Solved

Cisco ASA 5505 with WAN Failover

Posted on 2012-09-11
Last Modified: 2012-10-16
I will be setting up a Cisco ASA 5505 (with Security Plus license) to handle two ISP connections: one active and the other standby for failover. I have found examples on how to do this (this one is great: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml), but they are using software version 7.x. I have also found Cisco official configuration examples using software version 8.x (see: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml), but they require the use of two ASA units where I will only be using one.

I need to know how I am going to do this with software version 8.x with one device but I am having trouble finding proper documentation or examples.  Anyone?
0
Question by:twinstatevdv
6 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 1500 total points
ID: 38390703
Your first link looks correct. Many of the guides haven't been updated for 8.x, which is okay because much of the syntax hasn't changed. I use multiple ISP with tracking to handle ISP failover. It works great because even though I may have a BGP route from my ISP, they may not have good connectivity to the Internet. The second link you found is for clustering two ASA, which is different than having multiple ISP. Note that having multiple ISP will allow you to maintain outbound connectivity; when you fail over, your public IP addresses will change.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38390729
That is, your public IP addresses will change and inbound connections will fail unless they get directed to the new addresses. Inbound mail is easy because you can just add MX records to DNS.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38390746
For other connections, a service like DNS Made Easy can monitor your servers and change the A records in DNS to point to the new ISP when appropriate, and then change them back to the original ISP when it comes back up. I use them and it works very well, especially for the price. Otherwise you need a global load balancer.
0
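The single-ASA "multiple ISP with tracking" setup described in the accepted answer, sketched as an added configuration example (it is not from the thread or from the linked Cisco documents). Interface names, VLAN and SLA/track numbers, and all addresses are placeholder assumptions; the probe target stands for any stable host beyond the primary ISP's gateway.

```cisco
! Constructed example: all addresses are documentation placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Vlan3
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! Probe a host beyond the primary ISP's gateway, through the outside
! interface, so an upstream outage also fails the track.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route stays installed only while track 1 is up;
! the backup route (metric 254) takes over when it is withdrawn.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Dynamic PAT on both uplinks, 8.0-8.2 syntax:
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! 8.3 and later use object NAT instead:
!  object network INSIDE-VIA-OUTSIDE
!   subnet 192.168.1.0 255.255.255.0
!   nat (inside,outside) dynamic interface
!  (repeat with a second object for "(inside,backup)")
!
! Verify with: show track 1 / show sla monitor operational-state / show route
```

Any access lists, VPN listeners or management access bound to `outside` need an equivalent entry on `backup`, otherwise the policy in force after a failover differs from the one that was reviewed.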
 

Author Comment

by:twinstatevdv
ID: 38392058
Thank you very much for the valuable input. I was supposed to be installing the equipment today but it got delayed until next week, for which I am glad so I can mull over your comments.

I do have a related question. I will be setting up SSL VPN on this firewall as well and wonder if I have to make any special accommodations during the setup because of the two links. For example, if the main link goes down and the standby becomes active, will users be able to VPN to the standby IP address?

If I am lucky I don't have to do anything beyond telling them to start their VPN connections using a different IP address; I could even use the DNS tool you mentioned to redirect vpn.acme.com to the alternate IP. Lemme know.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38392179
What I have is a regular router for my main ISP. My secondary ISP is Comcast and that router does NAT. If you use DNS Made Easy then users can just use the URL vpn.company.com and they will get the correct IP address.
0
 

Author Comment

by:twinstatevdv
ID: 38414077
I am finally working with the customer and things got more complicated. They don't use 1 ISP as primary and the other as standby. They currently have 2 separate firewalls (PIX 501 and 506) and internally their servers use one as a gateway and the user population uses the other as a gateway. That is to say, one internet connection is only for specific traffic designated for the servers and the other is for public internet access.

Currently those two firewalls have different IP addresses (let's say 10.0.0.1 and 10.0.0.254) which makes routing easy: just specify one gateway or the other on the machine based on your need. How do I accomplish this with one ASA 5505?

Can I assign multiple internal IPs (the same as above) to the ASA 5505 (either to the same interface or to separate ones) or can I only use one?

If I can only use one, how do I tell certain requests for internet access to go out one ISP or the other? Can I do that based on the source IP?

Help!!!!
0
