How to configure Active/Active Cisco ASAs

PerimeterIT asked:

We are looking to add a level of redundancy to our front end internet connection / VPN concentrator.

Our current front end firewall is an ASA 5510. Trouble is, of course, when we take it down for maintenance or any outage occurs, we go hard down for an extended period. We have a second ASA 5510 here in the lab basically sitting idle.

What I would like to do is stack the pair and run them as active/active firewalls. (I've never been fond of active/passive and having equipment sitting there doing nothing.)

My thought was to install both and load balance VPN tunnels across them.

i.e. tunnel A goes to ASA A, tunnel B goes to ASA B, and then program them to fail over to each other.
Likewise, use ASA A to host our website and use ASA B to manage the in-house internet traffic, and again fail over to each other.

We already have OSPF in place to handle the routing updates.
Has anyone done anything similar in house?

Any best practices? Warnings? Better ideas?

John Meggers replied:

Active/active requires multi-context mode, which cannot terminate VPNs. You would have to pass encrypted traffic through and terminate the VPNs on another device on the inside.

I know this isn't really an opinion forum but regarding your comment about active / standby, I've always been fine with that. I understand the argument that, as you put it, you have equipment sitting there doing nothing, but active / standby is a much easier configuration, and every customer I've ever talked to has always said that in a failure scenario, they still wanted the same level of service as before the failure.  Which, to me, means you have to size the firewalls so if only a single one is available it can still handle the full throughput load.  The only benefit I see with active / active is increased throughput, but only if you're also willing to accept somewhat reduced service in a failure situation.  My personal opinion is active / active was a checkbox Cisco needed to be able to figure out a way to do because Juniper was already able to and without that capability they were losing deals.  My $.02....
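For reference, this is what the multiple-context active/active arrangement the answer describes looks like in the system execution space of the primary unit. It is an added illustration, not configuration posted in the thread or taken from Cisco's documentation. Interface and VLAN numbering, the addresses on the failover links, the shared key and the context names are assumptions; it also assumes both 5510s carry the Security Plus license, since the Base license on that platform supports neither failover nor multiple contexts. Lines beginning with `!` are annotation.

```text
! --- system execution space, primary unit ---
! Switch to multiple-context mode (the unit reloads and creates the admin context)
mode multiple

! Data interfaces are defined here and handed to contexts below.
! Subinterfaces let two contexts share the two remaining physical ports.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 110
interface Ethernet0/1.20
 vlan 120

! Dedicated failover (hello/config sync) and state links: keep them off the data VLANs
failover lan unit primary
failover lan interface folink Ethernet0/2
failover link stlink Ethernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip stlink 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Shared secret authenticates failover messages; must match on both units
failover key ChangeMe-SharedSecret

! Two failover groups: unit A is normally active for group 1, unit B for group 2.
! "preempt" returns a group to its preferred unit once that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! Context for staff internet access (default gateway) -> normally on unit A
context users
 allocate-interface Ethernet0/0.10 outside
 allocate-interface Ethernet0/1.10 inside
 config-url disk0:/users.cfg
 join-failover-group 1

! Context in front of the public web servers -> normally on unit B
context web
 allocate-interface Ethernet0/0.20 outside
 allocate-interface Ethernet0/1.20 dmz
 config-url disk0:/web.cfg
 join-failover-group 2

! Enable failover last, once the secondary is cabled and has its own failover lines
failover
```

On the secondary unit only the `mode multiple`, `failover lan unit secondary`, the `failover lan interface`/`failover link`/`failover interface ip`/`failover key` lines and a final `failover` are needed; the contexts and group membership replicate from the primary. Two caveats a practitioner should keep in mind. First, per the answer above, no `crypto map` or `tunnel-group` configuration can live in these contexts on the software this platform runs, so the `users` or `web` context has to permit IKE (UDP/500, UDP/4500) and ESP through to a concentrator on the inside (later ASA releases relaxed this for some VPN types; check the release notes for the exact version before relying on it). Second, after one unit fails the survivor carries both failover groups, so each 5510 still has to be sized for the full load, which is the sizing point made in the answer.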
PerimeterIT (asker) replied:

I've always been of the opinion that the two words network admins don't want to hear in the same sentence are "Load Balance", because it never works quite right...

In our company's case our C levels are pushing us to build DR into our infrastructure. But of course $ is always a problem. By building active/active it's easier to push it across the line, as you can show that you get improved performance out of the equipment rather than it just sitting there.

My take on it is instead of using both ASAs for each service, why not spoof active/active by splitting active/passive roles across both devices?

So ASA A becomes the default gateway for users and ASA B becomes the termination point for our websites. Both devices have different external IPs. Then use OSPF to fail over the routes between the devices.
As for the VPNs, has anyone gotten multi-homing to work on the ASA platform?

What I mean is if I set half our VPNs to terminate on ASA A and the other half on ASA B.

Is there a way I could program the routing so that it would fail over some or all of the tunnels to the other ASA in case of failure?
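One way to build the split active/standby design and the tunnel failover asked about above on two independent single-context units, as an added illustration rather than anything posted in the thread: ASA A originates the default route into OSPF with a low cost and ASA B with a high cost, so the inside routers follow A until its advertisement disappears; each unit defines the same site-to-site tunnel with reverse-route injection, so the branch subnet is redistributed into OSPF only by whichever unit currently holds the security association. Hostnames, addresses (RFC 5737 documentation ranges), the OSPF process and area numbers, the VLAN of the web DMZ and the branch peer are all assumptions; the IKE policy, transform-set and pre-shared-key lines, which do not affect failover behaviour and whose syntax varies by ASA release, are left out. Lines beginning with `!` are annotation.

```text
! ---- asa-a: normal default gateway for users; also terminates the branch-1 tunnel
hostname asa-a
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
router ospf 1
 router-id 10.1.1.2
 network 10.1.1.0 255.255.255.0 area 0
 log-adj-changes
! Low metric: inside routers prefer this unit as default gateway while it is up
 default-information originate metric 10 metric-type 1
! Carry the routes injected by reverse-route (below) to the inside routers
 redistribute static subnets
!
access-list BRANCH1 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.255.0
crypto map VPNMAP 10 match address BRANCH1
crypto map VPNMAP 10 set peer 198.51.100.5
! Reverse-route: 10.20.0.0/24 is in the routing table only while the SA is up,
! so OSPF withdraws it automatically when the tunnel (or this unit) dies
crypto map VPNMAP 10 set reverse-route
crypto map VPNMAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
! Dead-peer detection so a lost peer is noticed in seconds rather than at SA expiry
 isakmp keepalive threshold 10 retry 2

! ---- asa-b: normal path for the public web servers; standby default gateway
hostname asa-b
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.20 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.3 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
router ospf 1
 router-id 10.1.1.3
 network 10.1.1.0 255.255.255.0 area 0
! The web DMZ is reachable only through this unit, so it is advertised only here
 network 10.1.2.0 255.255.255.0 area 0
 log-adj-changes
! High metric: used only when asa-a's default-route advertisement is gone
 default-information originate metric 100 metric-type 1
 redistribute static subnets
!
! Same tunnel definition as asa-a so the branch can re-key here after a failure
access-list BRANCH1 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.255.0
crypto map VPNMAP 10 match address BRANCH1
crypto map VPNMAP 10 set peer 198.51.100.5
crypto map VPNMAP 10 set reverse-route
crypto map VPNMAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

For the tunnel side of this to fail over, the branch device has to list both public addresses (203.0.113.10 and 203.0.113.20) as peers for the same crypto map entry, so that when its DPD declares asa-a dead it re-keys to asa-b; reverse-route injection on asa-b then puts 10.20.0.0/24 into OSPF from the surviving unit. Two caveats apply because these are independent units rather than a failover pair: there is no connection-state replication, so every session through the failed unit drops and must be re-established, and both directions of each flow must traverse the same unit, since a stateful ASA discards TCP packets for which it holds no connection entry (the `asr-group` workaround exists only inside multiple-context active/active). Keeping the web servers' gateway on asa-b's `dmz` interface, and advertising that subnet only from asa-b, is what keeps the inbound web traffic symmetric here.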
ASKER CERTIFIED SOLUTION

John Meggers replied (accepted solution; the text of this reply is not available on this page).