full redundant wan design, Multiple ISP with failover in asa

Are you setting up some routing between ISP1 router and ISP2 router?

Presumably the reason you are using two routers versus a single router with both ISP's terminating on it is to cover the router failure.

The failover portion of the ASA is to use a VirtualIP which the LAN systems will use as the default gateway.

Do you own your own IPs or is ISP1 providing theirs while ISP2 provides you with theirs?

When using active/standby on ASA's you want the interfaces to be able to ping each other basically for keepalives to work correctly and for the ASA failover to know the status of the interfaces.  So if the 2960's in the drawing are going to have vlans, then configuring trunking between them and place the ASA interfaces on the inside on the same vlan on both ASA.  Same with the outside interface.

But your drawing the way you have it fully meshed to the ASA isn't really going to work.  The 5520 isn't going to support that I think.  It would be something like:

inside2960sw1 <> ASA1 <> outside2960sw2
   |                                                 |
inside2960sw2 <> ASA2 <> outside2960sw2

Thanks for the response...

ISP1 and ISP2 will provide /30 ip address on the outside interface of the router and i am planning to use /28 public IP's between the firewall outside and the router inside. I also think we have to use the HSRP on the router at the inside part.

lets say
ON R1
========
interface g 0/1
ip address xx.xx.66.1 /28
standby 1 ip xx.xx.61.5
standby 1 priority 100
standby 1 preempt
standby 1 track g0/1 75 (outside interface)

ON R1
========
interface g 0/1
ip address xx.xx.66.2 /28
standby 1 ip xx.xx.61.5
standby 1 priority 75
standby 1 track g0/1 50 (outside interface)

so on the ASA default gateway will be the xx.xx.61.5 that is the VIP of the HSRP and it will track the active link if that link goes down then all the traffic will be forwarded to the backup link.

yes arnold you are right....the reason to use two router for device redundancy and full mesh is for path redundancy...

Gavving the full mesh topology is for path redundancy......lets say if the switch 1 goes down then from firewall there will be no path to the active link i.e. lets say 15 MB and backup link is only 4MB...

Gavving i agree with ur design but what if the switch between Router 1 and ASA1 is down as we dont have any other link between them. outside interfaces of firewall and inside interfaces of routers are in the same vlan.

Sure there will be one link between the ASA1 and ASA2 for the failover and it will be through the switch in one seprate vlan say vlan20 for failover messages and stateful link

if the full mesh design has any problem then the below deisgn will be fine...please sugest the guys.....
but i dont understand how the link between two router will be configure. my plan is to use only static routing as no load sharing  in the network ..traffic will go to active router if that ISP connection is down then it will go to backup router...

--inside--|ASAp|--outsidevlan--|SWITCH|--outsidevlan--|2900p|--WAN
                    |                                       |                                            |
             failover                        outsidevlan                        inter router link
                    |                                       |                                            |
--inside--|ASAb|--outsidevlan--|SWITCH|--outsidevlan--|2900b|--WAN

waiting for you replies and pls let me know if i am not correct at any point......

Thanks

suppose if we want to use the same design but  enhance the full mesh with the following configuration
Redundant interface concept on the firewall and as switches are 2960-S so that I can stack them (SW1&2) as one stack and SW 3&4 as another stack. so that both the switches will appear as one virtual switch and i can configure ether-channel on it for ASA and router ports

On ASA1
On ASA will it be possible to use the redundant interface concept. so that I can combine two physical interfaces in one logical interface  and then configure the IP address on it. on the switch side I can do the ether channel .
ex:-
ASA1 (outside interface)
redundant interface 1 (E0,E1)----connecting on switch 1 gi1/0/1 and switch 2 gi1/0/1
redundant interface 1 (E2,E2)---- connecting on switch 1 gi1/0/2 and switch 2 gi1/0/2

interface redundant 0
member-interface e0
member-interface e1
ip address xx.xx.61.3 255.255.255.x
nameif outside
security-level 0
no shutdown

On switch 1 and switch 2, we can create the vlan 10 (for instance) and put gi1/0/1, gi2/0/1 of sw1 and sw2 in vlan 10

SW1&2 as one stack
interface gi 1/0/1,gi2/0/1
switch mode access
switch mode vlan 10
channel-group 1 mode on

interface gi 1/0/2,gi2/0/2
switch mode access
switch mode vlan 10
channel-group 2 mode on

ASA1 (inside interface)
redundant interface 1 (E2,E3)----connecting on switch 3 gi0/1 and switch 3 gi0/1
redundant interface 1 (E2,E3)---- connecting on switch 4 gi0/2 and switch 4 gi0/2


interface redundant 1
member-interface e0
member-interface e1
ip address 10.xx.xx.3 255.255.255.x
nameif inside
security-level 100
no shutdown

