Routing Web Traffic with Dual ISP and Firewalls

Posted on 2013-01-08
Last Modified: 2016-11-23
Good Afternoon All

We have added a 2nd network (on another floor) to our network and added another ISP and firewall for redundancy and to be the primary ISP for this new floor. We have several web apps that are accessible from outside and would like to add a second A record for each that points to this new ISP connection. The web servers will be staying on the original floor, but we need to route traffic that comes through the new ISP over the network to the original DMZ. I got the routing right because I can ping the web server from the new firewall, but packets are being dropped due to ACLs. The ACLs are the same on both firewalls, so not sure where the issue is at this point. I am thinking it may be easier to just route the traffic right from the new firewall to the DMZ switch and bypass the need to route through 2 firewalls, but something tells me that just is the right way.

We are using 2 ASA 5510s and 2 Dell PowerConnect 6224s as our gateways for each floor.

Any advice or thoughts?

Thanks
Ed
 
DMZ-Routing-with-Dual-Entry-Poin.pdf
Question by:flagshipcredit
Accepted Solution

by:
agonza07 earned 500 total points
ID: 38756638
The dropped packets probably have to do with your routing.

Here's the thing: your web server is configured with one default gateway, most likely ASA1.

So when a web client (let's say IP 1.1.1.1) comes in through ISP2/ASA2, the return traffic is going through ASA1/ISP1. This causes the web client to be talking to your ISP2 IP address but getting return traffic from your ISP1 IP address.

In order to get this working correctly you have to do some PBR (policy-based routing) to identify where the traffic is coming from and send it back out the same way.

Honestly though, the way I would set it up is to create an Active/Active configuration on your ASAs and put both ISPs on both ASAs. Then follow the document below to help you configure the dual-ISP setup.

http://docwiki.cisco.com/wiki/Terminating_two_ISP's_on_ASA/PIX

Keep in mind that if one ISP goes down, that A record will still exist and will not fail over to your second ISP. For a fully redundant solution you need BGP set up or a FatPipe on the Internet.
Dual-ISP-with-ASA.pdf
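As an added illustration of the asymmetric-routing problem described in the accepted solution (not code from the original thread), here is a small Python model: two stateful firewalls, a web server with a single default gateway, and a reply path that either follows that gateway or, with PBR, goes back out the firewall the request entered. The addresses (1.1.1.1 for the client, 10.0.1.10 for the server) are constructed, and the firewall is simplified to a "SYN creates a session, no session means drop" rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int
    dport: int
    syn: bool = False

def flow_key(pkt):
    # Direction-independent key so a reply matches the session its request opened.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

class StatefulFirewall:
    """Simplified stateful firewall: an inbound SYN to 443 (permitted by ACL)
    creates a session; an outbound packet with no session is dropped."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self.dropped = []

    def inbound(self, pkt):   # Internet -> inside
        if pkt.syn and pkt.dport == 443:
            self.sessions.add(flow_key(pkt))
            return True
        return flow_key(pkt) in self.sessions

    def outbound(self, pkt):  # inside -> Internet
        if flow_key(pkt) in self.sessions:
            return True
        self.dropped.append(pkt)
        return False

def simulate(use_pbr):
    asa1, asa2 = StatefulFirewall("ASA1"), StatefulFirewall("ASA2")
    server = "10.0.1.10"     # constructed DMZ address of the web server
    ingress_by_flow = {}     # what PBR needs: remember which ASA a flow entered

    # Constructed client 1.1.1.1 reaches the new ISP, so its SYN enters via ASA2.
    syn = Packet("1.1.1.1", server, 40000, 443, syn=True)
    asa2.inbound(syn)
    ingress_by_flow[flow_key(syn)] = asa2

    # The reply follows the server's single default gateway (ASA1) unless PBR
    # sends it back out the firewall the request arrived on.
    reply = Packet(server, "1.1.1.1", 443, 40000)
    egress = ingress_by_flow[flow_key(reply)] if use_pbr else asa1
    forwarded = egress.outbound(reply)
    return {"egress": egress.name, "forwarded": forwarded,
            "dropped_by_asa1": len(asa1.dropped)}
```

Without PBR the SYN-ACK reaches ASA1, which has never seen the flow and drops it; with PBR the reply leaves through ASA2, whose session table matches it.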

Author Comment

by:flagshipcredit
ID: 38756762
Thanks for your comments. Is this something we would set up and configure, or is it at the ISP level?

Author Comment

by:flagshipcredit
ID: 38756768
The BGP part?
Expert Comment

by:agonza07
ID: 38756777
Configure what? The Active/Active ASA config can be done on your end as long as you administer the firewalls and run a network cable between the floors.

The BGP setup would have to be coordinated with your ISP. The FatPipe solution you can set up on your own.

Author Comment

by:flagshipcredit
ID: 38756803
Got it, thanks. I will look into BGP with our ISPs.

Thanks.

Author Comment

by:flagshipcredit
ID: 38756827
Sorry, one last question: we would still have to do the Active/Active with BGP, right? Sorry for the dumb question; I haven't had to deal with this type of setup before.
Expert Comment

by:agonza07
ID: 38756837
I would, but you don't need to. The Active/Active helps out in case one of the ASAs goes out on you. I think the 5510s are single power supply models, so if the power supply goes out on one of them, the other picks up the load seamlessly.

The only reason I brought up the Active/Active config is because you already have both ASAs. If you wanted to, you can just have one running and keep the other as a spare...

Author Comment

by:flagshipcredit
ID: 38756876
I am using OSPF to redirect traffic if one of them goes down.

Thanks for all your help.
Expert Comment

by:agonza07
ID: 38756905
OSPF will work internally, but not externally. However, the browser will try other A records if one fails... this guy has a good write-up on what happens. So I guess you don't really need BGP if all you are serving up is web pages.... but worth considering if you are hosting a large server farm or a website where no form of latency is required.

http://webmasters.stackexchange.com/questions/10927/using-multiple-a-records-for-my-domain-do-web-browsers-ever-try-more-than-one

Yes, most browsers from the last 5-10 years will try the other A records if one fails to respond. This is sometimes called "browser retry" or "client retry" apparently. You'll pretty much only find stuff about it in the context of the various browser exploits which this feature enables against sites not using it (see DNS rebinding and DNS pinning, anti-DNS pinning, anti-anti-DNS pinning, anti-anti-anti-DNS pinning, and so on). Kind of a bad reputation, but it does prove it exists.

Pretty much every browser does indeed receive the full list of A records, and does indeed check others if the one it is using fails. You can expect each client to have a 30 second wait when they first try to access a site when a server is down, until it connects to a working address. The browser will then cache which address is working and continue using that one for future requests unless it also fails, then it will have to search through the list again. So a 30 second wait on the first request, fine thereafter.

But it isn't something you necessarily want to use; it's going to have lots of caveats about browser compatibility, OS compatibility, proxy compatibility, cache-control headers are going to have weird effects on whether it remembers which IPs are down or starts having that 30 second wait on every request, people writing custom clients for your site are going to end up using gethostbyname instead of getaddrinfo and not be able to handle the failover, all sorts of potential problems.

You also can't rely on multiple A records to allow for "master" and "slave" servers, because you'll never know which address a browser is going to pick out of the list. They all need to be just as capable of handling visitors if running, because any one might get traffic if it's up. A browser might think your third server out of the list is the most appealing, maybe it looks the closest, and it will choose that one even though all three are still up.

But if you can live with the limitations and have a reasonably simple HTTP system that you can predict the browser interaction with, it will work.

Oh, you'll also have to deal with a lot of people telling you this doesn't exist (since that was true 15 years ago). But you can try telnetting to an A record with some dead IPs in it and some good ones if you need to prove it (yes, even good old telnet now uses getaddrinfo and handles multiple A records gracefully these days) -- it will print out a nice list of the IPs it's trying until it finally succeeds.
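The quoted post's point about getaddrinfo versus gethostbyname, as an added example that is not part of the original thread: a Python client that resolves every A record and tries each address with a bounded timeout until one answers, plus an offline demonstration that lists a deliberately refused loopback port ahead of a live listener (constructed setup, no real DNS involved).

```python
import socket

def resolve_all(host, port):
    """Return every (ip, port) the resolver gives for host, in getaddrinfo()
    order. gethostbyname() hands back one address and hides the rest, which
    is the failover gap the quoted post warns about."""
    seen, addrs = set(), []
    for _fam, _type, _proto, _name, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            addrs.append((sockaddr[0], port))
    return addrs

def connect_first_available(candidates, timeout=2.0):
    """Try each (ip, port) in turn with a bounded timeout ("client retry").
    Returns (socket, address_used, failures); raises OSError if all fail."""
    failures = []
    for addr in candidates:
        try:
            return socket.create_connection(addr, timeout=timeout), addr, failures
        except OSError as exc:       # covers socket.timeout and ECONNREFUSED
            failures.append((addr, type(exc).__name__))
    raise OSError(f"no reachable address: {failures}")

def demo_local_failover():
    """Constructed offline demo: a 'dead' address (a loopback port we bind
    and release, so connects are refused) listed ahead of a live listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    live = listener.getsockname()
    dead_sock = socket.socket()
    dead_sock.bind(("127.0.0.1", 0))
    dead = dead_sock.getsockname()
    dead_sock.close()
    try:
        sock, chosen, failures = connect_first_available([dead, live], timeout=1.0)
        sock.close()
        return {"chosen_live": chosen == live,
                "skipped_dead": [a for a, _ in failures] == [dead]}
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo_local_failover())
```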

Author Comment

by:flagshipcredit
ID: 38756975
I guess that would still leave us with the issue of traffic going back out the right path???
Expert Comment

by:agonza07
ID: 38757014
If you put both ISPs into one firewall (including Active/Active config) and follow that Dual ISP wiki from Cisco you'll be set. The firewall will respond out the correct link.

Author Comment

by:flagshipcredit
ID: 38757059
What if they are separate subnets?
Expert Comment

by:agonza07
ID: 38757132
They should be separate subnets, and yeah, it'll work. Check out the wiki doc; it explains it all there.