Solved

Internet Failover Inbound and Outbound

Posted on 2014-01-15
Last Modified: 2014-01-19
Hello Experts,

Please have a look at the attached diagram.

I have 2 parts, A and B. Part A already exists and is running. We are planning to add Part B as shown in the diagram.

Part A consists of an ASA 5540 and a 2921 as Edge Router, and Microsoft TMG as Web Proxy for internal users.

All other traffic is routed to the ASA. The ASA handles NAT and ACLs.

The objective of adding Part B is to have redundancy inbound and outbound. However, firstly I want to focus on outbound redundancy, then I will move to the inbound part.

After adding Part B, TMG will have 3 NICs. 2 NICs will be connected to the ASAs and 1 to internal.

For web proxy failover I will configure the TMG ISP-R feature. But my concern is for other traffic.

Therefore, can someone please help me with the best possible ways I can use for outbound failover?

Thanking you in advance. I appreciate the help.
design.jpg
Question by:cciedreamer
16 Comments
 
LVL 45

Expert Comment

by:Craig Beck
If you put the TMG between the ASAs like you have in the diagram your routing will change and you'll need to run dynamic protocols between your ASAs and core switch.  It'll be really messy.

The way you have it at the moment is the best you'll get with what you've got for outbound redundancy as you actively want to send all web traffic via ISP2 by default.

As was mentioned in your first question (previous thread for other experts) if you want to achieve proper inbound redundancy you'll need to implement a BGP solution.  If you use two different ISPs you'll need to purchase your own AS number and associated PI address space, then provide routing updates to each ISP.  This will probably need different routers and will definitely require a redesign of your external network.  Ultimately that will mean you will have to go with the solution I mentioned a long while back which means you have a dedicated router on each circuit.
 
LVL 3

Author Comment

by:cciedreamer
Hi,

Thanks. For inbound, I just came across this thread:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23443125.html

Map public IPs (ISP1 and ISP2) to the same DNS record.

But I was just wondering how the DNS request would identify that ISP1 is down and that it should go to the ISP2 IP.
 
LVL 45

Expert Comment

by:Craig Beck
That's the problem - it won't.

With inbound mail it's fine as you can use MX priorities to set the preferred mail server.  If the preferred mail server is unreachable the second preference is tried.  All you would do is set one MX record to go down the ISP1 link and the other to go down the ISP2 link.

You can't do that with DNS though.  You can simply create multiple host (A) records for the server, using the different IPs you mapped, and let the DNS server return the results in a round-robin fashion.

This will mean clients might see 'Page cannot be displayed' if you're hosting a web server, for example, as they might be given the IP which is down.
 
LVL 3

Author Comment

by:cciedreamer
Hi,

I was planning to do it this way:

- Decrease the TTL of the DNS record to 1 hour.
- Whenever our ISP1 line goes down for longer than 1 hour, I will change the DNS record mapping to the ISP2 public IP.

Thanks
 
LVL 45

Expert Comment

by:Craig Beck
That makes this manual failover then though.  You want to automate this by adding all this complexity.

What will your users do for an hour while DNS records are still waiting to expire?
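The MX-versus-A-record behaviour Craig describes a few comments up, and the TTL-based manual failover plan he is questioning here, as an added example that is not part of the thread. The IPs (RFC 5737 documentation addresses), link states and cache times are constructed samples, and the functions are simplified models of a sending MTA, a round-robin resolver and resolver caches, not real software:

```python
import itertools

# Constructed sample: the two public IPs the thread maps to one DNS name,
# and whether each ISP link is currently reachable (ISP1 down, ISP2 up).
REACHABLE = {"203.0.113.10": False, "198.51.100.10": True}

# MX records carry a preference; the lowest preference is tried first.
MX_RECORDS = [(10, "203.0.113.10"), (20, "198.51.100.10")]
# Plain A records carry no preference; resolvers hand them out round-robin.
A_RECORDS = ["203.0.113.10", "198.51.100.10"]


def deliver_mail(mx_records, reachable):
    """A sending MTA walks the MX list by preference and uses the first host
    that answers, so an unreachable primary is skipped automatically."""
    for _pref, ip in sorted(mx_records):
        if reachable.get(ip, False):
            return ip
    return None  # every MX host down: mail is queued and retried later


def web_clients(a_records, reachable, n_clients):
    """Each web client gets the next A record in round-robin order and
    connects to it; True means the page loaded, False means it did not."""
    ring = itertools.cycle(a_records)
    return [reachable.get(next(ring), False) for _ in range(n_clients)]


def worst_case_stale_seconds(ttl, record_changed_at, client_cache_times):
    """Manual TTL failover: a resolver that cached the old record at time t
    keeps serving it until t + ttl, however quickly the admin edits DNS.
    Returns how long after the edit the last stale cache expires."""
    stale_until = [t + ttl for t in client_cache_times if t < record_changed_at]
    return max(stale_until) - record_changed_at if stale_until else 0


if __name__ == "__main__":
    print("mail delivered to:", deliver_mail(MX_RECORDS, REACHABLE))
    print("web clients:", web_clients(A_RECORDS, REACHABLE, 4))
    # 1 h TTL, record edited at t=7200, one resolver cached at t=7199
    print("stale window (s):", worst_case_stale_seconds(3600, 7200, [7199, 3000]))
```

With ISP1 down, mail still lands on the ISP2 host, but half the web clients get the dead IP, and a 1 h TTL leaves a resolver that cached just before the edit stale for almost a full hour afterwards.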
 
LVL 3

Author Comment

by:cciedreamer
Sir,

Is there any other recommendation to achieve this redundancy without using BGP? Because BGP is expensive :)
 
LVL 45

Expert Comment

by:Craig Beck
You might be able to use a load-balancer, although this would require you to change things again and you probably wouldn't get the result you want.
 
LVL 3

Author Comment

by:cciedreamer
Sorry for repeating this again, but what if I decrease the TTL to 15 minutes and then manually update the DNS records?

But I was wondering about one more point: how will the server reply back to the request through ISP2?

My current default route on the L3 switch is pointing to the ASA.

Thanks
 
LVL 45

Accepted Solution

by: Craig Beck earned 500 total points
This is the thing... you're only providing outbound internet redundancy at the moment.

If you want to provide redundant inbound services you can do this in different ways, but if you want to provide redundant inbound and outbound services at the same time you need to use the same solution for both, or it won't work properly or without some kind of manual intervention.

To do this properly you'll need to either (in order of success):

1] Use a full-blown BGP solution using your own AS and addressing.
2] Use a halfway BGP solution which uses two circuits from the same ISP, using the same addressing.
3] Use a load-balancer or dual-WAN router and create multiple DNS records
4] Manually switch the line over and edit or create multiple DNS records.

Each solution poses its own different problems, but obviously option 1 is the only fool-proof solution as it removes the reliance from a single point of failure (the ISP link).

Personally I think that it would be better for you to greatly simplify the inbound requirement by just adding a second link from the same ISP and getting them to do BGP themselves across the two links (option 2).  That dramatically reduces the chances of a line failure stopping your inbound services from working.
 
LVL 3

Author Comment

by:cciedreamer
Hi craigbeck,

I agree with you and I'll consider having BGP.

What are the requirements of BGP?
How will the setup be in terms of NAT and IP addressing?

Thanks
 
LVL 45

Expert Comment

by:Craig Beck
If you go with a pair of lines from the same ISP there's no requirement other than the two ISP feeds come into the same switch on the same VLAN.  You don't really have to do anything.

The ISP's routers will talk BGP between each other and will use HSRP to automatically tell your router which link to use.  All you do on your router is configure a default gateway as normal.
 
LVL 3

Author Comment

by:cciedreamer
Actually, I have different ISPs.
 
LVL 45

Expert Comment

by:Craig Beck
I realise this.

Get a second link from ISP1 and do the BGP solution.  Leave ISP2 connected to your TMG.

Job done!
 
LVL 3

Author Comment

by:cciedreamer
:) Not possible, we have already paid $3200 for ISP2.

I want to stick with the current ISPs.

Thanks
 
LVL 45

Expert Comment

by:Craig Beck
So as I said, you can't do what you want to achieve.  You'll only get a halfway-house solution unfortunately.
 
LVL 3

Author Closing Comment

by:cciedreamer
Thank you, sir.
I will keep this point in consideration and plan accordingly.
Thanks once again for the great support.