On switch 1 and switch 2, we can create the vlan 20 (for instance) and put gi0/1,gi0/2 of sw3 and sw4 in vlan 20

SW 3&4 as one stack
interface gi 1/0/1,gi2/0/1
switch mode access
switch mode vlan 10
channel-group 1 mode on

interface gi 1/0/2,gi2/0/2
switch mode access
switch mode vlan 10
channel-group 2 mode on

Router  to Switch side
interface Port-channel1
ip address xx.xx.61.1 255.255.255.x
!
interface GigaEthernet0/0
duplex full
speed 100
channel-group 1
!
interface GigaEthernet0/1
duplex full
speed 100
channel-group 1

Next, the switch configuration:
interface Port-Channel1
switchport
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/1
 switchport access vlan 10
switchport mode access
channel-group 1 mode on
!
interface FastEthernet0/2
 switchport access vlan 10
switchport mode access
channel-group 1 mode on

 Pls comment.....what you guys think for it.....which one will be better.......

waiting for the response

BGP peering and failover is not being mentioned for ISP failover.  That's what I'd recommend be used.   You'd have to get an AS number, and get BGP peering agreements with your ISPs.  Then you get assigned IP blocks from both ISPs and have both of them advertise each others IP blocks.  If one ISP goes down the other will still route the IP block from the other ISP.  

Is that what you plan to do?

I've implemented VSS6509s and fully redundant Internet connections previously.  Later today I'll try to throw together a diagram and sample configs.

Thanks for the reply Gravving and arnold.....

I did not plan to implement the BGP in the network as there is not plan for load sharing....i am aware that BGP is used if the load sharing is required. if i want to send some network form one ISP and other network form other ISP and vice versa.....

I am aware that we need to purchase the AS no and pool of IP if we need to implement the BGP in the network.....

As gravving recommend to implement BGP but how the connection will be lets say ISP1 will connect on R1 and ISP2 will connect on R2 and IP address will be provided by ISP's and we will do the BGP neighbor relationship as they will provide the peer IP address..

So will it result Auto Fall back/failover if one ISP down and no need of HSRP in it. Am i right.

Gravving you mention failover  and u mean to this is for internet  not the ASA failover. Isn't it ?

Gavving it will be great if u put the solutions what u have implemented.....

Arnold i did not get what u want to say in this statement "What or how you envision the transition/convergence?" please give a bit explanation....

waiting for the reply.....

Thanks.....

l

You have to use OSPF at least between R1 and R2 to handle the convergence in the event of ISP1 or ISP2 connection going down.
Since you have ISP provided IP, you would have to use DNS to load-balance/distribute how incoming requests will be handled, but that is neither here nor there.

each router will advertise to the other a lower preference/higher weight route for 0.0.0.0/0
Such that if a packet lands on the route the preferred path will be out the ISP to which the Router is directly connected, in the event the ISP connection is down, and the packet still lands on the router for the ISP, the path will converge and the packet will be routed to the other router and out via the second ISP.

The ASA is too far away to determine the path out to the Internet as well as the two Untrust interfaces will likely have equal weight because of the same issue.

Thanks for the reply arnold.....
i got it, for sure two ISP will provide their own DNS and gateway and if the connection switch due to link or conneciton failure then it shd get change.....

can u pls post a sample config .........that will be great.......if u find some time for it..............

Thanks......

will wait for ur reply

Bundle of Thanks Gavving for the diagram and the configs........scenario is almost clear to me now....

I was already done the VSS part but with ur config it mada me more clear......but i will be thankful i you put shed some light on the following points regarding BGP...

1)External routers are configured with HSRP to allow failover of the router.......
In the hsrp config you are tracking object 2 but it does not have any config....i assume i need to track the default gateway  or BGP peer of R1 and if it goes down the R2 should become active. Am i right ?

2)I will take the AS no from the ISP lets say xxx2 and i will do the ebgp peering with ISP1 and ISP2 and will advertise the subnet/network between firewalls-routers ex: x.x.61.0 in bgp.  
What will be the use of iBGP in this secnario ? >>as u said it will be  use for network traffic on a regular basis........please correct me if i am wrong
Lets say internet traffic is coming from the firewall and it will hit the Active HSRP router and it will forward the traffic to related ISP (EX ISP1) but active router will have two routes to forward the traffic one is through eBGP and another is through iBGP...so eBGP route will be preferred and when the ISP1 link goes down it will have route through iBGP but HSRP will make the R2 as active so all the traffic will flow through it.

