Internet Failover Inbound and Outbound

Posted on 2014-01-15 | Last Modified: 2014-01-19 | Status: Solved
Hello Experts,

Please have a look at the attached diagram.

I have 2 parts, A & B. Part A already exists and is running. We are planning to add Part B as shown in the diagram.

Part A consists of an ASA 5540 and a 2921 as edge router, and Microsoft TMG as web proxy for internal users.

All other traffic is routed to the ASA. The ASA handles NAT and ACLs.

The objective of adding Part B is to have redundancy inbound and outbound. However, first I want to focus on outbound redundancy, then I will move to the inbound part.

After adding Part B, TMG will have 3 NICs. 2 NICs will be connected to the ASAs and 1 to internal.

For web proxy failover I will configure the TMG ISP-R feature. But my concern is the other traffic.

Therefore, can someone please help me with the best possible ways I can use for outbound failover?

Thanks in advance. I appreciate the help.
Attachment: design.jpg

Question by cciedreamer
16 Comments
 
Expert Comment by Craig Beck (ID: 39783868)
If you put the TMG between the ASAs like you have in the diagram your routing will change and you'll need to run dynamic protocols between your ASAs and core switch.  It'll be really messy.

The way you have it at the moment is the best you'll get with what you've got for outbound redundancy as you actively want to send all web traffic via ISP2 by default.

As was mentioned in your first question (previous thread for other experts) if you want to achieve proper inbound redundancy you'll need to implement a BGP solution.  If you use two different ISPs you'll need to purchase your own AS number and associated PI address space, then provide routing updates to each ISP.  This will probably need different routers and will definitely require a redesign of your external network.  Ultimately that will mean you will have to go with the solution I mentioned a long while back which means you have a dedicated router on each circuit.
Author Comment by cciedreamer (ID: 39785074)
Hi,

Thanks. For inbound I just came across this thread:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23443125.html

Map public IPs (ISP1 and ISP2) to the same DNS record.

But I was just wondering how the DNS request would identify that ISP1 is down and that it should go to the ISP2 IP.
Expert Comment by Craig Beck (ID: 39786266)
That's the problem - it won't.

With inbound mail it's fine as you can use MX priorities to set the preferred mail server.  If the preferred mail server is unreachable the second preference is tried.  All you would do is set one MX record to go down ISP1 link and the other to go down ISP2 link.

You can't do that with DNS though.  You can simply create multiple host (A) records for the server, using the different IPs you mapped, and let the DNS server return the results in a round-robin fashion.

This will mean clients might see 'Page cannot be displayed' if you're hosting a web server, for example, as they might be given the IP which is down.
Author Comment by cciedreamer (ID: 39788157)
Hi,

I was planning to do in this way.

- Decrease the TTL of the DNS record to 1 hour.
- Whenever our ISP1 line goes down beyond 1 hour, I will change the DNS record mapping to the ISP2 public IP.

Thanks
Expert Comment by Craig Beck (ID: 39788174)
That makes this a manual failover then, though. You want to automate this by adding all this complexity.

What will your users do for an hour while DNS records are still waiting to expire?
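The three DNS behaviours discussed in the last few comments (round-robin A records handed to clients that only try the first answer, MX-style retry of every answer, and the delay a cached TTL imposes on a manual record change) can be put to numbers. The following simulation is an added example and not code from the thread; the public addresses, TTLs, client counts and the assumption of a single authoritative server with no intermediate resolver caches are all constructed for illustration (real resolver caches make the window longer, never shorter).

```python
"""Simulation of the DNS 'failover' options discussed above.

Added example, not code from the thread.  Constructed values:
ISP1 public IP 203.0.113.10, ISP2 public IP 198.51.100.10; one
authoritative server, clients that honour the TTL, no intermediate
resolver caches.
"""

ISP1_IP = "203.0.113.10"
ISP2_IP = "198.51.100.10"


class AuthoritativeDNS:
    """Authoritative zone returning its A records in rotating order
    (round-robin, like BIND's default cyclic rrset-order)."""

    def __init__(self, records, ttl):
        self.records = list(records)
        self.ttl = ttl
        self._offset = 0

    def query(self):
        n = len(self.records)
        answers = [self.records[(self._offset + i) % n] for i in range(n)]
        self._offset = (self._offset + 1) % n
        return answers, self.ttl

    def set_records(self, records):
        """The operator repoints the name by hand (manual failover)."""
        self.records = list(records)


class CachingClient:
    """Client that caches the answer set until its TTL expires.

    try_all=False: use only the first address (a typical browser).
    try_all=True:  walk the whole list on failure (an SMTP sender
    walking MX targets, or a client that retries the next A record).
    """

    def __init__(self, dns, try_all):
        self.dns = dns
        self.try_all = try_all
        self.answers, self.expires = None, None

    def resolve(self, now):
        if self.answers is None or now >= self.expires:
            self.answers, ttl = self.dns.query()
            self.expires = now + ttl
        return self.answers

    def connect(self, now, reachable):
        """Return the address reached, or None if the attempt failed."""
        answers = self.resolve(now)
        for ip in answers if self.try_all else answers[:1]:
            if reachable(ip):
                return ip
        return None


def failure_rate(try_all, ttl, isp1_up, clients=200, seconds=3600):
    """Fraction of failed attempts with round-robin A records for both
    ISPs and ISP1 either up or down; one attempt per client per minute."""
    dns = AuthoritativeDNS([ISP1_IP, ISP2_IP], ttl)

    def reachable(ip):
        return isp1_up or ip != ISP1_IP

    pool = [CachingClient(dns, try_all) for _ in range(clients)]
    attempts = failures = 0
    for now in range(0, seconds, 60):
        for client in pool:
            attempts += 1
            if client.connect(now, reachable) is None:
                failures += 1
    return failures / attempts


def manual_failover_outage(ttl, detect_seconds, clients=60):
    """ISP1 dies at t=0; after detect_seconds the operator repoints the
    single A record to ISP2.  Returns the last second at which some
    client still failed: clients that refreshed their cache just before
    the change keep the dead address for a further full TTL."""
    dns = AuthoritativeDNS([ISP1_IP], ttl)
    pool = [CachingClient(dns, try_all=False) for _ in range(clients)]
    for i, client in enumerate(pool):          # caches expire spread over (0, ttl]
        client.resolve(-(i * ttl) // clients)

    def reachable(ip):
        return ip != ISP1_IP

    last_failure = -1
    for now in range(detect_seconds + ttl + 1):
        if now == detect_seconds:
            dns.set_records([ISP2_IP])
        for client in pool:
            if client.connect(now, reachable) is None:
                last_failure = now
    return last_failure


if __name__ == "__main__":
    print("round-robin, first answer only, ISP1 down:", failure_rate(False, 3600, False))
    print("round-robin, retry every answer, ISP1 down:", failure_rate(True, 3600, False))
    for ttl in (3600, 900):
        print(f"manual switch, TTL {ttl}s, noticed after 600s: "
              f"users failing until t={manual_failover_outage(ttl, 600)}s")
```

With both addresses in round-robin and ISP1 down, half of all attempts from first-answer-only clients fail, while clients that retry every answer never fail; that is the difference between web browsers and MX-walking mail senders described above. With a single record switched by hand, users keep failing until the detection time plus one full TTL has passed, so a 1-hour TTL means up to an hour of failures after the change is made, and a 15-minute TTL only shrinks that tail, it does not remove it.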
Author Comment by cciedreamer (ID: 39788228)
Sir,

Is there any other recommendation to achieve this redundancy without using BGP? Because BGP is expensive :)
Expert Comment by Craig Beck (ID: 39788264)
You might be able to use a load-balancer, although this would require you to change things again and you probably wouldn't get the result you want.
Author Comment by cciedreamer (ID: 39790500)
Sorry for repeating this stuff again, but what if I decrease the TTL to 15 minutes,
then manually update the DNS records.

But I was wondering about 1 more point: how will the server reply back to the request through ISP2?

My current default route on the L3 switch is pointing to the ASA.

Thanks
Accepted Solution by Craig Beck (earned 500 total points, ID: 39790511)
This is the thing... you're only providing outbound internet redundancy at the moment.

If you want to provide redundant inbound services you can do this in different ways, but if you want to provide redundant inbound and outbound services at the same time you need to use the same solution for both, or it won't work properly or not without some kind of manual intervention.

To do this properly you'll need one of the following (in order of success):

1] Use a full-blown BGP solution using your own AS and addressing.
2] Use a halfway BGP solution which uses two circuits from the same ISP, using the same addressing.
3] Use a load-balancer or dual-WAN router and create multiple DNS records
4] Manually switch the line over and edit or create multiple DNS records.

Each solution poses its own different problems, but obviously option 1 is the only fool-proof solution as it removes the reliance from a single point of failure (the ISP link).

Personally I think that it would be better for you to greatly simplify the inbound requirement by just adding a second link from the same ISP and getting them to do BGP themselves across the two links (option 2).  That dramatically reduces the chances of a line failure stopping your inbound services from working.
Author Comment by cciedreamer (ID: 39792226)
Hi craigbeck,

I agree with you and I'll consider having BGP.

What are the requirements for BGP?
How will the setup be in terms of NAT and IP addressing?

Thanks
Expert Comment by Craig Beck (ID: 39792273)
If you go with a pair of lines from the same ISP there's no requirement other than the two ISP feeds come into the same switch on the same VLAN.  You don't really have to do anything.

The ISP's routers will talk BGP between each other and will use HSRP to automatically tell your router which link to use.  All you do on your router is configure a default gateway as normal.
Author Comment by cciedreamer (ID: 39792279)
Actually I have different ISPs.
Expert Comment by Craig Beck (ID: 39792286)
I realise this.

Get a second link from ISP1 and do the BGP solution.  Leave ISP2 connected to your TMG.

Job done!
Author Comment by cciedreamer (ID: 39792295)
:) Not possible, we already have ISP2 for $3200.

I want to stick with the current ISPs.

Thanks
Expert Comment by Craig Beck (ID: 39792299)
So as I said, you can't do what you want to achieve.  You'll only get a halfway-house solution unfortunately.
Author Closing Comment by cciedreamer (ID: 39792441)
Thank you sir.
I will keep this point in consideration and plan accordingly.
Thanks once again for great support