the routers so i would suggest moving this thread to the Firewalling forum where there are people with much more recent experience than me in these things.
This document gives several answers on frequently asked questions for PFRv3 channel state behavior.
Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st...
The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).
The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN.
I couldn't connect to the hos...
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers. When we try to change the wiring and configuration, we run in to connectivity issues. Attached is a des...