Solved

internet Failover Inbound and Outbound

Posted on 2014-01-15
Last Modified: 2014-01-19
Hello Experts,

Please have a look at the attached diagram.

I have 2 parts, A & B. Part A already exists and is running. We are planning to add Part B as shown in the diagram.

Part A consists of an ASA 5540 and a 2921 as Edge Router, and Microsoft TMG as Web Proxy for internal users.

All other traffic is routed to the ASA. The ASA handles NAT and ACLs.

The objective of adding Part B is to have redundancy inbound and outbound. However, I first want to focus on outbound redundancy, then I will move to the inbound part.

After adding Part B, TMG will have 3 NICs: 2 NICs will be connected to the ASAs and 1 to internal.

For Web proxy failover I will configure the TMG ISP-R feature. But my concern is for other traffic.

Therefore, could someone please help me with the best possible ways I can use for outbound failover?

Thanking you in advance. I appreciate the help.
design.jpg
Question by:cciedreamer
16 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39783868
If you put the TMG between the ASAs like you have in the diagram your routing will change and you'll need to run dynamic protocols between your ASAs and core switch.  It'll be really messy.

The way you have it at the moment is the best you'll get with what you've got for outbound redundancy as you actively want to send all web traffic via ISP2 by default.

As was mentioned in your first question (previous thread for other experts) if you want to achieve proper inbound redundancy you'll need to implement a BGP solution.  If you use two different ISPs you'll need to purchase your own AS number and associated PI address space, then provide routing updates to each ISP.  This will probably need different routers and will definitely require a redesign of your external network.  Ultimately that will mean you will have to go with the solution I mentioned a long while back which means you have a dedicated router on each circuit.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39785074
Hi,

Thanks. For inbound, I just came across this thread:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23443125.html

Map public IPs (ISP1 and ISP2) to the same DNS record.

But I was just wondering how the DNS request would identify that ISP1 is down so that it should go to the ISP2 IP.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39786266
That's the problem - it won't.

With inbound mail it's fine as you can use MX priorities to set the preferred mail server.  If the preferred mail server is unreachable the second preference is tried.  All you would do is set one MX record to go down ISP1 link and the other to go down ISP2 link.

You can't do that with DNS though.  You can simply create multiple host (A) records for the server, using the different IPs you mapped, and let the DNS server return the results in a round-robin fashion.

This will mean clients might see 'Page can not be displayed' if you're hosting a web server, for example as they might be given the IP which is down.
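The contrast drawn above, between round-robin A records and MX preferences, can be checked with a small model. This is an added example, not code from the thread or from any vendor: the two addresses are constructed RFC 5737 documentation values standing in for the public IPs on the ISP1 and ISP2 links, the DNS server is modelled as rotating its answer set once per query, the web client as connecting only to the first answer it receives, and the SMTP sender as walking MX records in preference order.

```python
"""Model of why round-robin A records do not give failover while MX
priorities do.  Added example, not from the thread; addresses are
constructed RFC 5737 documentation values."""
from typing import Dict, List, Tuple

ISP1_IP = "203.0.113.10"   # constructed: public IP mapped on the ISP1 link
ISP2_IP = "198.51.100.10"  # constructed: public IP mapped on the ISP2 link


def round_robin_answers(records: List[str], query_index: int) -> List[str]:
    """Return the A-record set rotated one position per query, as a
    round-robin DNS server does.  The server has no idea which link is up."""
    n = len(records)
    k = query_index % n
    return records[k:] + records[:k]


def web_client_connect(answers: List[str], link_up: Dict[str, bool]) -> bool:
    """A client that connects only to the first address it was given.
    If that address sits behind the dead link the user sees an error page."""
    return link_up[answers[0]]


def mx_client_deliver(mx_records: List[Tuple[int, str]],
                      link_up: Dict[str, bool]) -> bool:
    """An SMTP sender tries MX hosts in ascending preference order and
    moves on to the next one when a host is unreachable."""
    for _preference, ip in sorted(mx_records):
        if link_up[ip]:
            return True
    return False


def web_failure_rate(records: List[str], link_up: Dict[str, bool],
                     queries: int = 1000) -> float:
    """Fraction of web requests that land on a dead address under round-robin."""
    failures = 0
    for i in range(queries):
        if not web_client_connect(round_robin_answers(records, i), link_up):
            failures += 1
    return failures / queries


def simulate(isp1_up: bool, isp2_up: bool) -> Tuple[float, bool]:
    """Return (web failure rate, mail deliverable?) for a given link state."""
    link_up = {ISP1_IP: isp1_up, ISP2_IP: isp2_up}
    web_fail = web_failure_rate([ISP1_IP, ISP2_IP], link_up)
    # MX preference 10 goes down the ISP1 link, preference 20 down ISP2.
    mail_ok = mx_client_deliver([(10, ISP1_IP), (20, ISP2_IP)], link_up)
    return web_fail, mail_ok


if __name__ == "__main__":
    for state in [(True, True), (False, True), (True, False), (False, False)]:
        web_fail, mail_ok = simulate(*state)
        print(f"ISP1 up={state[0]!s:5} ISP2 up={state[1]!s:5}: "
              f"web requests failing={web_fail:.0%}, mail deliverable={mail_ok}")
```

With one link down, half of the web requests fail while mail still gets through. Clients that do fall through to the next address in the answer set still sit through a connect timeout first, so the model's first-answer-only client is the pessimistic but commonly observed case.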
 
LVL 3

Author Comment

by:cciedreamer
ID: 39788157
Hi,

I was planning to do it this way.

- Decrease the TTL of the DNS record to 1 hour.
- Whenever our ISP1 line goes down for more than 1 hour, I will change the DNS record mapping to the ISP2 public IP.

Thanks
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39788174
That makes this manual failover then though.  You want to automate this by adding all this complexity.

What will your users do for an hour while DNS records are still waiting to expire?
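The manual failover plan under discussion (lower the TTL, repoint the A record once the outage is confirmed) has a recovery window that can be modelled. This is an added example, not from the thread. It assumes a constructed population of resolver caches that each last refreshed the record at a different moment spread evenly over one TTL before the outage and that refresh again whenever their cached copy expires; the outage starts at t = 0 and the record is changed at `switch_at_s`.

```python
"""Model of the stale-cache window after a manual DNS repoint.  Added
example, not from the thread.  Outage starts at t=0 seconds; resolver
caches that fetched the record before the change keep handing out the
dead ISP1 address until their cached copy expires."""
import math


def stale_fraction(ttl_s: int, switch_at_s: int, now_s: int,
                   n_resolvers: int = 3600) -> float:
    """Fraction of resolver caches still returning the dead address at now_s.

    Constructed model: resolver i last refreshed the record at a distinct
    moment in (-ttl_s, 0] and refreshes again each time its copy expires.
    A resolver whose most recent refresh happened before switch_at_s has
    not yet seen the new record."""
    stale = 0
    for i in range(n_resolvers):
        last_fetch = -ttl_s * i / n_resolvers
        refreshes = math.floor((now_s - last_fetch) / ttl_s)
        latest_refresh = last_fetch + refreshes * ttl_s
        if latest_refresh < switch_at_s:
            stale += 1
    return stale / n_resolvers


def full_recovery_s(ttl_s: int, switch_at_s: int) -> int:
    """Worst case: the last cache refreshed just before the change and
    serves the old address for one more full TTL."""
    return switch_at_s + ttl_s


def timeline(ttl_s: int, switch_at_s: int, step_s: int):
    """Yield (t, stale fraction) samples from the outage until every
    resolver has picked up the new address."""
    t = 0
    end = full_recovery_s(ttl_s, switch_at_s)
    while t <= end:
        yield t, stale_fraction(ttl_s, switch_at_s, t)
        t += step_s


if __name__ == "__main__":
    # The two TTLs proposed in the thread, with the record repointed one
    # hour into the outage (the "beyond 1 hour" trigger).
    for ttl in (3600, 900):
        print(f"TTL {ttl}s, record changed at 3600s -> "
              f"all clients recovered at {full_recovery_s(ttl, 3600)}s")
        for t, frac in timeline(ttl, 3600, 900):
            print(f"  t={t:5d}s  clients still on dead IP: {frac:.0%}")
```

The model makes the point above concrete: nobody sees the new address before the record is actually changed, and even with a 15-minute TTL the last clients only recover at the detection delay plus one TTL, so the user-visible outage is the time taken to notice and act plus the TTL, never just the TTL.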
 
LVL 3

Author Comment

by:cciedreamer
ID: 39788228
Sir,

Is there any other recommendation to achieve this redundancy without using BGP? Because BGP is expensive :)
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39788264
You might be able to use a load-balancer, although this would require you to change things again and you probably wouldn't get the result you want.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39790500
Sorry for repeating this stuff again, but what if I decrease the TTL to 15 minutes and then manually update the DNS records?

But I was wondering about 1 more point: how will the server reply back to a request that came in through ISP2?

My current default route on the L3 switch is pointing to the ASA.

Thanks
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39790511
This is the thing... you're only providing outbound internet redundancy at the moment.

If you want to provide redundant inbound services you can do this in different ways, but if you want to provide redundant inbound and outbound services at the same time you need to use the same solution for both or it won't work properly or without some kind of manual intervention.

To do this properly you'll need to either (in order of success):

1] Use a full-blown BGP solution using your own AS and addressing.
2] Use a halfway BGP solution which uses two circuits from the same ISP, using the same addressing.
3] Use a load-balancer or dual-WAN router and create multiple DNS records.
4] Manually switch the line over and edit or create multiple DNS records.

Each solution poses its own different problems, but obviously option 1 is the only fool-proof solution as it removes the reliance from a single point of failure (the ISP link).

Personally I think that it would be better for you to greatly simplify the inbound requirement by just adding a second link from the same ISP and getting them to do BGP themselves across the two links (option 2).  That dramatically reduces the chances of a line failure stopping your inbound services from working.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39792226
Hi craigbeck,

I agree with you and I'll consider having BGP.

What are the requirements for BGP?
How will the setup look in terms of NAT and IP addressing?

Thanks
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39792273
If you go with a pair of lines from the same ISP there's no requirement other than the two ISP feeds come into the same switch on the same VLAN.  You don't really have to do anything.

The ISP's routers will talk BGP between each other and will use HSRP to automatically tell your router which link to use.  All you do on your router is configure a default gateway as normal.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39792279
Actually I have different ISPs.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39792286
I realise this.

Get a second link from ISP1 and do the BGP solution.  Leave ISP2 connected to your TMG.

Job done!
 
LVL 3

Author Comment

by:cciedreamer
ID: 39792295
:) Not possible, we already have ISP2 for $3200.

I want to stick with the current ISPs.

Thanks
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39792299
So as I said, you can't do what you want to achieve.  You'll only get a halfway-house solution unfortunately.
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39792441
Thank you sir
I will keep in consideration this point and plan it accordingly.
Thanks once again for great support