1) A per DR router should connect to both 3845 routers which are kept in DMZ of ASA. It will give you redundancy. Routing protocol will take care of redundancy, so no manual intervention is required.
2) You have mentioned PIX in your IP schema, but there is no PIX in your diagram.
3) For the routing protocol, you should go for either EIGRP or OSPF, whichever you are comfortable with. But if you are planning to run a routing protocol between the ASA and routers, then you need to run OSPF/RIP because it doesn't support EIGRP.
4) For branches, primary connectivity through CE1 and backup via PRI dialup is fine. Configuration you can find here:
ASA in active/active mode means you are running multiple contexts, one context in primary mode on one ASA with the 2nd ASA as secondary. Vice versa for 2nd ASA. When running in multiple context mode you cannot use dynamic routing protocols (static only). If you will only need 1 firewall (i.e. not multiple contexts), then the ASAs will be running in active/standby mode (and can use dynamic routing).
Another note, if the client wants to use Intrusion Prevention (inline) versus Intrusion Detection (mirrored with ACL blocking/shunning), the ASA IPS modules are much easier to maintain than inline 4215s. OS upgrades come out every couple of months. With ASA IPS cards, traffic will automatically bypass IPS during upgrades (reload of IPS card).