Cisco Support Community
New Member

ASA Routing

Thanks in advance!

We're setting up a web server farm consisting of web, SQL, FTP, and domain controller servers. The data centre provided us with 2 10Mbps Ethernet connections with 3 public static IPs each on the primary subnet, and an additional 14 public static IPs on the secondary subnet.

Would a single Cisco ASA 5510 be capable of all this?

REQUIREMENTS

- Firewall the network.

- Ability to VPN into the network.

- Ability to route secondary IPs traffic to servers' internal IPs.

- Multiple internal subnets, can create rules as to which resource on each subnet can access the other.

- Implement redundancy with the secondary Ethernet connection, so that if the primary connection drops, web traffic automatically goes through the secondary connection.

Greatly appreciated!Z

4 REPLIES

Re: ASA Routing

For the ASA -

I suggest you go for 2 ASAs for Redundancy -

Active - Standby / Active - Active.

They will do stateful failover.

Firewall - yes

VPN into the network - Yes

Multiple internal subnets, can create rules as to which resource on each subnet can access the other. - Yes

2 numbers 7200 Routers running iBGP with HSRP & running eBGP with the ISP

Redundancy for Secondary Internet - connection - Yes

Ability to route secondary IPs traffic to servers' internal IPs. - Yes

For BGP, refer to these URLs -

http://www.cisco.com/warp/public/459/27.html

http://www.cisco.com/warp/public/459/40.html

HTH - Pls rate if useful

Gold

Re: ASA Routing

Active/active failover does not support VPNs, so you'll have to use active/standby for redundancy.

Re: ASA Routing

That is true. Sorry, I missed that one.

New Member

Re: ASA Routing

The answer is: it depends.

Is the data center operator running any dynamic routing protocol with you (BGP, OSPF, RIP ...)? Or are you going to need something else (like Cisco OER)? Is the second line a "pure backup", or can you do some kind of load distribution across the two lines?

Can both subnets be sent over the two lines, or is the first subnet going to be fed only through the first one and the second subnet only through the second link? In that case, can Global Load Balancing be a solution for you?

I'll take some hypotheses:

- You need a firewall;

- You need to VPN (site-to-site or client-to-site) to your infra;

- You need to perform NAT;

- You need failover;

- Your provider offers you OSPF routing to switch between first and second link.

All that can be done with an ASA box (and, of course, much more), or even better, two ASAs in active/standby failover.

If possible, can you provide us with a small network sketch of what you plan to do?

My two cents...

jF
