twinstatevdv

asked on

Cisco ASA 5505 with WAN Failover

I will be setting up a Cisco ASA 5505 (with Security Plus license) to handle two ISP connections: one active and the other standby for failover. I have found examples on how to do this (this one is great: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml) but they are using software version 7.x. I have also found Cisco official configuration examples using software version 8.x (see: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml) but they require the use of two ASA units where I will only be using one.

I need to know how I am going to do this with software version 8.x with one device, but I am having trouble finding proper documentation or examples. Anyone?
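The single-device, active/standby dual-ISP setup the question describes, written out as an added example configuration (not from this thread or from the Cisco documents linked above). It uses the static-route tracking feature in pre-8.3 ASA syntax and assumed placeholder addressing: ISP1 gateway 203.0.113.1 on VLAN 2 (outside) and ISP2 gateway 198.51.100.1 on VLAN 3 (backup).

```cisco
! Assumed addressing (placeholders, not from the thread):
! ISP1 gateway 203.0.113.1 on outside, ISP2 gateway 198.51.100.1 on backup
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! Probe ISP1 every 10 s with 3 ICMP echoes; track 1 goes down when they fail
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! Primary default route (metric 1) is withdrawn while track 1 is down;
! the floating default route via ISP2 (metric 254) then takes over
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Pre-8.3 NAT: inside hosts are PATed behind whichever egress is active
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Verification: "show track 1" should report reachability Up and
! "show route" should list the outside default route while ISP1 is healthy
```

If the ISP's gateway stays pingable while the ISP's upstream is down, the route never flips; probe a dependable address beyond the gateway instead, and confirm that the probe target is not being dropped by the ISP before trusting the failover. This syntax applies to 8.0 through 8.2; 8.3 and later use object NAT for the last three lines.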
ASKER CERTIFIED SOLUTION
kevinhsieh
That is, your public IP addresses will change and inbound connections will fail unless they get directed to the new addresses. Inbound mail is easy because you can just add MX records to DNS.
For other connections, a service like DNS Made Easy can monitor your servers and change the A records in DNS to point to the new ISP when appropriate, and then change them back to the original ISP when it comes back up. I use them and it works very well, especially for the price. Otherwise you need a global load balancer.
twinstatevdv

ASKER

Thank you very much for the valuable input. I was supposed to be installing the equipment today but it got delayed until next week, for which I am glad, so I can mull over your comments.

I do have a related question. I will be setting up SSL VPN on this firewall as well and wonder if I have to make any special accommodations during the setup because of the two links. For example, if the main link goes down and the standby becomes active, will users be able to VPN to the standby IP address?

If I am lucky I don't have to do anything beyond telling them start their vpn connections using a different IP address; I could even use the DNS tool you mentioned to redirect vpn.acme.com to the alternate IP. Lemme know.
What I have is a regular router for my main ISP. My secondary ISP is Comcast and that router does NAT. If you use DNS Made Easy then users can just use the URL vpn.company.com and they will get the correct IP address.
I am finally working with the customer and things got more complicated. They don't use 1 ISP as primary and the other as standby. They currently have 2 separate firewalls (PIX 501 and 506) and internally their servers use one as a gateway and the user population uses the other as a gateway. That is to say, one internet connection is only for specific traffic designated for the servers and the other is for public internet access.

Currently those two firewalls have different IP addresses (let's say 10.0.0.1 and 10.0.0.254) which makes routing easy: just specify one gateway or the other on the machine based on your need. How do I accomplish this with one ASA5505?

Can I assign multiple internal IPs (the same as above) to the ASA 5505 (either to the same interface or to separate ones) or can I only use one?

If I can only use one, how do I tell certain requests for internet access to go out one ISP or the other? Can I do that based on the source IP?

Help!!!!