Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
366
Views
0
Helpful
4
Replies

ASA Routing

angelatam
Level 1
Level 1

‎08-22-2007 12:16 PM - edited ‎02-21-2020 01:39 AM

Thanks in advance!

We're setting up a web server farm consisting of web, SQL, FTP, and domain controller servers. The data centre provided us 2 10Mbps Ethernet connections with 3 public static IPs each on primary subnet, and additional 14 public static IPs on secondary subnet.

Would a single Cisco ASA 5510 be capable of all this?

REQUIREMENTS

- Firewall the network.

- Ability to VPN into the network.

- Ability to route secondary IPs traffic to servers' internal IPs.

- Multiple internal subnets, can create rules as to which resource on each subnet can access the other.

- Implement redundancy with the secondary Ethernet connection. So if primary connection drops web traffics automatically go through the secondary connection.

Greatly appreciated!Z

0 Helpful
4 Replies 4

anandramapathy
Level 3
Level 3

‎08-23-2007 12:18 AM

For the ASA -

I suggest you go for 2 ASAs for Redundancy -

Active - Standby / Active - Active.

They will do stateful failover.

Firewall - yes

VPN into the network - Yes

Multiple internal subnets, can create rules as to which resource on each subnet can access the other. - Yes

2 numbers 7200 Routers running I-BGP with HSRP & Running E BGP with the ISP

Redundancy for Secondary Internet - connection - Yes

Ability to route secondary IPs traffic to servers' internal IPs. - Yes

For BGP refer this url -

http://www.cisco.com/warp/public/459/27.html

http://www.cisco.com/warp/public/459/40.html

HTH - Pls rate if useful

0 Helpful

srue
Level 7
Level 7
In response to anandramapathy

‎08-23-2007 04:50 AM

Active/active failover does not support VPNs, so you'll have to use active/standby for redundancy.

0 Helpful

anandramapathy
Level 3
Level 3
In response to srue

‎08-23-2007 04:58 AM

That is true. Sorry i missed out that one

0 Helpful

jfgobin01
Level 1
Level 1

‎09-01-2007 04:43 AM

The answer is : it depends.

Is the Data Center operator doing any dynamic routing protocol with you (BGP, OSPF, RIP ...) ? Or are you going to need something else (like Cisco OER) ? Is the second line a "pure backup" or can you do some kind of load distribution across the two lines ?

Can both subnets be sent over the two lines or is the first subnet going to be feed only through the first one and the second subnet only through the second link ? In that case, can Global Load Balancing be a solution for you ?

I'll take some hypothesis :

- You need a firewall;

- You need to VPN (site-to-site or client-to-site) to your infra;

- You need to perform NAT;

- You need failover;

- Your provider offers you OSPF routing to switch between first and second link.

All that can be done with an ASA box (and - of course - much more), or even better, two ASAs failovering active/standby.

If possible, can you provide us a small network sketch of what you plan to do ?

My two cents ...

jF

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card