s_coad5 (United States of America) asked:

2 ISP blocks, 2 ASA's

Hello

I currently have 2 sites each with their own ASA. We only had 1 ISP block.

We have added a new ISP block so now we have an ISP block for each site.

Each site will be configured to prefer a particular ISP block.

iBGP will be configured between the routers so that if one site fails, the other
will take over.

I am not sure how to configure the ASA interfaces. Each ASA has (4) interfaces.

interface Gi0/0 on both ASAs is in the subnet of the original ISP block.

Neither ASA has an interface configured in the new ISP block. For Nat/Pat to occur,
I need an interface on the ASAs to be in the new ISP block.

My goal: Because each ASA will be a failover for the other, I will need the ability for each ASA to Nat/Pat both ISP blocks. (My 10.x.x.x addresses will be assigned to ISP block A and my 192.168.x.x addresses will be assigned to ISP block B)

Can I configure Gi0/3 on each ASA with the new ISP block subnet address thereby having (2) outside interfaces, 1 for each ISP block?

To make sure ibgp works will I need (2) neighbor statements on each ASA such as:

router bgp 23064
no synchronization
bgp log-neighbor-changes
network 216.x.x.0 mask 255.255.255.0
network 12.x.x.x mask 255.255.255.192
neighbor 12.x.x.77 remote-as "telco as#"
neighbor 12.x.x.77 send-community
neighbor 12.x.x.77 route-map SETLP out
neighbor 216.x.x.11 remote-as "my as#"
neighbor 216.x.x.11 next-hop-self
neighbor 12.x.x.1 remote-as "My as#"
neighbor 12.x.x.1 next-hop-self
Ernie Beek (Netherlands):

You shouldn't really need an extra interface to configure the second public range on. If the new range is forwarded correctly to the ASA public address in the old range, you can just add the new public IPs to the existing interface just as you did with the first range.
s_coad5 (ASKER):

I am not sure I follow what you are saying.

It sounds like you are saying to use the new block as a secondary range on the same int?

Please advise.
That's correct. I have seen a number of cases where people get a second public range (from their ISP). There is no need then to do any extra configuring on the ASA, just use that range as you would with the primary range (statics, ACLs, etc.).
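The arrangement Ernie describes, written out for ASA 8.2 (the version the asker's sh failover output shows later) as an added example; this is not the asker's or Ernie's configuration. The public blocks, the outside addresses 216.174.182.2/.12 and the iBGP peer address 216.174.182.1 come from the thread; that .1 is the ASA's gateway, the PAT addresses .3 and .70, the server 192.168.2.10 and the 10.0.0.0/8 inside range are assumptions.

```cisco
! ASA 8.2 - added example, not the thread's own configuration.
! The outside interface keeps its address in the original block; the new
! block needs no interface of its own because the 2811s route it here.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 216.174.182.2 255.255.255.0 standby 216.174.182.12
!
! Assumed: the Site_A 2811 (216.174.182.1) is the ASA's default gateway.
route outside 0.0.0.0 0.0.0.0 216.174.182.1
!
! Policy PAT: 10.x sources leave from block A (216.174.182.0/24),
! 192.168.x sources leave from block B (12.219.220.64/26).
! The block B global is outside the interface subnet; it works because the
! routers deliver 12.219.220.64/26 to the ASA's outside address.
access-list NAT_BLOCK_A extended permit ip 10.0.0.0 255.0.0.0 any
access-list NAT_BLOCK_B extended permit ip 192.168.0.0 255.255.0.0 any
nat (inside) 1 access-list NAT_BLOCK_A
nat (inside) 2 access-list NAT_BLOCK_B
global (outside) 1 216.174.182.3
global (outside) 2 12.219.220.70
!
! A published server gets a one-to-one static from the new block, and only
! the intended port is permitted inbound on the outside interface.
static (inside,outside) 12.219.220.80 192.168.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 12.219.220.80 eq 443
access-group OUTSIDE_IN in interface outside
!
! On each 2811 (IOS, not ASA syntax): the route that hands block B to the
! ASA's active outside address, which is the forwarding Ernie refers to.
ip route 12.219.220.64 255.255.255.192 216.174.182.2
```

The xlate and ACL hit counters (show xlate, show access-list OUTSIDE_IN) confirm that traffic to the new block is being translated rather than dropped at the outside interface.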
s_coad5 (ASKER):

Since the ASA does the Nat/Pat, I was under the impression that the ASA needed an interface
in the ISP block to facilitate that. Also, my interfaces to AT&T are VLAN tagged. My data center
ISP block has a different tag than my Corporate ISP block.
You mean the interfaces on the ASAs? Could you provide some more detail?
s_coad5 (ASKER):

I have 2 sites in the same city (Site_A and Site_B).
Each has had its own ASA. 1 was primary for both sites, the other was backup for both.
SiteA_ASA-5520#
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                216.174.182.2   255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.2.1     255.255.255.0   CONFIG
GigabitEthernet0/2.182   dmz                    192.168.182.1   255.255.255.0   CONFIG
GigabitEthernet0/3       Heartbeat              192.168.86.1    255.255.255.0   unset
Management0/0            management             192.168.20.84   255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                216.174.182.2   255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.2.1     255.255.255.0   CONFIG
GigabitEthernet0/2.182   dmz                    192.168.182.1   255.255.255.0   CONFIG
GigabitEthernet0/3       Heartbeat              192.168.86.1    255.255.255.0   unset
Management0/0            management             192.168.20.84   255.255.255.0   CONFIG

Originally, only the primary Site_A had an ISP block @ 10 Meg
Now Site_B has an ISP block of 25 Meg

The routing for original ISP block is on 2811 @ site_A
The routing for new ISP block is on 2811 @Site_B

The ASA and the 2811's connect to a Cisco 2960 to communicate.
I see. Do you happen to have a failover bundle?
s_coad5 (ASKER):

failover bundle?

My goal is to use the iBGP between the edge routers as failover.
s_coad5 (ASKER):

A question about default gateways.

Please see the Visio document attached.

The network as it stands today has a default gateway which is the IP address of the Site_B
ASA. I have outlined the devices in red that have this gateway as well as the EIGRP statements. The new Internet link, Site_B, is in blue to differentiate how the network is going to change.

What I want to know is will I need to change the default gateways in order to complete this transformation of preferring the new link over the old link for particular ISP block?
Attachment: Current-Corporate-topology-with-.vsd
I somehow missed your previous post, so let me get back to that first.

Looking at the interfaces of the ASAs you can see that they both have the same IPs. You also have a heartbeat interface. That would indicate the ASAs are a failover bundle. If that is the case, you can only run them active/passive, not active/active. You can check this by issuing a sh ver and sh fail. Just to make sure you don't need another license.

I'll check your Visio later on and get back.
s_coad5 (ASKER):

Another license?

Instead of having failover, would it be ok to change the failover IP to an address in the new block?

If so, would making the iBGP neighbor statements work off both ISP blocks
Site_A
neighbor 216.174.182.11 remote-as 23064
neighbor 12.219.220.65 remote-as 23064
Site_B
neighbor 216.174.182.11 remote-as 23064
neighbor 12.219.220.66 remote-as 23064
s_coad5 (ASKER):

Sorry

Site_B
neighbor 216.174.182.1 remote-as 23064
neighbor 12.219.220.66 remote-as 23064
Wait. We're talking about two different things here. I don't mean failover in terms of routing but failover as a feature in Cisco ASAs.
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp205230

Just to give you an idea of a failover pair.
s_coad5 (ASKER):

Hmm

VLAN 86 is used for the "heartbeat" between the ASAs. If the Site_B ASA fails, then the Site_A ASA will take over.

I am trying to make sure that if either ASA fails, then both ISP blocks will be advertised out the remaining ASA. When the failed ASA comes back up, then they return to their normal operation.
s_coad5 (ASKER):

Also, will both 2811 edge routers need to have an ACL for each ISP block?

access-list 1 permit 216.174.182.0 0.0.0.255
access-list 2 permit 12.219.220.64 0.0.0.63
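An added example (not from the thread or its certified solution) of how the two 2811s could use the per-block standard ACLs above: each router originates both blocks, advertises its own block untouched and the other site's block with AS-path prepends, and carries an iBGP session to the other router. The Internet then prefers each block's own uplink, and when one uplink or router fails the remaining site still advertises both blocks. Shown for the Site_A 2811; the Site_B 2811 mirrors it with the prepend applied to BLOCK_A instead. AS 23064, both blocks, the ASA outside address 216.174.182.2 and the Site_B router 216.174.182.11 are from the thread; the ISP peer 203.0.113.1 and ISP AS 65001 are placeholders.

```cisco
! Site_A 2811 (IOS) - added example, not the thread's own configuration.
ip access-list standard BLOCK_A
 permit 216.174.182.0 0.0.0.255
ip access-list standard BLOCK_B
 permit 12.219.220.64 0.0.0.63
!
! A prefix must be in the routing table before "network" originates it.
! Block A is the connected outside VLAN; block B is delivered to the ASA's
! active outside address, where the NAT for that block happens.
ip route 12.219.220.64 255.255.255.192 216.174.182.2
!
! Outbound policy toward the ISP: our own block as-is, the other site's
! block prepended three times so it is only used when Site_B's path is gone.
! Everything else (nothing should remain) is dropped by the final deny.
route-map TO_ISP_A permit 10
 match ip address BLOCK_A
route-map TO_ISP_A permit 20
 match ip address BLOCK_B
 set as-path prepend 23064 23064 23064
route-map TO_ISP_A deny 30
!
router bgp 23064
 no synchronization
 bgp log-neighbor-changes
 network 216.174.182.0 mask 255.255.255.0
 network 12.219.220.64 mask 255.255.255.192
 ! Placeholder eBGP peer and ISP AS; the route-map restricts what is sent.
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 route-map TO_ISP_A out
 ! iBGP to the Site_B 2811 on the shared outside VLAN; next-hop-self keeps
 ! the ISP-learned next hops reachable from the other site.
 neighbor 216.174.182.11 remote-as 23064
 neighbor 216.174.182.11 next-hop-self
```

On each router, show ip bgp neighbors 203.0.113.1 advertised-routes should list both blocks with the prepend visible only on the other site's block; if a block is missing, check that its route exists in show ip route first.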
ASKER CERTIFIED SOLUTION
Ernie Beek (Netherlands):

s_coad5 (ASKER):

I apologize if I seem a little slow on the uptake. I do appreciate all your input.

Based on what I sent earlier, apparently I do have a failover pair.

ASA-5520# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Heartbeat GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(3), Mate 8.2(3)
Last Failover at: 12:04:33 CST Jan 26 2012
        This host: Secondary - Standby Ready
                Active time: 15138653 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                  Interface outside (216.174.182.12): Normal
                  Interface inside (192.168.2.2): Normal
                  Interface dmz (192.168.182.2): Normal (Not-Monitored)
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 7826256 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                  Interface outside (216.174.182.2): Normal
                  Interface inside (192.168.2.1): Normal
                  Interface dmz (192.168.182.1): Normal (Not-Monitored)
                  Interface management (192.168.20.84): No Link (Waiting)
                slot 1: empty

To complete this task, do I need to disable this failover?
s_coad5 (ASKER):

Thank you for your help
Ok, this time I was a bit slow in the response but let me give you an answer on the last question.
Failover isn't something you can disable, it's embedded in the license. If I remember correctly, one firewall has a full license and the other one a failover license. To have them both act on their own you'll need a second full license. I'm not a license guru so you might want to ask Cisco about that. Maybe they have an upgrade?