Design question - redundant Internet link with HSRP between Cisco routers separated by ASA 5505s

Sam Brynes (Level 1)

We are thinking of buying two Cisco ASA 5505s with security plus licenses as our core firewalls. We have two internet connections that are in two separate rooms which would have two Cisco ISR G2 routers in them. We want to run the ASAs in routed mode, and to have them firewall traffic between different VLANs.

In addition, we would like to have some type of setup that would make use of our two internet links. Traffic would be flowing through only one internet link at a time (active / passive configuration). I was thinking of running HSRP between the Cisco ISR G2 routers on VLAN 60 (see attached diagram).

On the Cisco ASA 5505s, I was thinking we would have static default routes on each ASA to the HSRP VIP shared across VLAN 60.

In our network currently, the link between the two ASA 5505s periodically fails (the wireless bridge between access points 1 and 2 fails). I read that HSRP and VRRP are not supported on Cisco ASA 5505s, and that high availability requires a dedicated physical link between the two ASA 5505s.

In our situation, we do not have the ability to run an Ethernet cable between the two ASA 5505s (they are in separate offices).

I think hosts usually only have one default gateway assigned.

If the default gateway of the hosts in each VLAN would be the SVI IPs on the primary ASA on the left on the attached diagram, traffic from client B wouldn't get anywhere if the wireless bridge between access points 1 and 2 was down, and the whole high availability concept would not work.

Given these network conditions, limitations, and equipment, is there a way that we can implement a primary / backup internet connectivity setup?
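The edge-side design described in the post (HSRP between the two ISR G2 routers on VLAN 60, with each ASA carrying a single static default route to the HSRP virtual IP), written out as an added configuration example; this is not configuration from the original thread. The addresses (10.60.0.0/24 for VLAN 60, VIP 10.60.0.1, ISR-1 10.60.0.2, ISR-2 10.60.0.3, ASA-A 10.60.0.11, ASA-B 10.60.0.12, the 198.51.100.0/30 ISP link), the interface names and the HSRP group number are assumptions chosen for illustration.

```cisco
! ISR-1 (preferred Internet edge). ISR-2 is configured the same way with
! ip address 10.60.0.3 and a lower HSRP priority (100) on VLAN 60.
! Addresses, interface names and group number are assumed, not from the thread.
!
! Uplink to ISP-1; the ISP next hop 198.51.100.1 is an assumed documentation address
interface GigabitEthernet0/0
 description ISP-1 uplink
 ip address 198.51.100.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Fail HSRP over when the ISP-1 uplink goes down: priority 110 - 20 = 90,
! which is below ISR-2's priority of 100, so ISR-2 preempts and takes the VIP.
track 1 interface GigabitEthernet0/0 line-protocol
!
! Inside interface on VLAN 60, shared with ISR-2 and both ASA outside interfaces
interface GigabitEthernet0/1
 description VLAN 60 toward ASA-A / ASA-B
 ip address 10.60.0.2 255.255.255.0
 standby version 2
 standby 60 ip 10.60.0.1
 standby 60 priority 110
 standby 60 preempt delay minimum 30
 standby 60 authentication md5 key-string <shared-secret>
 standby 60 track 1 decrement 20
!
! ASA-A (ASA 5505, routed mode). ASA-B is identical except for 10.60.0.12.
! Ethernet0/0 is the 5505 switch port that carries VLAN 60 to the ISRs.
interface Ethernet0/0
 switchport access vlan 60
!
interface Vlan60
 nameif outside
 security-level 0
 ip address 10.60.0.11 255.255.255.0
!
! One static default route to the HSRP virtual IP: the next hop never changes,
! so the ASA needs no HSRP/VRRP support of its own to follow an edge failover.
route outside 0.0.0.0 0.0.0.0 10.60.0.1 1
```

The ASA resolves 10.60.0.1 to the HSRP virtual MAC (0000.0C9F.F03C for HSRPv2 group 60), which moves with the active router, so an edge failover changes nothing in the ASA's routing or ARP table. The MD5 authentication matters on a shared segment like VLAN 60: without it, any device that can send to that VLAN could advertise a higher priority and pull the default route of both firewalls to itself. Two caveats: line-protocol tracking only notices a dead uplink, so if the ISP-1 circuit stays up while the provider side fails you would instead track an `ip sla` icmp-echo to the ISP next hop with `track 1 ip sla 1 reachability`; and HSRP moves the gateway but not NAT or connection state, so if the ISRs translate to their ISP addresses, sessions built on ISR-1 do not survive the move to ISR-2.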

Accepted Solution

Julio Carvajal (VIP Alumni)

Hello,

Interesting discussion.

First of all, as you said, failover requires a dedicated link between the ASA firewalls (this one can go over an L2 switch; in fact, this is Cisco's recommendation) so that the session replication (stateful failover link), the configuration, etc. get to the other mate. Note also that, for a good deployment of failover, all of the interfaces of the ASAs must belong to the same L3 network so they can exchange keepalive messages to determine whether the peer or the peer interface is up and running.

Now back to the redundancy deployment.

On the edge side we are good with HSRP on both of the ISRs; the problem is on the internal or inside side, where we are not able to run active/standby failover on the firewalls.

One option I can think of is placing another hop in between, connecting to all of the client VLANs, let's say an L3 switch or Cisco router.

Then you can run a feature such as IP SLA, so that based on the reliability of the path to one of the ASAs you send the traffic via that path, and otherwise send it via the other link.

I know it's hard, as you will need more equipment, but maybe you have some boxes that could do this for you. I do not see how we will be able to add the redundancy with the ASAs being unable to run HA. We must set it up somewhere else.

Hope that I could help.

Jcarvaja

http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


4 Replies


Interesting idea! If we decided on using a router, I think we would need two routers (one on each side of the wireless bridge) running an HSRP process for each VLAN, and then I would point the clients to the VIP for their respective VLAN.

If we only had one router on one side of the wireless bridge, the clients on the other side would still have an outage if the wireless bridge went down.

Hello,

Exactly, you will need that in order to avoid the necessity of the L2 connection between both firewalls.

Although you already have the license to enable HA, there is no way you can build an "L2" connection between the offices to make this happen.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, thanks for your suggestion. I can't think of another way, and I'll mark your answer as the "Correct Answer" for your insight.
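Julio's inside-hop proposal (an L3 switch or router in front of the client VLANs that picks between the two ASAs with IP SLA), combined with the per-VLAN HSRP router pair that Sam adds in his reply, written out as an added configuration example; it is not configuration from the thread. One router (INSIDE-A, in the same office as ASA-A) is shown; INSIDE-B in the other office mirrors it with its own addresses, prefers its local ASA-B, and uses the lower HSRP priority. The addresses (transit VLAN 10 with ASA-A inside 10.10.0.11 and ASA-B inside 10.10.0.12, client VLAN 20 with VIP 10.20.0.1), the SLA/track object numbers and the timers are assumptions chosen for illustration.

```cisco
! INSIDE-A: L3 switch or router in office A, in front of the client VLANs.
! INSIDE-B (office B) mirrors this with its own addresses, prefers its local
! ASA-B, and uses HSRP priority 100. All addresses and numbers are assumed.
!
! Transit VLAN 10 faces the inside interfaces of both ASAs
! (ASA-A 10.10.0.11 in office A, ASA-B 10.10.0.12 in office B).
interface Vlan10
 description transit to ASA-A / ASA-B inside
 ip address 10.10.0.2 255.255.255.0
!
! Probe each ASA's inside address every 5 s. The ASA answers ICMP sent to
! its own interface addresses by default; an "icmp deny" rule would break this.
ip sla 11
 icmp-echo 10.10.0.11 source-interface Vlan10
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 11 life forever start-time now
!
ip sla 12
 icmp-echo 10.10.0.12 source-interface Vlan10
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 12 life forever start-time now
!
! Dampen flaps: declare an ASA down after 10 s, up only after 30 s of success.
track 11 ip sla 11 reachability
 delay down 10 up 30
track 12 ip sla 12 reachability
 delay down 10 up 30
!
! Preferred default route via the local ASA-A, installed only while it answers;
! the floating route (administrative distance 10) via ASA-B takes over otherwise.
ip route 0.0.0.0 0.0.0.0 10.10.0.11 track 11
ip route 0.0.0.0 0.0.0.0 10.10.0.12 10 track 12
!
! Client VLAN 20: hosts use the HSRP VIP 10.20.0.1 as their only gateway.
! Losing ASA-A drops the priority to 90, below INSIDE-B's 100, so INSIDE-B
! takes the VIP and forwards via ASA-B.
interface Vlan20
 description client VLAN 20
 ip address 10.20.0.2 255.255.255.0
 standby version 2
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt delay minimum 30
 standby 20 authentication md5 key-string <shared-secret>
 standby 20 track 11 decrement 20
```

With the wireless bridge up, INSIDE-A is active for VLAN 20 and all client traffic leaves through ASA-A and then the HSRP VIP on VLAN 60, so the second Internet link stays passive as the original post wanted. When the bridge drops, INSIDE-B stops hearing INSIDE-A's hellos and becomes active for the clients on its side, and its probe to ASA-A fails across that same bridge, so it routes through ASA-B: each office keeps a complete local path, which is the case the post could not solve with every host's gateway pinned to one ASA. Three caveats a practitioner should check before relying on this. The ASAs share no connection state, so flows through the previous ASA are cut when the route flips, and each ASA's outbound NAT must use its own outside address so return traffic reaches the firewall holding the state. Pinging an ASA's inside interface proves the ASA is up, not that it can reach the Internet; probing a target beyond it (the VLAN 60 VIP or an external address, with the ASA permitting that ICMP) catches more failures, but each such probe needs a host route pinned to the ASA under test so it cannot leak through the other one. And with the client SVIs on the inside hop, traffic between client VLANs no longer passes through the ASA unless the hop enforces ACLs of its own, which changes the inter-VLAN firewalling the original design asked for.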