3)you have advertise  13.22.220 network in bgp but this has no relation with ISP networks or ROuter to firewall networks..........I guess these are some public network behind the VSS as u are pointing one static route for this network to 11.123.123.2 i.e. outside of ASA 1. so i think that network can be DMZ or behind inside network.

4)what the HSRP shd track the outside interface of the router or the default gateway or eBGP peer of the ISP1 and ISP2 on each router (R1 and R2)

5)can you advise what subnet IP block need to purchase for the ASA-routers network as some static nat's will be done here in addition to PAT. Am i right that VPN tunnels shd be installed on ASA not on routers....

6) use of prefix list is just to send networks 11.x.x.x. and 13.x.x.x. to the ISP1 and ISP2...

Thanks for your time......gavving...
please answer the above points.....

Thanks.....

The 13.22.22.0/24 subnet I threw in there to show how you would configure an additional IP subnet.  When you sign up with 2 ISPs you can get multiple IP subnets, hopefully at least a /24 from both.  That way you have 2 /24s, but you only need to use one of them for the transport network IPs on the external side of the firewalls.  So the other one can be routed directly to the ASA external interface and you can NAT into it to use it.

1) The tracked objects are used in 2 places.  Track 1 is used in for the static route for the 13.22.22.0/24 subnet static route.  So that static route goes away in the event that the inside facing g0/0/1 interface goes down, and thus that router stops advertising it via BGP.  Track 2 is used to monitor the status of g0/0/0 and to cause the HSRP active router to flip to the ISP2-router in the event that the uplink to ISP1 goes down on g0/0/0.

2) What will happen with it configured like this is that ISP1-router will see full routes to the internet out both paths, and yes it will have 2 routes present for each subnet in the internet route table.  BGP will choose which route to use based upon AS-path distance, thus the 'closest' path is chosen.  If your destination happens to be 'closer' when going through ISP2, then the traffic will flow from ISP1-router thru the iBGP peer link on g0/0/2 to ISP2-router, then out to ISP2.  When you do a 'show ip route' on the routers you'll see an intermixing of routes going out the ISP connected to the router, and out the g0/0/2 interface to the other router.    How well they are balanced is dependent upon the peering quality of the ISPs.  Also you can adjust this somewhat with BGP options.

3) See comment at top on purpose of the 13.22.22.0/24 network.    It could be a DMZ network, or it could be just more IPs that you NAT into on the ASA.

4) see comment #1 on purpose of tracking.

5) For BGP you must advertise a /24, nothing smaller is allowed.  Yes VPN tunnels should be terminated on the ASA.  

6) Whenever your doing BGP peering with externally connected networks (i.e. the Internet) you should filter your outbound routes so that you only advertise what you want.  If you dont use the prefix lists, then when you get BGP peering with both ISPs working your routers will advertise the Internet route table from ISP1 to ISP2 and you're network will be seen as a route to the whole internet.  This is _bad_.  ISPs should have upstream filtering that stops you from taking down the Internet, but it's not a good idea to depend upon them.  Once you have a BGP link to the Internet, your now part of the Internet routing community and should act responsibly and knowledgeably about the connection.

Thanks for the reply..........

i understood the scenario and can implement with the required changes and enhancements.....but i discussed it with my client IT guy so he was asking just the users need to use the internet as its a 20+ floor building.....there are no sites attached ot it ...or hardly 1 or 2 VPN. So is it a good practice just for the use of internet to users we will implement BGP...

Will it not be done through HSRP with IP SLA route tracking....

            
ip sla monitor 2
 type echo protocol ipIcmpEcho x.1.31.3 (default gateway of ISP1 or peer IP )
 frequency 5
ip sla monitor schedule 2 start-time now
!
track 10 rtr 2
!
interface FastEthernet0/0
 ip address x.1.61.x 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 150.1.61.1
 standby 1 preempt
 standby 1 track FastEthernet1/0
standby 1 track 10 decrement 50
   

On R2
=======
interface FastEthernet0/0
 ip address x.x.61.2 255.255.255.0
 speed auto
 full-duplex
 standby 1 ip 150.1.61.1
 standby 1 priority 95
 standby 1 preempt
 standby 1 track FastEthernet1/0
end


ASA will be Pointed to the virutal IP of the HSRP.............if the Public IP address are the problem on ASA-Router network then any private subnet can be used and natting can be done on the Router and couple of VPNS>.........

please advice....

waiting for reply......


Thanks.....

The Information that I provided was detailed and helped the member understand his options and methods that could be used to accomplish the original intent of the question that was asked.  It is a tried and true solution that many companies have implemented.  If additional information or questions are present, then this question should be closed and points awarded accordingly.   Thanks.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/failover.html