ASA 5520 Redundant ISP and Fail over Load balance

[jasondvox]

jasondvox (TechnicalUser) Feb 21, 2008
I am in a fact finding, developing and designing stage.

Build of Materials:
1 Cisco 4506 with supII plus
2 Cisco ASA 5520's with ASDM 8 (4 port gige ports each)
2 ISP's (Bonded t1's @ 3mg, ISP w/eithernet @10megs seperate wan Subnets IE 12.240.X.X and 206.170.x.x both /28)
4 servers for DMZ (New)

Best protocol that all equipment has in common is EIGRP

Task:

Build secure, redundant access to internet with Loadbalancing, fail over and high access to DMZ.


With a single ASA firewall configuring "reachable static routes" is cut and dry. The asa has a feature to ping static routes and call one dead and switch route priority.

Here are the questions:
When configuring a DMZ with 2 ISP's in defferent subnets is configuring the DMZ as easy as just adding the public address and routing information? Can I nat / publish my DMZ on both ISP's? If so how?

Then to further the issue how do I accomplish the above and setup Loadbalancing on a second asa 5520?

I do not expect any one to have the "answer" but any direction is appreciated..

Thanks

 

[NetworkGhost]

With different ISPs it may be hard to get this done. You will have to ask them if they will support it. They probably will not support advertising an address space they do not own.

So by internet failover, do you mean for incoming connections or outbound connections?

http://www.wr-mem.com

 

[brianinms]

With 2 connections and 2 ASA's you would be best served with multiple contexts on each appliance and doing active/active failover.

 

[jasondvox]

outgoing is easy What the "powers that be" want is I guess i could call it a multi-homed DMZ.

Simply if one ISP goes down we want to have a presence on the other ISP with our DMZ and VPN access and also all the while have a presence simultaniously.

 

[brianinms]

Running 2 ASA's with multiple contexts would allow what you are looking for. Essentially ASA1 would be primary for ISP1, and standby for ISP2 .... ASA2 would be standby for ISP1 and primary for ISP2.

 

[jasondvox]

I read briefly about the contextual firewalls. To be honest I am alittle intimidated about it. Mainly from an operational and administrative stand point.

But an answer is answer. Can any one point towards a good document to put this implementation in perspective? with the dual homed dual active active ASA's I am having a hard time imagineing the routing.....and Publishing my DMZ on both ISP's

Or Should I just call cisco smartnet, act dumb and tell them to do it?

 

[NetworkGhost]

You said it, VPN. Not compatible with multicontext mode. Are you using the ASAs for VPN termination?

What is the goal with the DMZ? To be able to let external users access it if one of your ISPs go down?

This will not work if so. This redundancy has to be built in the network cloud and with 2 sep ISPs this aint going to happen. You may want to go with one ISP and for redundancy get different termination points if available. This would allow for routing redundancy.

http://www.wr-mem.com

 

[brianinms]

Good Catch on VPN NetworkGhost, I must have overlooked it in the previous post.

 

[jasondvox]

Yes we are using the ASA's for VPN end points. It seems that Cisco is not making the 3000 series concentrators. Our concentrator "poped" recently. So the answer is /are ASA's with the k9/vpn bundle.