Design question - redundant Internet link with HSRP between Cisco routers separated by ASA 5505s

We are thinking of buying two Cisco ASA 5505s with security plus licenses as our core firewalls. We have two internet connections that are in two separate rooms which would have two Cisco ISR G2 routers in them. We want to run the ASAs in routed mode, and to have them firewall traffic between different VLANs.

In addition, we would like to have some type of setup that would make use of our two internet links. Traffic would be flowing through only one internet link at a time (active / passive configuration). I was thinking of running HSRP between the Cisco ISR G2 routers on VLAN 60 (see attached diagram).

On the Cisco ASA 5505s, I was thinking we would have static default routes on each ASA to the HSRP VIP shared across VLAN 60.

In our network currently, the link between the two ASA 5505s periodically fails (the wireless bridge between access points 1 and 2 fails). I read that HSRP and VRRP are not supported on Cisco ASA 5505s, and that high availability requires a dedicated physical link between the two ASA 5505s.

In our situation, we do not have the ability to run an Ethernet cable between the two ASA 5505s (they are in separate offices).

I think hosts usually only have one default gateway assigned.

If the default gateway of the hosts in each VLAN would be the SVI IPs on the primary ASA on the left on the attached diagram, traffic from client B wouldn't get anywhere if the wireless bridge between access points 1 and 2 was down, and the whole high availability concept would not work.

Given these network conditions, limitations, and equipment, is there a way that we can implement a primary / backup internet connectivity setup?

Accepted solution

Hello,

Interesting discussion.

First of all, as you said, failover requires a dedicated link between the ASA firewalls (this one can go over an L2 switch; in fact, that is Cisco's recommendation) so that session replication (the stateful failover link), the configuration, etc. get to the other mate. Note also that, for a good failover deployment, all of the interfaces of the ASAs must belong to the same L3 network so they can exchange keepalive messages to determine whether the peer or the peer's interface is up and running.

Now back to the redundancy deployment.

On the edge side we are good with HSRP on both of the ISRs; the problem is on the internal or inside side, where we are not able to run active/standby failover on the firewalls.

One option I can think of is placing another hop in between, connecting to all of the client VLANs, let's say an L3 switch or a Cisco router.

Then you can run a feature such as IP SLA, so that based on the reliability of one of the ASAs you send the traffic via that path, and otherwise send it via the other link.

I know it's hard, as you will need more equipment, but maybe you have some boxes that could do this for you. I do not see how we will be able to add the redundancy with the ASAs being unable to run HA. We must set it up somewhere else.

Hope that I could help.

Jcarvaja

http://laguiadelnetworking.com

Looking for some networking assistance? Contact me directly at jcarvaja@laguiadelnetworking.com; I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
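The edge-side piece that both the question and the accepted answer agree on (HSRP between the two ISR G2 routers on VLAN 60, with each ASA pointing a static default route at the VIP) as an added configuration example. This is not configuration from the original thread or from the poster's network; the addressing (VLAN 60 = 10.60.0.0/24, VIP 10.60.0.1, ISR-A 10.60.0.2, ISR-B 10.60.0.3), the provider next hops 203.0.113.1 and 198.51.100.1, the interface names, and the choice to PAT on each ISR to its own provider-assigned address are all assumptions made for the example.

```ios
! Added example, not from the original thread. Edge ISR G2 pair sharing an
! HSRP VIP on transit VLAN 60; the ASAs default-route to the VIP.
! Assumed addressing: VLAN 60 = 10.60.0.0/24, VIP 10.60.0.1,
! ISR-A 10.60.0.2 (preferred), ISR-B 10.60.0.3,
! provider next hops 203.0.113.1 (ISR-A) and 198.51.100.1 (ISR-B).
!
! ---- ISR-A ----
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Reachability object that both the HSRP group and the default route track
track 1 ip sla 1 reachability
 delay down 5 up 30
!
interface GigabitEthernet0/0
 description Internet link A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.60
 description Transit VLAN 60 toward the ASAs (no host ports on this VLAN)
 encapsulation dot1Q 60
 ip address 10.60.0.2 255.255.255.0
 ip nat inside
 standby version 2
 standby 60 ip 10.60.0.1
 standby 60 priority 110
 standby 60 preempt delay minimum 30
 standby 60 authentication md5 key-string <shared-secret>
 ! 110 - 20 = 90, below ISR-B's 100, so losing the upstream hands the VIP to ISR-B
 standby 60 track 1 decrement 20
!
! The default route is withdrawn when the upstream stops answering, so ISR-A
! does not keep a dead path while HSRP converges.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
! PAT to this link's provider-assigned address so replies return over the same link
ip access-list standard INSIDE-SRC
 permit 10.0.0.0 0.255.255.255
ip nat inside source list INSIDE-SRC interface GigabitEthernet0/0 overload
!
! ---- ISR-B: same template with its own upstream and a lower priority ----
! ip sla 1 -> icmp-echo 198.51.100.1; track 1; ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
! standby 60 priority 100 / preempt / authentication md5 / track 1 decrement 20
!
! ---- Each ASA 5505 (routed mode): a single static default to the HSRP VIP ----
route outside 0.0.0.0 0.0.0.0 10.60.0.1 1
!
! ---- Checks ----
! show standby brief       one Active, one Standby, same group, VIP and version
! show track 1             state Up, tracking reachability
! show ip sla statistics   echo successes; a run of failures should flip track 1
```

Two caveats worth checking before relying on this. First, this is active/passive across two different providers, so a failover changes the public source address and every established session is reset; that is inherent in the design the poster asked for, not a misconfiguration. Second, HSRP MD5 authentication only stops a host on VLAN 60 from trivially claiming the VIP with a higher priority; keep VLAN 60 a pure transit VLAN with no user ports on it rather than treating the authentication as the control.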

Interesting idea! If we decided on using a router, I think we would need two routers (one on each side of the wireless bridge) running an HSRP process for each VLAN, and then I would point the clients to the VIP for their respective VLAN.

If we only had one router on one side of the wireless bridge, the clients on the other side would still have an outage if the wireless bridge went down.

Hello,

Exactly, you will need that in order to avoid the necessity of the L2 connection between both firewalls.

Although you already have the license to enable HA, there is no way you can build an "L2" connection between the offices to make this happen.

Regards,

Jcarvaja
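The internal design agreed in the last two replies (one L3 hop per office, an HSRP group per client VLAN running across the wireless bridge, and IP SLA choosing which ASA carries the traffic) as an added configuration example. It is not configuration from the thread. The addressing (client VLAN 10 = 10.10.0.0/24 with VIP 10.10.0.1, transit VLANs 70 and 71 to the inside of ASA-L and ASA-R, a 10.72.0.0/30 routed link between the routers over the bridge), the interface names, and the use of ASA 8.3+ object NAT are all assumptions made for the example.

```ios
! Added example, not from the original thread. One router per office, HSRP
! per client VLAN across the wireless bridge, IP SLA-tracked default route
! toward the local ASA, floating static toward the other office as fallback.
! Assumed addressing: client VLAN 10 = 10.10.0.0/24 (VIP 10.10.0.1,
! Router-L 10.10.0.2, Router-R 10.10.0.3); transit VLAN 70 Router-L <-> ASA-L
! inside (ASA-L 10.70.0.1, Router-L 10.70.0.2); transit VLAN 71 Router-R <->
! ASA-R inside (ASA-R 10.71.0.1, Router-R 10.71.0.2); router-to-router link
! over the bridge 10.72.0.0/30 (Router-L .1, Router-R .2).
!
! ---- Router-L ----
ip sla 10
 icmp-echo 10.70.0.1 source-interface GigabitEthernet0/1.70
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/0.10
 description client VLAN 10 (repeat one subinterface and standby group per VLAN)
 encapsulation dot1Q 10
 ip address 10.10.0.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string <shared-secret>
!
interface GigabitEthernet0/1.70
 description transit to ASA-L inside
 encapsulation dot1Q 70
 ip address 10.70.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 description routed link to Router-R across the wireless bridge
 ip address 10.72.0.1 255.255.255.252
!
! Primary default via the local ASA, withdrawn when the ASA stops answering;
! the floating static (AD 250) then sends traffic across the bridge to Router-R.
ip route 0.0.0.0 0.0.0.0 10.70.0.1 track 10
ip route 0.0.0.0 0.0.0.0 10.72.0.2 250
! Router-R is the mirror image: standby 10 priority 100, ip sla 10 to 10.71.0.1
! via Gi0/1.71, default via 10.71.0.1 track 10, floating via 10.72.0.1 250.
!
! ---- ASA-L (routed mode, ASA 8.3+ syntax) ----
! Return route to the client VLAN via Router-L (one per VLAN, or a summary),
! and allow the router's probe to reach the inside interface.
route inside 10.10.0.0 255.255.255.0 10.70.0.2 1
icmp permit host 10.70.0.2 echo inside
! PAT every inside flow to this ASA's own outside address, so replies from
! the Internet come back to the ASA that holds the connection state.
object network INSIDE-NETS
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

How this behaves in the failure the poster described: when the bridge drops, VLAN 10 splits into two segments, HSRP hellos stop crossing, and both routers go Active for the VIP on their own side, each forwarding through its local ASA; when the bridge returns, preempt collapses the group back to one Active. The per-ASA PAT matters because the ASAs are not sharing state: if both translated to the same address, return traffic from the active ISR could land on the ASA that never saw the flow and be dropped. Two limits to keep in mind: pinging the ASA's inside interface only proves the ASA is up, not that its path to the Internet works (a probe to a target beyond the ASA is stronger but needs the ASA to pass ICMP), and with the router now forwarding between client VLANs, the inter-VLAN filtering the poster wanted on the ASA has to move to the router's ACLs or be forced through the ASA.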

Ok, thanks for your suggestion. I can't think of another way, and I'll mark your answer as the "Correct Answer" for your insight.
