2 ISP blocks, 2 ASA's

Posted on 2012-03-13
Last Modified: 2012-03-26
Hello

I currently have 2 sites each with their own ASA. We only had 1 ISP block.

We have added a new ISP block so now we have an ISP block for each site.

Each site will be configured to prefer a particular ISP block.

iBGP will be configured between the routers so that if one site fails, the other will take over.

I am not sure how to configure the ASA interfaces. Each ASA has (4) interfaces.

Interface Gi0/0 on both ASAs is in the subnet of the original ISP block.

Neither ASA has an interface configured in the new ISP block. For NAT/PAT to occur, I need an interface on the ASAs to be in the new ISP block.

My goal: Because each ASA will be a failover for the other, I will need the ability for each ASA to NAT/PAT both ISP blocks. (My 10.x.x.x addresses will be assigned to ISP block A and my 192.168.x.x addresses will be assigned to ISP block B.)

Can I configure Gi0/3 on each ASA with the new ISP block subnet address, thereby having (2) outside interfaces, 1 for each ISP block?

To make sure iBGP works, will I need (2) neighbor statements on each ASA, such as:

router bgp 23064
 no synchronization
 bgp log-neighbor-changes
 ! advertise both public blocks (the network command needs the "mask" keyword)
 network 216.x.x.0 mask 255.255.255.0
 network 12.x.x.x mask 255.255.255.192
 ! eBGP peer at the telco
 neighbor 12.x.x.77 remote-as "telco as#"
 neighbor 12.x.x.77 send-community
 neighbor 12.x.x.77 route-map SETLP out
 ! iBGP peers, one in each ISP block
 neighbor 216.x.x.11 remote-as "my as#"
 neighbor 216.x.x.11 next-hop-self
 neighbor 12.x.x.1 remote-as "My as#"
 neighbor 12.x.x.1 next-hop-self
Question by:s_coad5
Expert Comment

by:Ernie Beek
ID: 37719404
You shouldn't really need an extra interface to configure the second public range on. If the new range is forwarded correctly to the ASA public address in the old range, you can just add the new public IPs to the existing interface, just as you did with the first range.
Author Comment

by:s_coad5
ID: 37719810
I am not sure I follow what you are saying.

It sounds like you are saying to use the new block as a secondary range on the same interface?

Please advise.
Expert Comment

by:Ernie Beek
ID: 37720011
That's correct. I have seen a number of cases where people get a second public range (from their ISP). There is no need then to do any extra configuring on the ASA; just use that range as you would with the primary range (statics, ACLs, etc.).
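As an added example (not from the original thread, and not the poster's configuration) of what the comment above describes: on ASA 8.2, the version shown later in the thread's "sh failover" output, addresses from the new block can be used in static and global statements even though no ASA interface sits in that subnet, as long as the router that owns the block forwards it to the ASA's active outside address. The ASA does not support secondary IP addresses on an interface, so this is also the only way to do it without a second outside interface. The interface names, 216.174.182.2 and the 12.219.220.64/26 block come from the thread; the addresses 12.219.220.70 and 12.219.220.80, the inside host 192.168.2.10 and the ACL name outside_in are assumptions made for illustration.

```cisco
! --- Site_B 2811 (assumed to own the 12.219.220.64/26 block) ---
! Forward the whole new block to the ASA's active outside address.
! The ASA never has to ARP for these addresses; the router routes them to it.
ip route 12.219.220.64 255.255.255.192 216.174.182.2
!
! --- ASA 5520 running 8.2(3), pre-8.3 NAT syntax ---
! Outbound PAT: 192.168.x.x sources leave with an address from the NEW block,
! 10.x.x.x sources keep using the outside interface address in the ORIGINAL block.
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 12.219.220.70
nat (inside) 2 10.0.0.0 255.0.0.0
global (outside) 2 interface
!
! Inbound static from the new block to an inside host (hypothetical web server).
! In 8.2 the outside ACL matches the translated (public) address.
static (inside,outside) 12.219.220.80 192.168.2.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 12.219.220.80 eq 443
access-group outside_in in interface outside
!
! Checks after applying:
!   ASA:   show xlate | include 12.219.220.80     (static present on the active unit)
!   2811:  show ip route 12.219.220.80            (next hop must be 216.174.182.2)
```

Two points a practitioner would want to verify. First, because the ASAs are a failover pair, the active unit owns 216.174.182.2 and the standby owns 216.174.182.12, so the static route on the 2811 keeps working across a failover without any change. Second, the same static route gives the Site_B router a matching entry in its routing table, which a BGP "network 12.219.220.64 mask 255.255.255.192" statement needs before the block is advertised at all. Note that the syntax above is 8.2 only; from 8.3 onward NAT is object-based and the outside ACL references the real (inside) address instead.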
Author Comment

by:s_coad5
ID: 37720145
Since the ASA does the NAT/PAT, I was under the impression that the ASA needed an interface in the ISP block to facilitate that. Also, my interfaces to AT&T are VLAN tagged. My data center ISP block has a different tag than my Corporate ISP block.
Expert Comment

by:Ernie Beek
ID: 37720353
You mean the interfaces on the ASAs? Could you provide some more detail?
Author Comment

by:s_coad5
ID: 37721349
I have 2 sites in the same city (Site_A and Site_B).
Each has had its own ASA. 1 was primary for both sites, the other was backup for both.
SiteA_ASA-5520#
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                216.174.182.2   255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.2.1     255.255.255.0   CONFIG
GigabitEthernet0/2.182   dmz                    192.168.182.1   255.255.255.0   CONFIG
GigabitEthernet0/3       Heartbeat              192.168.86.1    255.255.255.0   unset
Management0/0            management             192.168.20.84   255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                216.174.182.2   255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.2.1     255.255.255.0   CONFIG
GigabitEthernet0/2.182   dmz                    192.168.182.1   255.255.255.0   CONFIG
GigabitEthernet0/3       Heartbeat              192.168.86.1    255.255.255.0   unset
Management0/0            management             192.168.20.84   255.255.255.0   CONFIG


Originally, only primary Site_A had an ISP block @ 10 Meg.
Now Site_B has an ISP block of 25 Meg.

The routing for the original ISP block is on the 2811 @ Site_A.
The routing for the new ISP block is on the 2811 @ Site_B.

The ASA and the 2811's connect to a Cisco 2960 to communicate.
Expert Comment

by:Ernie Beek
ID: 37723839
I see. Do you happen to have a failover bundle?
Author Comment

by:s_coad5
ID: 37724677
Failover bundle?

My goal is to use the iBGP between the edge routers as failover.
Author Comment

by:s_coad5
ID: 37729511
A question about default gateways.

Please see the Visio document attached.

The network as it stands today has a default gateway which is the IP address of the Site_B ASA. I have outlined the devices in red that have this gateway, as well as the EIGRP statements. The new Internet link, Site_B, is in blue to differentiate how the network is going to change.

What I want to know is: will I need to change the default gateways in order to complete this transformation of preferring the new link over the old link for a particular ISP block?
Current-Corporate-topology-with-.vsd
Expert Comment

by:Ernie Beek
ID: 37729808
I somehow missed your previous post, so let me get back to that first.

Looking at the interfaces of the ASAs you can see that they both have the same IPs. You also have a heartbeat interface. That would indicate the ASAs are a failover bundle. If that is the case, you can only run them active/passive, not active/active. You can check this by issuing a "sh ver" and "sh fail", just to make sure you don't need another license.

I'll check your Visio later on and get back.
Author Comment

by:s_coad5
ID: 37729861
Another license?

Instead of having failover, would it be ok to change the failover IP to an address in the new block?

If so, would making the iBGP neighbor statements work off both ISP blocks?
Site_A
neighbor 216.174.182.11 remote-as 23064
neighbor 12.219.220.65 remote-as 23064


Site_B
neighbor 216.174.182.11 remote-as 23064
neighbor 12.219.220.66 remote-as 23064
Author Comment

by:s_coad5
ID: 37729862
Sorry

Site_B
neighbor 216.174.182.1 remote-as 23064
neighbor 12.219.220.66 remote-as 23064
Expert Comment

by:Ernie Beek
ID: 37730377
Wait. We're talking about two different things here. I don't mean failover in terms of routing, but failover as a feature in Cisco ASAs.
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp205230

Just to give you an idea of a failover pair.
Author Comment

by:s_coad5
ID: 37730608
Hmm

VLAN 86 is used for the "heartbeat" between ASAs. If the Site_B ASA fails, then the Site_A ASA will take over.

I am trying to make sure that if either ASA fails, then both ISP blocks will be advertised out the remaining ASA. When the failed ASA comes back up, they return to their normal operation.
Author Comment

by:s_coad5
ID: 37730611
Also, will both 2811 edge routers need to have an ACL for each ISP block?

access-list 1 permit 216.174.182.0 0.0.0.255
access-list 2 permit 12.219.220.64 0.0.0.63
Accepted Solution

by:Ernie Beek
ID: 37732766
What I am trying to point out here is that if you do have a failover pair, only one of them will actually work at any given moment. You can't have them both active at the same time. It might be handy to check that first. That's why I keep on 'nagging' about this.
Author Comment

by:s_coad5
ID: 37733383
I apologize if I seem a little slow on the uptake. I do appreciate all your input.

Based on what I sent earlier, apparently I do have a failover pair.

ASA-5520# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Heartbeat GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(3), Mate 8.2(3)
Last Failover at: 12:04:33 CST Jan 26 2012
        This host: Secondary - Standby Ready
                Active time: 15138653 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                  Interface outside (216.174.182.12): Normal
                  Interface inside (192.168.2.2): Normal
                  Interface dmz (192.168.182.2): Normal (Not-Monitored)
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 7826256 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                  Interface outside (216.174.182.2): Normal
                  Interface inside (192.168.2.1): Normal
                  Interface dmz (192.168.182.1): Normal (Not-Monitored)
                  Interface management (192.168.20.84): No Link (Waiting)
                slot 1: empty


To complete this task, do I need to disable this failover?
Author Closing Comment

by:s_coad5
ID: 37765828
Thank you for your help.
Expert Comment

by:Ernie Beek
ID: 37766363
OK, this time I was a bit slow in the response, but let me give you an answer on the last question.
Failover isn't something you can disable; it's embedded in the license. If I remember correctly, one firewall has a full license and the other one a failover license. To have them both act on their own you'll need a second full license. I'm not a license guru, so you might want to ask Cisco about that. Maybe they have an upgrade?