ASA's and BGP

This is more of a design question than a technical question. I have inherited a network that uses BGP with two ISPs. Each ISP has an individual firewall (context) assigned to incoming traffic. We have a 6509 in our core that routes internal traffic to one firewall's internal interface.

My question is: what happens if the ISP fails that the 6509 is routing default traffic to? Is there a way to use some protocol (HSRP-esque) so both ASAs have only one internal IP and the 6509 can route all traffic to either one if an ISP fails? Would it be better to use one firewall with two external interfaces and one internal interface? Are there any whitepapers from Cisco with a similar configuration to this?

Any help would be greatly appreciated. Thanks!

7 REPLIES

Re: ASA's and BGP

Interesting design. Without completely overhauling the ASA and internet edge (may be the best solution?), you could use IP SLA.

https://packetpros.com/cisco_kb/IP_SLA.html


Re: ASA's and BGP

So if we were to redesign the ASAs, would it make sense to have ONE context pointing to both VIPs in BGP with one internal interface? Is that even possible? Seems like there would be more documentation out there for situations like this.

Re: ASA's and BGP

Can you post a diagram? I want to make sure I understand your topology.


Re: ASA's and BGP

Sure, here is the basic design. I changed the IPs to private IPs, but you will get the idea.

We get default routes from ISP2 because we do not own a full class C for that connection; we do for the other (ISP1).

Re: ASA's and BGP

Here's what I would do-

Remove the contexts, or if you need multiple contexts, use a single one for the internet access. Since there are two VIPs on the internet routers, you can point the default route on the ASA to either VIP. Luckily you're running iBGP, which will take care of any ISP failures. If you must keep this current design, check the IP SLA link I sent earlier for routing around a firewall failure.
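As an added example (not from the original thread and not Cisco's own reference configuration), this is roughly what the IP SLA arrangement referred to above looks like on the 6509 if the two-context design is kept: the core keeps its default route toward context 1's inside interface, probes reachability through that context, and falls back to context 2's inside interface when the probe fails. All addresses, the VLAN interface and the probe target are assumptions. The `ip sla` / `track ... ip sla` keywords are the newer IOS spelling; older Sup720 releases use `ip sla monitor` / `type echo protocol ipIcmpEcho` and `track ... rtr` for the same thing.

```cisco
! ---- 6509 core: route around a failed firewall context (assumed addresses) ----
! 10.0.0.1   = inside interface of firewall context 1 (primary, ISP1)
! 10.0.1.1   = inside interface of firewall context 2 (backup, ISP2)
! 203.0.113.1 = HSRP VIP on the ISP1-facing internet routers, probed *through* context 1
!
! Probe a target on the far side of the firewall, not the firewall's own inside
! interface: an ASA whose outside link or ISP is dead still answers pings on the
! inside, and the track would never fall over.
ip sla 10
 icmp-echo 203.0.113.1 source-interface Vlan10
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! Dampen flaps: 10 s before declaring the path down, 30 s before trusting it again.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Primary default route is withdrawn when track 10 goes down; the floating
! static (AD 250) through context 2 then takes over.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10
ip route 0.0.0.0 0.0.0.0 10.0.1.1 250
!
! Verification:
!   show track 10
!   show ip sla statistics 10
!   show ip route 0.0.0.0
```

Two things to check before relying on this. First, context 1 has to actually forward the probe: the ASA needs ICMP echo from the 6509's source address permitted outbound and the echo-reply allowed back (ICMP inspection or an explicit `icmp permit` on the outside), otherwise the track is down from the start. Second, a failover only moves new connections; the ASA contexts do not share state, so existing sessions through context 1 are reset when the default route moves to context 2, and return traffic for anything NATed behind ISP1's block is lost until that ISP is back, which is the argument the replies above make for collapsing to a single context with iBGP handling the ISP side.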


Re: ASA's and BGP

That makes sense, thanks for the advice!

Any other ideas?

Re: ASA's and BGP

We had a design similar to this and I finally fixed it last weekend. The real kicker is usually people don't run iBGP between their routers, but you are, so that covers the big ticket items. I also have two HSRP groups, which makes no sense to me, but I can't afford the outage if I removed one of them.
